Digital compliance has become a significant focus for any organisation providing or consuming digital products and services in Europe. With the continuous evolution of digital technology, businesses increasingly struggle to stay on the right side of the law and operate resiliently. So, strategic navigation is crucial.
The EU’s unwavering commitment to digital transformation is one of its top priorities. The EU is actively shaping policies to enhance Europe’s capacities in new digital technologies, open new opportunities for businesses and consumers, support the EU’s green transition towards climate neutrality by 2050, bolster digital skills and workforce training, and digitalise public services while respecting fundamental rights and values. This steadfast commitment should reassure corporate leaders about the direction of EU policies.
However, the digital regulatory landscape across Europe remains varied, with some issues still subject to local implementation. Further complexity arises from Brexit, adding another layer of divergence in digital regulation.
The Commission’s Digital Decade policy programme sets specific targets for 2030 in areas like digital skills, secure and sustainable digital infrastructures, business digital transformation, and public service digitalisation. In May 2021, the European Parliament urged the Commission to address the challenges of the digital transition, harness the potential of the digital single market, improve AI use, and support digital innovation and skills.
This overview delineates five key legislative developments from the 2019-2024 term—the NIS2 Directive, the AI Act, the Cyber Resilience Act, the European Cloud Security Certification Scheme (EUCS), and the European Cybersecurity Competence Centre (ECCC)—each designed to address specific challenges in the digital environment. By understanding and strategically responding to these legislative goals, you can leverage these regulations to enhance your competitive edge in the digital marketplace.
The Heavy-Weight: The NIS2 Directive
As digital and physical are increasingly intertwined, new dangers arise. That’s where the NIS2 Directive comes in: it aims to bolster the security of critical infrastructure and industries by addressing gaps in cybersecurity preparedness.
The NIS2 Directive, the heir to the NIS1 Directive of 2016, the first piece of EU-wide legislation on cybersecurity, is a game-changer. It applies to entities that provide vital services or carry out specific activities within the EU. By setting stricter requirements and increasing regulatory oversight, NIS2 seeks to strengthen resilience across sectors.
Strategic Implications:
- EU Member States must elaborate national cybersecurity strategies. These will likely be a challenge as NIS2 marks a considerable increase in the number of companies and sectors in scope (more than 160,000 across the EU).
- Organisations must regularly assess and bolster their cybersecurity protocols to meet NIS2 requirements. An organisation’s leadership is also likely to be held liable for failing to meet the Directive’s requirements.
- Entities should establish robust cybersecurity partnerships with suppliers and partners to ensure a unified defence mechanism.
- NIS2 is expected to result in a harmonised EU regime for handling cyber incidents, with specific rules for incident reporting and enforcement across Europe.
What You Can Do:
We have elaborated a practical guide on translating compliance technicalities into actionable objectives so that every team knows its role in bolstering cyber resilience and reducing risk while providing quality products to your customers.
The Visionary: The AI Act
AI has the potential to improve essential services and provide tailored assistance. It can also optimise production processes and give European businesses a competitive edge. To ensure Europe makes the most of AI’s potential, the EU has accentuated the need for human-centric AI legislation to establish a trustworthy framework that can implement ethical standards, support jobs, help build competitive “AI made in Europe”, and influence global standards.
The AI Act, a landmark in regulating AI, is the first-ever binding framework on AI and a milestone in regulating this technology more widely. It regulates the development and deployment of AI, ensuring its ethical, safe, and transparent use. The scope of the Act extends to providers and users of AI systems used in the EU, regardless of their location. This coverage underscores the AI Act’s importance in shaping AI’s future and should make corporate leaders feel the need to adapt to the new regulations.
Strategic Implications:
- AI systems will be categorised based on risk levels, necessitating tailored compliance measures. The AI Act targets many entities, including AI system providers, importers, distributors, and deployers.
- Adhering to the AI Act involves more than mere compliance, particularly for cybersecurity teams; it’s about embracing a culture of transparency, responsibility, and continuous risk assessment in a framework that prioritises respecting fundamental rights and freedoms.
What You Can Do:
While each novel technology brings new considerations and risks to evaluate, the security profession must proactively address a handful of constants. In this context, Sysdig’s CTO provides valuable insights into the implications of the AI Act and how to navigate its requirements.
The Double-Faced: The Cyber Resilience Act
Protecting consumers and companies from the growing risks of the cyber world is another challenge on the EU’s digital agenda. As the number of connected devices, such as baby monitors or smartwatches, grows, it is crucial that they are secure and do not serve as potential gateways for cyberattacks.
That’s where the Cyber Resilience Act (CRA) kicks in. The main aim of the CRA is to introduce mandatory cybersecurity requirements for manufacturers and retailers to ensure that products with digital elements are designed, developed and maintained securely from the outset. These requirements cover the entire life cycle of the products and include aspects such as risk assessment, conformity testing, and continuous cybersecurity monitoring.
We have dubbed the CRA’ the double-faced’ because it will likely impact cybersecurity maturity and product market access significantly. On the one hand, products that comply with the new standards must bear the CE mark, enabling consumers and companies to make more informed decisions. On the other hand, the new standards and obligations may pose significant challenges for manufacturers and retailers, potentially affecting their ability to bring products to market.
Thus, one requirement is that no product or service in scope must reach the EU market bearing known vulnerabilities. Another obligation is a heavy-handed notification procedure for vulnerabilities and security incidents. Due diligence obligations also apply to importers and distributors of products and services in scope, who must ensure that these comply with essential cybersecurity requirements and bear the CE marking.
Strategic Implications:
- The CRA mandates that all involved in product or service development ensure security from inception and throughout its lifecycle. Besides, updates must be provided at least five years after the end of life.
- Mandating a detailed recovery and incident response plan and a structured vulnerability management approach will create friction between business lines and cybersecurity teams.
What You Can Do:
We have elaborated a practical guide on translating compliance technicalities into actionable objectives so that every team knows its role in bolstering cyber resilience and reducing risk while providing quality products to your customers.
The Facilitator: The ECCC
The European Cybersecurity Competence Centre (ECCC) has emerged as a driving force in strengthening Europe’s digital skills landscape. Established to enhance Europe’s cybersecurity capabilities and competitiveness, the ECCC collaborates closely with a Network of National Coordination Centres to build a robust cybersecurity community.
The ECCC plays a pivotal role in addressing the digital skills gap by fostering research, innovation, and education in cybersecurity. This initiative emphasises the importance of public-private partnerships and cross-border collaboration in advancing digital skills across the continent, ultimately ensuring that people and businesses can fully utilise technological advancements.
Strategic Implications:
- The ECCC is tasked with pooling resources and expertise to enhance cybersecurity across the EU. It focuses on upskilling the workforce to meet the demands of a digital economy.
- Throughout its mandate, the Centre could support the implementation of specific policies such as the NIS2 Directive and the Cyber Resilience Act.
- Through its Strategic Agenda, the ECCC defines a vision for the EU investment in cybersecurity. The overarching goal is to increase the global competitiveness of the Union’s cybersecurity industry with a strong focus on SMEs and startups.
What You Can Do:
Invest in continuous cybersecurity training and skills development programs for your workforce to ensure they remain adept at handling emerging cyber threats. And keep an eye on the ECCC’s funding opportunities.
The Political: The EUCS
The fifth achievement we bring to your attention is a particular one: how a technical matter – a cloud security certification scheme – has become a highly politicised debate over sovereignty. We have chosen this case since it serves as a cautionary tale: this scheme is the victim of a three-year deadlock which detracts from answering questions about the cybersecurity requirements themselves, scheme implementation, and standards harmonisation across the EU, all of which may have attendant effects on the region’s cybersecurity and resilience.
The EU’s 2020 joint declaration on the cloud initially described Europe’s aim and intention to boost the capability and reach of Europe’s CSPs. In December 2020, the EU Agency for Cybersecurity (ENISA) released a draft of what is best known as the EUCS. The EU Cloud Security Certification Scheme (EUCS) thus aims to create a harmonised cybersecurity certification framework across the EU to enhance trust and security in digital products and services.
Things sorely escalated when the negotiations on the scheme reached the topic of EU’ digital sovereignty’. ENISA’s strong commitment to the EUCS stems from perennial EU concerns about US firms providing foreign governments with EU data. Thus, aspirations to elevate EU CSPs and remove European dependence on US competitors have taken centre stage in the past three years. The EUCS’ digital sovereignty’ goals include strict CSP headquarters and operations requirements; if maintained, such obligations would effectively bar non-European CSPs from attaining the same high levels of assurance certification as European CSPs.
EU countries have been in a pitched battle over these ‘digital sovereignty’ provisions in the EUCS. France, Italy, and Spain have remained their primary supporters. The Netherlands, Denmark, Estonia, Greece, Ireland, Lithuania, Poland and Sweden reportedly issued a joint non-paper opposing these requirements in EUCS. To break the gridlock, the Belgian Presidency of the EU released a compromise earlier in 2024 – a compromise… that will need to wait for the new European legislature to begin its term.
Strategic Implications:
- Establishing a cohesive certification process across EU member states makes sense for reinforcingto reinforce the Union’s global cybersecurity maturity. A harmonised standard will help to build consumer and stakeholder trust through certified security measures.
- ENISA designed the EUCS as a “voluntary” cybersecurity certification scheme that companies can leverage to demonstrate the soundness of their privacy and security measures. However, in practice, consumers may include the EUCS as a tender requirement, making the certification mandatory. Furthermore, the NIS2 allows EU governments and the European Commission to require that cloud customers only utilise cloud services certified by the EUCS.
What You Can Do:
Engage proactively with certification bodies to ensure your products and services meet EUCS requirements, thus enhancing market credibility. And ensure you have a steady supply of coffee coming your way while doing so.