The EU is passing increasingly strict cybersecurity laws that affect organisations across all sectors. In this article, we’ll provide an overview of six key EU laws that impact cybersecurity:
- GDPR
- NIS Directive
- NIS 2 Directive
- Digital Operations Resilience Act (DORA)
- Critical Entity Resilience Directive (CER Directive)
- Cyber Resilience Act
In each case, we’ll tell you:
- When the law takes effect.
- Which types of organisations are covered.
- The key requirements.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR), or Regulation (EU) 2016/679, is not a cybersecurity law as such. However, the GDPR imposes security requirements on organisations to ensure they can protect the personal data they process.
Who Is Covered By the GDPR?
The GDPR covers anyone who “processes personal data” (with some caveats), which means almost every organisation in the EU (plus the UK, Iceland, Liechtenstein, and Norway), plus non-EU organisations that target or monitor the behaviour of people in the EU.
The regulation divides organisations into “controllers”, which decide why and how to process personal data, and “processors”, which process personal data on behalf of controllers.
GDPR: Key Security Requirements
Most of the GDPR’s obligations apply only to controllers. However, both controllers and processors are directly responsible for keeping personal data secure.
Some of the regulation’s key security obligations, set out in Article 32 of the GDPR, include:
- Pseudonymising or encrypting personal data.
- Ensuring the ongoing “confidentiality, integrity, availability, and resilience” of systems that process personal data.
- Ensuring systems that process personal data can be restored “in a timely manner”.
- Regularly testing, assessing, and evaluating the technical and organisational measures that protect personal data.
Controllers also have to obey a general principle of “confidentiality and integrity” (security). Other principles, such as data minimisation (not processing more personal data than is necessary for a specific purpose), also help maintain security.
The GDPR allows organisations to implement these measures in a way that is proportionate to the nature of the personal data, the organisation’s resources, and the “state of the art”.
Network and Information Systems Directive (NIS)
The Network and Information Systems Directive (NIS or NIS1), or Directive (EU) 2016/1148, took effect in August 2016.
Because NIS1 and NIS2 are directives, EU member states must create national laws to give them effect. The deadline for implementing NIS2 is 17 October 2024, so NIS1 should be repealed in all EU member states before that date.
Who Is Covered By NIS1?
NIS1 primarily applies to:
- Digital service providers (DSPs), namely:
  - Online marketplaces
  - Search engines
  - Cloud computing services
- Operators of essential services (OESs), namely companies in the following sectors:
  - Energy
  - Transport
  - Banking
  - Financial market infrastructures
  - Health
  - Drinking water supply and distribution
  - Digital infrastructure
NIS1: Key Requirements
Some key requirements under NIS1 include:
- Implementing technical measures to help prevent cybersecurity breaches.
- Providing information to enable an in-depth assessment of systems and policies.
- Reporting significant cybersecurity incidents “without undue delay” to Computer Security Incident Response Teams (CSIRTs).
Some of these requirements apply differently to DSPs and OESs.
Network and Information Systems Directive 2 (NIS2)
The Network and Information Security Directive (NIS2), or Directive (EU) 2022/2555, repeals NIS1. By 17 October 2024, all EU member states must implement new national laws that amend or repeal the laws implemented following NIS1.
Who Is Covered By NIS2?
NIS2 amends and expands the scope of NIS1:
- DSPs and OESs are no longer distinguished. Services are either “essential” or “important”.
- NIS2 covers new sectors, including wastewater management, food, and IT services providers.
- Some small businesses are exempt from NIS2. EU member states have some discretion over which businesses are exempt.
Organisations operating in the supply chain of a NIS2-covered entity might also be indirectly impacted by the law.
NIS2: Key Obligations
Some of the key obligations under NIS2 include:
- Implementing a set of cybersecurity policies, including:
  - Risk analysis and incident response
  - Encryption
  - Vulnerability disclosure
  - Security training
  - IT supply chain security
- Implementing technical, operational and organisational measures to prevent cybersecurity incidents.
- Reporting significant cybersecurity incidents “without undue delay and within 24 hours”.
NIS2 also establishes a regime of sanctions and administrative penalties.
Digital Operations Resilience Act (DORA)
The Digital Operations Resilience Act (DORA), or Regulation (EU) 2022/2554, passed in December 2022 and will apply from 17 January 2025. As a regulation, DORA will apply directly to all EU member states.
Who Is Covered By DORA?
DORA covers companies operating in the finance sector and companies providing IT services in the finance sector.
The regulation lists 20 types of “financial entity” as falling within its scope, including:
- Payment institutions
- Credit institutions
- Crypto-asset service providers
- Investment firms
- Insurance and reinsurance undertakings
- Credit rating agencies
“ICT third-party service providers” are also covered by DORA.
DORA: Key Requirements
Key requirements under DORA include:
- Implementing IT risk management processes.
- Reporting major IT incidents.
- Digital operational resilience testing (penetration testing).
- Sharing threat and vulnerability intelligence.
- Managing third-party risk.
DORA will also impose mandatory standards for contracts between financial entities and ICT third-party service providers.
Critical Entity Resilience Directive (CER Directive)
The Directive on the Resilience of Critical Entities (CER Directive), or Directive (EU) 2022/2557, passed in December 2022. Member states must implement national laws to give effect to the directive by 18 October 2024.
Who Is Covered By the CER Directive?
The CER Directive applies to “critical entities”. Member states have some discretion in deciding which types of organisations are “critical entities”, but they will operate in the following sectors:
- Energy
- Transport
- Banking
- Financial market infrastructure
- Health
- Drinking water
- Wastewater
- Digital infrastructure
- Public administration
- Space
- Production, processing and distribution of food
CER Directive: Key Requirements
Some of the key obligations on critical entities under the CER Directive include:
- Carrying out risk assessments.
- Implementing technical and organisational measures to increase resilience.
- Reporting disruptive incidents to national authorities.
Proposed Cyber Resilience Act
The proposed Cyber Resilience Act was presented by the Commission in September 2022. The text of the regulation is not yet finalised.
Who Is Covered By the Cyber Resilience Act?
The Cyber Resilience Act applies to software or hardware products and their “remote data processing solutions”. Only software and devices that connect or can be connected to a device or network are covered.
As such, the Cyber Resilience Act could impact thousands of software and hardware companies operating in Europe.
The act designates certain types of products as “critical” and further distinguishes “class I” and “class II” critical products.
There are many examples of each type of critical product, including:
- Class I:
  - Browsers
  - Antivirus software
  - VPNs
- Class II:
  - Operating systems
  - Public key infrastructure
  - Smart meters
Remember that there could be changes before the text of the Cyber Resilience Act is finalised.
Cyber Resilience Act: Key Requirements
Some key requirements under the Cyber Resilience Act include:
- Designing, developing, and manufacturing products with an appropriate level of cybersecurity.
- Only releasing products without known vulnerabilities.
- Protecting data processed by the product.
- Providing security updates to address vulnerabilities.
- Notifying users of vulnerabilities.
Stricter rules will apply to class I and II critical products.
We hope this guide was helpful. Thank you for reading and we wish you the best of luck with improving your company’s privacy practices! Stay tuned for more helpful articles and tips about growing your business and earning trust through data-protection compliance.