EU Cyber Law

The NIS 2 Directive

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, commonly known as NIS 2, constitutes the principal legislative instrument addressing cybersecurity across the European Union. Repealing and replacing the original NIS Directive (Directive (EU) 2016/1148), NIS 2 substantially expands the scope of European cybersecurity regulation from approximately 10,000 entities under the original NIS Directive to an estimated 160,000 entities across eighteen sectors. The Directive distinguishes between essential entities (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space) and important entities (postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research), subjecting essential entities to a more stringent regulatory regime including ex ante supervision and higher penalty exposure. NIS 2 establishes a comprehensive set of cybersecurity risk management measures that covered entities must implement, focusing on the security of network and information systems and addressing policies on risk analysis, incident handling, business continuity, supply chain security, vulnerability disclosure, and the use of cryptography. Member States must ensure that essential entities face maximum administrative fines of at least €10 million or two per cent of annual worldwide turnover, and important entities at least €7 million or 1.4 per cent of annual worldwide turnover. The Directive requires Member States to designate national competent authorities, single points of contact, and Computer Security Incident Response Teams, and establishes the European Cyber Crises Liaison Organisation Network (EU-CyCLONe) for coordinated response to large-scale cybersecurity incidents.

The Cybersecurity Act

Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019, the Cybersecurity Act, establishes a comprehensive legal framework for cybersecurity certification and permanently mandates the European Union Agency for Cybersecurity (ENISA). The Regulation grants ENISA a permanent mandate (previously limited to periodic renewals) and expands its responsibilities to include the operation of the European cybersecurity certification framework, the maintenance of a European vulnerability database, the coordination of EU-wide cybersecurity exercises, the provision of technical expertise to Member States and EU institutions, and the promotion of cybersecurity awareness and education. The Cybersecurity Act introduces a European cybersecurity certification framework comprising three assurance levels: basic, substantial, and high. Certification schemes are developed by ENISA, adopted by the European Commission through implementing acts, and voluntary unless otherwise specified by sectoral legislation or Member State requirements. The first European cybersecurity certification scheme — the European Common Criteria-based cybersecurity certification scheme (EUCC) — was adopted by Commission Implementing Regulation (EU) 2024/482. Additional schemes under development include the European Cybersecurity Certification Scheme for Cloud Services (EUCS), which has been the subject of significant controversy over proposed sovereign control requirements addressing data access by non-EU entities, and schemes for 5G networks, artificial intelligence, and connected devices (the IoT scheme).

The Digital Operational Resilience Act

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022, the Digital Operational Resilience Act, establishes a comprehensive regulatory framework for ICT risk management in the financial sector. DORA applies to a broad range of financial entities including credit institutions, investment firms, payment institutions, insurance undertakings, and critical ICT third-party service providers. The Regulation harmonises the ICT risk management obligations previously addressed through sector-specific guidelines issued by the European Banking Authority, the European Securities and Markets Authority, and the European Insurance and Occupational Pensions Authority (the three European Supervisory Authorities). DORA requires financial entities to establish an ICT risk management framework encompassing governance and organisation, ICT systems management, identification of ICT risks, protection and prevention, detection, response and recovery, and reporting. The Regulation mandatorily requires the testing of ICT systems through vulnerability assessments, penetration testing, and, for systematically important financial entities, threat-led penetration testing (TLPT) based on the TIBER-EU framework. DORA establishes an ICT third-party risk management regime, requiring financial entities to manage the risks arising from their use of ICT services provided by third parties, to conduct due diligence on critical ICT third-party service providers, and to incorporate contractual provisions addressing termination rights, audit rights, data security, and data location. The ESAs are empowered to designate ICT third-party service providers as critical, subjecting them to direct oversight including the conduct of inspections and the imposition of penalties.

The Cyber Resilience Act

The Cyber Resilience Act, proposed by the European Commission on 15 September 2022 and adopted by the European Parliament and the Council in 2024 (Regulation (EU) 2024/2847), introduces mandatory cybersecurity requirements for products with digital elements — including hardware and software products whose intended and reasonably foreseeable use includes a direct or indirect data connection to a device or network. The CRA adopts a risk-based classification of digital products into default, Class I, and Class II categories, with Class II products (firewalls, virtual private networks, smartcards, and secure microcontrollers) subject to the most stringent obligations, including mandatory third-party conformity assessment under the Regulation’s conformity assessment procedures. Manufacturers are required to ensure that products with digital elements are designed, developed, and produced in accordance with essential cybersecurity requirements addressing security by design, vulnerability management, and data protection. Manufacturers must make available security updates for the expected product lifetime or for five years (whichever is less), report actively exploited vulnerabilities and severe incidents to ENISA within twenty-four hours of becoming aware, and notify affected users. Importers and distributors are subject to obligations regarding verification of CE marking, technical documentation, and manufacturer compliance. The CRA establishes a penalty framework with maximum administrative fines of up to €15 million or 2.5 per cent of annual worldwide turnover for non-compliance.

GDPR Data Breach Notification

The General Data Protection Regulation (Regulation (EU) 2016/679) establishes cybersecurity-related obligations through its data security and breach notification provisions. Article 32 requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore access to personal data in a timely manner following an incident, and regular testing of security measures. Article 33 requires controllers to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within seventy-two hours of becoming aware of the breach, with a reasoned justification in cases of delay. The notification must describe the nature of the breach, the categories and approximate number of data subjects and records concerned, and the measures taken or proposed to address the breach. Article 34 requires the controller to communicate the breach to the affected data subjects without undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons. The GDPR’s administrative fine regime — up to €20 million or four per cent of annual worldwide turnover — has been actively applied by Member State supervisory authorities in cybersecurity-related enforcement actions, including significant penalties for inadequate security measures under Article 32 in cases involving hacking, ransomware, and insider threats.

The ePrivacy Directive

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, as amended by Directive 2009/136/EC, the ePrivacy Directive (known colloquially as the Cookie Directive), addresses the processing of personal data and the protection of privacy in the electronic communications sector. The Directive requires Member States to ensure the confidentiality of communications through the prohibition of interception, surveillance, and unauthorised access without the consent of the users concerned (Article 5). The Directive requires providers of publicly available electronic communications services to implement appropriate technical and organisational measures to safeguard the security of their services, to notify subscribers of particular security risks, and to inform subscribers of available protective measures and the associated costs (Article 4). The Directive also addresses the use of traffic data, location data, and subscriber directories, and the obligation of providers to notify subscribers of security breaches affecting personal data. The proposed ePrivacy Regulation — intended to replace the Directive — has been under negotiation since 2017 and, as of 2026, has not been adopted. The Regulation would extend confidentiality obligations to over-the-top communications services (including messaging applications), harmonise the rules on cookies and tracking technologies, and strengthen the breach notification framework by aligning it with the GDPR.

The European Union Agency for Cybersecurity

ENISA, established in 2004 by Regulation (EC) No 460/2004 and permanently mandated by the Cybersecurity Act, serves as the European Union’s centre of cybersecurity expertise. ENISA’s current mandate encompasses the development and maintenance of the European cybersecurity certification framework; the provision of technical advice, analysis, and assistance to Member States and EU institutions; the coordination of operational cooperation through the CSIRTs network and EU-CyCLONe; the conduct of EU-level cybersecurity exercises and training; the analysis of emerging cybersecurity threats and trends through the European Cybersecurity Threat Landscape reports; and the operation of the EU Cybersecurity Market Observatory. ENISA publishes the annual ENISA Threat Landscape report and the State of Cybersecurity in the EU assessment. The Agency also administers the European Cybersecurity Month, the EU Cybersecurity Skills Academy, and the Cybersecurity Competence Centre in collaboration with Member States.