Cybersecurity

From RI Wiki

This page is a translated version of the page Cybersecurity; the translation is 100% complete and up to date.

Legal Acts

Background and Overview

General

Cybersecurity refers to practices for the protection of digital systems, networks, and data from attacks, unauthorized access, and damage.[1]

IT security: Focuses on the protection of information technology systems.

Information security: Encompasses the protection of all types of information, both digital and physical.

Network security: Focuses specifically on the protection of computer networks.

Data security: Aims to protect data from loss, manipulation, and unauthorized access.

As part of its cybersecurity strategy, the European Union (EU) aims to set standards to increase the level of cybersecurity in the EU. The EU's cybersecurity strategy is a key component of its efforts to make the digital transformation secure and resilient. It aims to increase resilience against cyber threats, ensure technological sovereignty, and strengthen cooperation both within the EU and with international partners. This strategy is closely linked with a series of legal acts that govern and implement specific aspects of cybersecurity. The strategy emphasises the importance of a coordinated approach by all member states as well as a high degree of technological independence. At the same time, international cooperation is fostered to develop global standards for a secure cyberspace.

The EU Cybersecurity Strategy pursues three main objectives:

It addresses the growing threat of cyberattacks, which are becoming increasingly complex and affect critical infrastructure as well as businesses and citizens. To meet these challenges, the EU relies on a combination of regulatory measures, investment in technology, and political cooperation. The essential legal acts in the context of the cybersecurity strategy are:

NIS2 Directive (Network and Information Security Directive)

The NIS2 Directive forms the backbone of the EU cybersecurity strategy and aims to ensure a high common level of security for network and information systems across the EU. It replaces the original NIS Directive from 2016 and expands its scope to 18 critical sectors, including energy, healthcare, transport, and digital infrastructure. The directive requires member states to develop national cybersecurity strategies and enhance cooperation in responding to cross-border incidents. Companies in the affected sectors must implement strict risk management measures and report security incidents.

CER Directive (Critical Entities’ Resilience Directive)

This directive complements the NIS2 Directive by specifically focusing on the physical and digital resilience of critical infrastructures. It obliges member states to identify critical entities and ensure their protection against cyber and physical threats.

DORA (Digital Operational Resilience Act)

DORA targets the financial sector and establishes detailed requirements for IT risk management. The goal is to ensure that financial institutions such as banks or insurance companies remain functional even in the event of serious cyber incidents. The focus is on stress tests, reporting obligations, and the monitoring of third-party providers.

Cyber Resilience Act (CRA)

The CRA aims to introduce mandatory cybersecurity requirements for products with digital elements. Manufacturers are obliged to consider security aspects throughout the entire product lifecycle. This is intended to help minimize vulnerabilities in digital products at an early stage.

Cyber Solidarity Act

This legal act strengthens cooperation between EU member states in tackling major cyberattacks. Among other things, it provides for an emergency mechanism and an early warning system for cybersecurity incidents.

Cybersecurity Act (CSA)

The CSA established an EU-wide certification system for ICT products and strengthened the mandate of the European Union Agency for Cybersecurity (ENISA). The goal is to create uniform standards for cybersecurity across the entire EU.

References

  1. Various alternative terms are often used in connection with cybersecurity, e.g.: