Skip to main content

Clifford Chance

Clifford Chance
Cyber<br />

Cyber

Talking Tech

Cybersecurity in Europe: where are we now?

Cyber Security Telecoms Infrastructure 26 January 2024

Four years into the 2020s there is a clear push in the European Union harmonisation of the rules within the cyber security landscape, with the financial services sector, devices, and cloud security being key areas of focus.

This has been a long time coming. The EU's cybersecurity policy began in the mid-1990s, in specific areas such as telecommunications and data protection. Critical infrastructure and criminal matters became a key focus in the 2000s, before an EU-wide effort was consolidated in the 2013 Cybersecurity Strategy. In 2017, the Strategy was amended, directing efforts towards all cyber threats: "they are often criminal, motivated by profit, but they can also be political and strategic". The 2020 Cybersecurity Strategy for the Digital Decade develops the EU's efforts yet further to address the expanding cybersecurity landscape.

Where we are…

The current data protection and cybersecurity framework is underpinned by the 2016 General Data Protection Regulation (GDPR), applying since May 2018. The GDPR has significantly impacted the activities of operators within the EU through imposing requirements on data processing and transfer, and on data security. Layered over the GDPR are a series of cybersecurity regulations, such as the 2018 Network and Information Systems Directive (NIS 1), which sought to establish a common level of security for network and information systems, and the 2019 EU Cybersecurity Act (CSA), which strengthened the European Union Agency for Cybersecurity (ENISA) and created an EU-wide cybersecurity certification framework.

Where we're going…

There is growing concern around the social and economic aspects of cybersecurity at the EU level, which has led to an increased focus on creating strategic regulations for cybersecurity. This includes covering areas from traditional electronic and telecommunications through to electronic signatures and identity, as well as organisational and operational resilience and cybercrime.

Under the guise of its 2020 Cybersecurity Strategy for the Digital Decade, the EU has embarked on a flurry of regulatory developments and proposals that, between them, aim to enhance the baseline cybersecurity of organisations operating in the EU, and levy stronger obligations on certain sectors such as financial services and critical infrastructure.

In this overview article, we examine some of these key regulatory developments in the EU, whilst highlighting equivalent efforts, where applicable, in the UK.

Sectoral Regulation: Financial Services and Critical Sectors

Digital Operational Resilience Act (DORA)

Aimed at harmonising national rules across the EU for the financial sector concerning operational resilience and cybersecurity regulation, DORA is an EU regulation that establishes uniform requirements for the security of network and information systems of entities operating in the financial sector (Financial Entities) as well as critical third parties which provide services related to information communication technologies (ICT), such as cloud platforms or data analytics services. DORA creates a regulatory framework on digital operational resilience whereby all in-scope firms need to make sure that they can withstand, respond to, and recover from, all types of ICT-related disruptions and threats.

Who does it apply to?

DORA will apply to Financial Entities and to ICT third-party service providers, which the European Supervisory Authorities (ESAs) designate as "critical" for Financial Entities through a newly established oversight framework. The ESAs are the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority. The ESAs will make this designation based on a set of qualitative and quantitative criteria, including:

  • the systemic impact on the stability, continuity or quality of financial services in the event that the ICT third-party provider faces a large-scale operational failure to provide its services
  • the systemic character or importance of Financial Entities that rely on the ICT third-party service provider
  • the degree of reliance of those Financial Entities on the services provided by the ICT third-party service provider in relation to critical or important functions of those Financial Entities
  • the degree of substitutability of the ICT third-party service provider.

Enforcement

Following the January 2025 deadline, and once standards have been finalised by the ESAs, responsibility for enforcement will be vested in designated regulators in each EU Member State, referred to as the "competent authorities". These competent authorities can demand that financial entities implement specific security measures and rectify vulnerabilities. They will also be able to impose administrative and, in certain instances, criminal penalties on entities that do not adhere to the regulations. DORA does not provide specific details regarding the nature or extent of penalties for non-compliance to competent authorities. Rather, it is the responsibility of Member States to devise rules pertaining to penalties and corrective measures.

ICT providers that are classified as "critical" by the European Commission will be under the direct supervision of "Lead Overseers" from the ESAs. Mirroring the role of competent authorities, Lead Overseers can demand security measures and remediation, and penalise non-compliant ICT providers up to 1 percent of the provider's average daily worldwide turnover in the preceding business year. These fines can be imposed daily for a period of up to six months until compliance is achieved.

Timeline

  • 16 January 2023: DORA entered into force.
  • 17 January 2025: DORA will apply to in-scope firms.

Further Information

Network and Information Security Directive (NIS 2)

In 2020, the European Commission, having recognised that there were differing approaches to Member State implementation of NIS 1 that had led to significant inconsistencies and fragmentation in the regulatory landscape, decided to embark on a successor, NIS 2. NIS 2 is intended to reduce divergence, as well as increase co-operation between responsible authorities in Member States. It will impose more rigorous security requirements on public and private entities and mandate the establishment of governance structures for managing cybersecurity, adherence to breach reporting obligations, and the monitoring of supply chains for cybersecurity risks.

Who does it apply to?

NIS 2 applies to all entities which: (i) provide their services or carry out their activities in the EU; and (ii) match the description of either an "essential" or an "important" entity in a defined list of sectors. Notable exceptions to this are: (i) a size-cap, which means small and micro businesses are excluded in many cases; and (ii) Member States can make exemptions for specific entities that carry out activities in the areas of national security, public security, defence or law enforcement. Member States will need to designate national "essential" and "important" entities by 17 April 2025. However, some entities, such as trust service providers, will automatically be in-scope, regardless of their size.

NIS 2 applies to the same sectors that are covered under NIS 1, and also to new, additional sectors. NIS 2 applies to the existing set of essential entities recognised to be covered under NIS 1: energy; transport; banking; financial market infrastructures; health; drinking water; wastewater; and digital infrastructure. Under NIS 2, entities in the following new sectors will also be covered, due to their high criticality: ICT service management (B2B); public administration; and space. Additionally, other critical sectors that will be covered include postal and courier services; waste management; the manufacture, production, and distribution of chemical products; the production, processing and distribution of food; manufacturing; digital providers; and research.

Where sector-specific EU legislation imposes equivalent requirements for essential or important entities to adopt measures or notify significant incidents, the requirements under NIS 2 and any associated supervision and enforcement provisions will not apply. For example, any overlap with DORA will be addressed by DORA.

Key differences compared with NIS 1

  • Under NIS 1, entities were classified as either "operators of essential services" or "digital service providers" but this distinction did not reflect the importance of the entity to society and the economy. NIS 2 eliminates this classification, with the "essential" or "important" classification depending on sector or the type of service provided and, in most cases, an entity's size.
  • Under NIS 1, Member States were responsible for the classification of "operators of essential services". NIS 2 applies in a more prescriptive manner, in order to ensure more consistent application across Member States.
  • The scope of NIS 2 has been widened to capture entities in a number of additional sectors and subsectors compared with NIS 1, including, for example, social media platforms, public administration, and certain manufacturing (e.g. of medical devices).

Enforcement

NIS 2 provides national authorities with greater powers to supervise and sanction in-scope entities. These are different for "essential" and "important" entities:

  • Essential entities will experience a proactive supervisory regime, including random inspections, audits, and security scans.
  • Important entities will experience a lighter supervisory regime in the event of evidence or indications of non-compliance.

Breaches may result in a fine up to a maximum of EUR 10,000,000 or 2% of global annual turnover (whichever is higher) for essential entities, or EUR 7,000,0000 or 1.4% of global annual turnover for important entities.

Timing

  • 16 January 2023: NIS 2 entered into force.
  • 17 October 2024: by this date, EU Member States must have transposed NIS 2 into national law.
  • 17 April 2025: by this date, EU Member States must have designated "essential" and "important" entities.
  • TBC: the date by which entities must comply with the national implementing rules is currently unspecified.

UK Proposed Changes to NIS 1

After Brexit, the UK, which had transposed NIS 1 into national law through the NIS Regulations, is not obligated to implement NIS 2. In January 2022, the UK Government launched a public consultation on proposals to improve the UK's cyber resilience, to include seven policy measures, split across two categories: the first, to amend provisions relating to digital service providers, and the second, to modernise the NIS Regulations.

The UK's proposed reforms expand the existing UK NIS Regulations but are less extensive than the EU's NIS 2 Directive. The UK government acknowledges this divergence, stating that its more flexible, risk-based approach are tailored to the UK economy and can achieve the same results but at a lower cost to business. However, any organisations that are "essential" or "important" entities with customers across the UK and the EU will need to comply with NIS2 in any event.

Further Information

Product & service assurance

(New) Cybersecurity Act

The new EU Cybersecurity Act (CSA), an EU regulation, came into force on 27 June 2019, superseding the previous EU Cybersecurity Act. The CSA strengthened the European Union Agency for Cybersecurity (ENISA) by conferring on it a permanent mandate and amplified resources and tasks, including the formulation and preservation of the European cybersecurity certification framework. ENISA is now also mandated to increase operational co-operation across EU member states and assist those who need help with their cybersecurity incidents.

The CSA also launched an EU-wide cybersecurity certification framework for ICT products, services, and processes, marking out three specified assurance levels which define the resilience of a product, service, or process against cyberattacks. Companies are required to certify their ICT offerings to attain a recognised certificate that holds validity across the EU.

Who does it apply to?

The CSA established a regime for businesses to certify their products against EU cybersecurity standards. Certification will be optional, unless explicitly required for certain categories of products or services by sector-specific standards, which the European Commission reserves the right to evaluate on a regular basis.

Timing

  • 27 June 2019: CSA entered into force, becoming directly applicable in all EU Member States.
  • 28 June 2021: additional Articles entered into force: Articles 58 (National cybersecurity certification authorities), 60 (Conformity assessment bodies), 61 (Notification), 63 (Right to lodge a complaint), 64 (Right to an effective judicial remedy) and 65 (Penalties).
  • 18 April 2023: European Commission proposed an amendment to enable the future adoption of European certification schemes for "managed security services", covering areas such as security audits, incident response, penetration testing, and consultancy.

Further Information

Cyber Resilience Act (Proposed)

The proposed Cyber Resilience Act (CRA) imposes minimum cybersecurity requirements for "products with digital elements", aiming to bolster the security of hardware and software products within the EU. The proposed regulation is designed to meet four distinct goals:

  • Encourage manufacturers to enhance the security of products with digital elements from the design and development stage and throughout their entire life cycle.
  • Establish a consistent cybersecurity framework to simplify compliance for hardware and software manufacturers.
  • Increase the transparency of security features of products with digital elements.
  • Empower businesses and consumers to utilise products with digital elements in a secure manner.

Who does it apply to?

The CRA will apply to:

  • Manufacturers
  • Importers
  • Distributors of "products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network".

Manufacturers will face the heaviest compliance burden.

Enforcement

Non-compliant entities under the CRA could face penalties up to EUR 15,000,000 or, in the case of a business, up to 2.5% of its total global annual turnover from the previous financial year, whichever is higher.

Timeline

  • 30 November 2023: the European Parliament and Council reached a provisional agreement.
  • Final agreement and publication is expected in 2024. There will be a transitional period of up to 3 years to comply with the CRA's requirements.

Further Information

UK Product Security and Telecommunications Infrastructure Act

Similar to the EU's CRA, the UK Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) imposes minimum cybersecurity requirements for "connectable products", aiming to bolster the security of consumer hardware products within the UK. The minimum-security requirements for products are based on the UK’s Code of Practice for Consumer IoT security.

Who does it apply to?

The PSTI Act regime will apply to:

  • Manufacturers
  • Importers
  • Distributors.

Manufacturers will face the heaviest compliance burden.

Enforcement

Non-compliant entities under the PSTI regime could face penalties up to GBP 10,000,000 or, in the case of a business, up to 4% of its total global annual turnover from the previous financial year, whichever is higher.

Timeline

  • 6 December 2022: PSTI Act received Royal Assent.
  • 14 September 2023: PSTI Regulation, secondary legislation that outlines the specific cybersecurity requirements applicable to connectable products, introduced.
  • 29 April 2024: requirements under the Act and Regulation come into effect.

Further Information

Cloud

EU Cloud Services Scheme

The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is a draft ENISA standard for cloud service providers. ENISA was directed to draft the EUCS, the EU Common Criteria Scheme (EUCC) and 5G Scheme (EU5G) as part of the original Cybersecurity Act. In the current draft, which was leaked in November 2023, it has four levels of assurance standards (Basic, Substantial, High, High+), each of which imposes incremental requirements.

Among other things, the High+ assurance level is reported to require cloud service providers to adhere to European "sovereignty requirements". This would require data centres and personnel to be located in the EU, in addition to evidence that EU subsidiaries of non-EU companies are operationally independent of their non-EU parent to protect against unlawful access to EU data.

Who does it apply to?

The EUCS will be an optional certification for cloud service provides. However, as part of their NIS 2 implementation, Member States will have the option to require that essential or important entities use EUCS-certified providers.

Timing

  • 22 December 2020: draft version published for consultation.
  • 7 February 2021: consultation closed.
  • 20 November 2023: latest draft leaked.

Further Information