2022 was a very successful year for cybersecurity policy in the EU. Under the leadership of the two EU Presidencies – French (January – June) and Czech (July – December), we saw the development of various legislative files, strategic and policy approaches. A lot was achieved, indeed.
The French presidency set digital technology as their first priority. Cybersecurity was among the main issues on their agenda.
- Already in January, the Presidency, together with ANSSI (the French National Agency for Security of Information Systems), convened CyCLONe (the European Cyber Crises Liaison Organisation Network, which supports the coordination of large-scale cybersecurity incidents) to discuss potential mutual assistance in case of a major attack against a Member State;
- In March an informal meeting of the EU Telecommunications and Digital Affairs Ministers took place in Paris to address the Ukraine war, which triggered cybersecurity threats in the EU. Ministers agreed to accelerate European cybersecurity cooperation;
- In May the first ever meeting of the three networks – CSIRT, CyCLONe and the NIS Cooperation Group – was organised in Paris to discuss how to enhance cybersecurity in Europe;
- Also in May the provisional agreement on the Regulation on digital operational resilience for the financial sector (DORA) was reached. New measures that apply to financial entities were put forward, also strengthening and centralising reporting mechanisms;
- Again in May the Council and the European Parliament reached a provisional agreement on the EU Network and Information Systems (NIS2) Directive. NIS2 applies to both companies and European countries, sets targeted measures, widens the scope to apply to new sectors (e.g. public administrations, manufacturers, medical devices, impacting thousands more companies), introduces a possibility for companies to report vulnerabilities that will be managed in a European vulnerability database, and introduces new rules for tackling supply chain attacks;
- In June the political agreement on the Directive on the resilience of critical entities followed, supplementing the NIS2 Directive by introducing physical security measures for critical entities.
In July 2022, the Czech presidency hit the ground running – it had a very ambitious cybersecurity agenda from the start: one of its five general priorities was “Strengthening European defence capabilities and cybersecurity”. In its programme, the Czech Presidency stated it would focus on boosting the EU’s resilience to hybrid and cyber threats and stimulate discussions on cyber diplomacy, two topics that have dominated the EU’s cybersecurity policy agenda since the 2020 Cybersecurity Strategy’s adoption.
Among the most important legislation adopted during the Presidency were two key pieces of cybersecurity legislation:
- The NIS2 Directive (+ the Directive on the resilience of critical entities);
- The DORA.
Other tangible outcomes of the Czech Presidency’s impressive agenda included:
- In September the Proposal for a Cyber Resilience Act was published, aiming at addressing vulnerabilities in connected devices and ensuring cybersecurity throughout their life cycle;
- In October, the Council conclusions on ICT supply chain security were adopted to strengthen existing instruments such as public procurement or foreign direct investment screening frameworks, also detailing how existing and future EU cybersecurity legislation can be used to secure the ICT supply chain;
- In November, the Council adopted its general approach on a draft Regulation aiming at ensuring a high common level of cybersecurity across the EU institutions, bodies, offices and agencies to respond to the significant rise in sophisticated cyberattacks against EU public administrations in the last few years;
- In December a general approach on a framework for a European digital identity (eID) was adopted, which appoints ENISA as the agency to certify compliance of e-wallets with the relevant cybersecurity requirements.
All these achievements make 2022 an excellent year for EU cybersecurity, strengthening the EU’s legislative and policy powers, as well as its role as an international cybersecurity actor. 2022 set a very high bar for 2023, which will see the two presidencies of Sweden and Spain. They should further work on the negotiations of the Cyber Resilience Act, as well as the development of the cyber diplomacy posture.