The 2020 EU Cybersecurity Strategy aimed to build a resilient and secure digital environment in Europe, ensuring trust and confidence in digital technologies while addressing evolving cyber threats and challenges.

We are now seeing the fruits of that strategy coming together, with no end in sight to the new laws, national and EU-level entities, certification schemes, funding programmes and co-operation that have come into play.

In terms of these new cybersecurity laws, it is important to know that there is a lot of interplay between them. One complements another, and together they raise the bar for cybersecurity in general for the benefit of consumers (both end users and businesses), member state infrastructure and indeed society as a whole.

The Cybersecurity Act (CSA) underscored the need for a unified approach to cybersecurity. It enhanced the role of the European Union Agency for Cybersecurity (ENISA) with a permanent mandate to improve coordination and cooperation across the Union, as well as to prevent and to respond to cyber-attacks. Additionally, it aims to strengthen the EU’s cybersecurity framework by establishing a European-wide certification scheme for ICT products, services, and processes.

The NIS2 Directive aims to improve cybersecurity resilience across critical sectors such as energy, transport and healthcare, ensuring continuity of essential services. Requirements include the implementation of appropriate security measures to prevent and minimise the impact of cybersecurity incidents, the reporting of significant cybersecurity incidents at a national level, and the facilitation of cooperation and information exchange between member states to enhance cybersecurity resilience at an EU level.

DORA aims to bolster cybersecurity resilience within the financial sector by establishing robust rules for safeguarding against and responding to ICT-related incidents. It mandates comprehensive measures encompassing protection, detection, containment, recovery, and repair capabilities. The regulation sets out uniform requirements applicable to financial entities to ensure a consistently high level of operational resilience. These include ICT risk management, incident reporting protocols, resilience testing, information sharing frameworks, and management of third-party risks.

The Cyber Resilience Act sets baseline cybersecurity requirements for connected products with digital elements being made available on the EU market. It aims to enhance the cybersecurity resilience of connected devices, mitigating the risk of supply chain cyber threats and ensuring consumer trust in digital products. It will mandate that manufacturers ensure products have adequate cybersecurity measures and provide security updates throughout the product lifecycle. It will require manufacturers to inform users about product security risks and provide clear end-of-support notifications. In addition, it will establish mechanisms for market surveillance authorities to enforce compliance and address cybersecurity vulnerabilities.

The EU Cyber Solidarity Act aims to strengthen capacities in the EU to detect, prepare for and respond to significant and large-scale cybersecurity threats and attacks. The Act includes a European Cybersecurity Alert System, made up of Security Operations Centres interconnected across the EU, and a comprehensive Cybersecurity Emergency Mechanism to improve the EU’s cyber resilience. The Act mandates the creation of a European Cybersecurity Reserve, consisting of incident response services from trusted providers, selected based on specified criteria. Enterprises taking part in the EU Cybersecurity Reserve will need to be qualified under European cybersecurity certification schemes for managed security services in the relevant areas.

Some of the high-level interplays between these diverse acts are:

Various EU regulations, including the NIS2 directive, the Artificial Intelligence Act, Cyber Solidarity Act and the Cyber Resilience Act, task the European Commission with outlining CSA certification requirements to underpin their implementation.

ENISA’s new powers will cross each regulatory domain to offer co-ordination, support and guidance on their implementation.

The Cyber Resilience Act aims to fill a gap for NIS2 and DORA entities, which will now be able to choose products with digital elements that are certified and so reduce the supply chain risk profiles of these operators. Naturally, choosing products with digital elements that are certified and have the CE mark affixed will help them with their own compliance requirements. Additionally, more clarity on product support periods and the availability of security patches will benefit consumers, both business and end users.

In April 2023, a new regulatory proposal was introduced to expand the European cybersecurity certification framework, allowing for the inclusion of “managed security services.” These services involve performing or assisting with activities related to customers’ cybersecurity risk management.

The proposed amendment aims to facilitate the adoption of European cybersecurity certification schemes for managed security services through Commission implementing acts. This would be in addition to the existing coverage under the Cybersecurity Act, which includes ICT products, ICT services and ICT processes. Managed security services are becoming increasingly crucial in preventing and mitigating cybersecurity incidents, so ensuring they are trusted entities will be an integral part of certification.

Products with digital elements that are also AI-enabled have a dual compliance requirement between the CRA and the AI Act. If operators must be compliant with both of these acts, the security requirements in the CRA will be the higher bar and will be used to comply with the AI Act.

These laws and regulations reflect the EU’s ongoing efforts to strengthen cybersecurity and resilience across the EU and for ICT products, services and providers within the European Single Market. Together with other important laws, namely the protection of personal data and privacy (GDPR & ePrivacy), the assurance of high-risk AI systems (AI Act), the regulation of unfair practices in digital markets (DMA) and better protection of user rights in digital services such as social media platforms (DSA), they should amount to the changes necessary to strengthen trust and safety in our digital world.
