CYBERSECURITY IN THE EU: European Commission’s Strategy and Legislation

With 440 million inhabitants, the European technological landscape is made up of 90% of its population owning a smartphone, a personal computer, and an Internet connection, and the number of connected devices was estimated at 2.5 billion in 2020. Companies and public authorities are not left out, with nearly 95% of these players connected to the Internet.

This ever-growing penetration into the private and economic lives increases the exposure to cyber risks, and the appetite of  threats targeting economic resources,  and personal data. Moreover, it is estimated that every 40 seconds, a company or public entity is the victim of a cyber-attack.

 It is in this context that the European Union has developed a legal framework in order to increase and ensure the cyber security of its citizens and companies.

In this article, we will discuss a series of directives, regulations and acts from the EU. There is a singular difference between a directive and a regulation: if the first one is applicable in the Member States directly after its entry into force, the second must to be transposed into national law before becoming effective in each Member State.

At the beginning of the EU legislation, there was data…

The beginnings of cybersecurity legislations

The primary draft of a European directive on the security of its infrastructure dates back to 2008, with the European Critical Infrastructure (ECI) Directive, targeting transport and energy infrastructures. While it lays the groundwork for future texts in terms of a common approach, it does not address cybersecurity risks.

The cornerstone of the common cybersecurity policy was born in 2013, with the first EU Cybersecurity Strategy (EUCSS), linking the European Union and national legislations. It is also the first text to openly use the term “cybersecurity”. With the aim of strengthening the European cybersecurity, the EUCSS led each Member State to implement a National Computer Emergency Response Team (CERT) as well as a competent cybersecurity authority to represent the country in discussions at European level, like the Centre for Cybersecurity Belgium (CCB) or the ANSSI in France.

The European era of Data

The most known European piece of legislation remains the General Data Protection Regulation (GDPR). Voted in 2016, GDPR lays down the obligations that organisations and companies must use and process the personal data of service users, personal data designating any information which, directly or indirectly, can make it possible to identify a person. It is the first European regulation focusing and unifying the legislation relating to the protection of the rights of users, and fixing dissuasive sanctions in the event of non-respect of the obligations.

In line with the GDPR came the Digital Services Act (DSA), voted in December 2020. With this text, targeting the biggest digital companies, all online intermediaries offering their services in the EU Single Market, regardless whether they are established in the EU or outside, have to comply with obligations such as transparency, fundamental rights protection, and cooperation with national authorities. In case of non-compliance, they can receive periodic penalty payments and sanctions up to 6% of the platform’s worldwide turnover.

The DSA’s shortcomings led to the adoption in May 2022 of the Data Governance Act (DGA) – applicable as of September 2023. The objective is to create a single European data market and to promote reliable data sharing. This text will have a significant impact, and is particularly oriented in specific sectors such as health, energy, transport, supply chain, but also with regard to the use of artificial intelligence (AI). The main objective of the DGA is to leveling the sectorial advantage in favor of the SMEs compared to digital leaders.

The DGA encourages what it calls “data altruism”, i.e. the consent of the concerned individuals to process their personal data. This concept also relates to other data holders to allow the use of their non-personal data without seeking reward, for purposes of general interest, such as for the purpose of scientific research or the improvement of public services. Whenever data is transferred to a re-user, mechanisms will be put in place to ensure GDPR compliance and preserve the commercial confidentiality of the data.

Still in the field of the dematerialisation of personal data, the eIDAS regulation voted in 2014, ensured that EU citizens can use a national electronic identification (eID) scheme, such as ItsMe in Belgium, to access public services online in other countries within the European Economic Area. In 2021, the European Commission proposed the addition of digital wallets for the next iteration of eIDAS, commonly known as eIDAS 2.0. Digital wallets are apps and services that allow you to manage and securely share your digital identity credentials, providing only the information needed for the transaction.

Financial sector specifics

To close this overview, 2 specific directives and regulations for the banking and financial sector should be mentioned, such as the Payment Services Directive (PSD) 2 that established guidelines on major incident reporting, setting out the criteria, thresholds, and methodology to be used by payment service providers (PSP) to determine whether or not an operational or security incident should be considered major and, therefore, be notified to the Member State’s competent authority. The latest regulation in date is the Digital Operational Resilience Act (DORA), which sets uniform requirements for the security of the networks and information systems of companies and organisations active in the financial sector as well as critical third parties that provide services related to ICTs.

For a deep-dive into DORA, you can find all information in our targeted article.

… but the EU’s journey continues with a special focus on cybersecurity

The EU Cybersecurity Act and the role of ENISA

After the 2013 EUCSS, the second cornerstone of the EU legislation on cybersecurity was the 2019 EU Cybersecurity Act (EU CS Act), bringing forward awareness on the new needs in terms of cybersecurity, resilience, and cooperation in the EU.

The EU CS Act promotes 2 main points:

  • The European Cybersecurity Certification Framework which provides companies with EU-wide certification schemes in a package of comprehensive set of rules, technical requirements, standards and procedures;
  • And, the strengthening of the European Network Information Security Agency (ENISA), the official European Union Agency for Cybersecurity, based in Greece.

The ENISA “is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004, the ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow”.

The 2nd EU Cybersecurity Strategy and the NIS Directive era

In December 2020, the EU released its 2nd Cybersecurity Strategy (EUCSS). This new strategy aims to guarantee a global and open Internet with strong safeguards in the event of risks to the security and fundamental rights of citizens in Europe. It is a major update to the 1st EUCSS, and its main goal is to implement and promote 3 areas of EU action:

  • Resilience, technological sovereignty and leadership
  • Building operational capacity to prevent, deter and respond
  • Advancing a global and open cyberspace through increased cooperation

The most commonly known change mentioned in the 2020 EUCSS was the announcement of the upgrade and update of the NIS Directive, the NIS 2 Directive.

Flashback & crash course on the NIS Directive (the initial one)

Adopted in 2016, its objective was to ensure a high and common level of security for the networks and information systems of the EU, with the implementation of a cyber-resilience program with three major components:

  • Robust cybersecurity defenses
  • Preventive measures against cyber risks
  • Incident management and reporting systems and tools

This Directive applied to 2 categories of central players: digital service providers (DSP) and operators of essential services (OES), to be defined and listed by each Member State. The scope of the NIS directive concerned 7 sectors: healthcare, digital infrastructure (including web browser, cloud facilities), digital service providers, transport, water supply, banking and financial infrastructures, and energy.

The NIS directive led to the creation of the NIS Cooperation Group among Member States, coordinated by the ENISA, to support and facilitate strategic cooperation and the exchange of information on risks and network and information system security incidents.

However, the NIS directive has shown its limits in the face of the rapid digital transformation of society, new threats, and the Covid-19 health crisis. The European Commission identified the following main issues: insufficient level of cyber resilience of businesses operating in the EU; inconsistent resilience across Member States and sectors; insufficient common understanding of the main threats and challenges among Member States and lack of joint crisis response.

Due to the initial NIS Directive limitations, the European Commission decided to work on a global update with the NIS2 directive (currently undergoing the legislative validations at the European Parliament and then at the Council of the European Union). This new proposal extends the current scope of the NIS directive by adding new sectors based on their crucial importance for the economy and society, and by introducing a new size cap to include all medium and large companies. Member States will also be able to include in the scope smaller entities but with a high security profile. The proposed NIS 2 Directive would require Member States to implement a certain level of administrative fines to non-compliant entities – at least €10,000,000 or 2% of their total worldwide annual turnover of the preceding financial year.

Special focus on Health & Artificial Intelligence

This legislative strengthening also concerns the health sector also already covered by the NIS Directive, but also the AI sector.

In the field of health, we can cite the regulation on Health Technologies Assessment (HTA) voted on December 2021. The Regulation aims to achieve a high level of health protection for patients and users while ensuring the smooth functioning of the internal market with regard to medicinal products, medical devices and in vitro diagnostic medical devices. Currently, there are no updates as to the whereabouts of the legislative train on the HTA.

On the AI side, the Artificial Intelligence Act (AI Act) is a proposal regulation to introduce a common legal framework for AI, in all sectors and all types of AI systems, except for military. The AI Act should ban unacceptable practices, like manipulating persons through subliminal techniques, social scoring, or real time remote biometric identification. This act should also regulate high-risk AI systems, i.e. product falling under the EU product safety regulation, and a list of AI systems made by Members States. The provisional act proposes fines for non-compliance, up to EUR 30,000,000 or, if the offender is a company, up to 6 % of its total worldwide annual turnover for the preceding financial year.

The Cyber Resilience Act (CRA) and the Supply Chain era

Finally, the latest newcomer in the EU legislation presented by the European Commission in September 2022 is the Cyber Resilience Act (CRA). The Act aims to improve the transparency on the security of hardware and software products and introduces rules, through a coherent cybersecurity framework, to ensure that manufacturers remain responsible for the cybersecurity throughout their products’ lifecycle. This would lead to products with digital components that have fewer vulnerabilities when launched on the EU market.

The CRA aims to complement the AI Act, the EU Cybersecurity Act and the NIS 2 Directive, although its carries its own set of penalties in case of incompliance. Incompliant third party vendors would see themselves fined up to €15,000,000 or at the level of their 2.5% of their annual turnover (whichever the highest).

Where does HeadMind Partners stand in the middle of this?

When looking at the existing and ongoing talks and legislations in the EU, one word is at the center of everything for the impacted entities: compliance!

HeadMind Partners closely monitors all the above-mentioned topics and provides expertise and guidance to its clients to help them remain updated. We also closely follow the recommendations provided by the CCB and the ANSSI, respectively Belgium’s and France’s national cybersecurity agencies. To do so, HeadMind Partners has, internally, several dedicated working groups, our “Labs”, to monitor and continuously build on our expertise to stay up to date on all current legislations. Some high-profile legislative texts, such as the NIS Directive, have their own working streams inside our Labs as well.

A final observation on the evolution of these legislative texts shows that the EU does not hesitate to set higher and higher penalties in case of incompliance. Added to that is the knowledge that the number of cyberattacks against companies is ever increasing – e.g., according to Agoria, 60% of Belgian companies have already been hacked at one time or another and almost 30% expect to be hacked in the near future – with the intended financial and reputational costs. The bill seems to be getting higher and higher, so why not put all chances on your side?

Written by Boris CANONGE & Nina HASRATYAN