Cybersecurity should be one of the core parts of any business strategy. Strong cybersecurity helps businesses protect their systems, networks and data from cyberattacks, and prevents financial loss, reputational damage and disruption to their operations.

On the occasion of Cybersecurity Awareness Month, we present some key European Union (EU) cybersecurity laws that businesses should be aware of in order to devise and implement strong and legally compliant cybersecurity strategies.

EU NIS2 Directive

The EU NIS2 Directive is part of the EU’s Cybersecurity Strategy, and it establishes measures for a common high level of cybersecurity for critical infrastructures across the EU. It entered into force on January 16, 2023, and updates the EU NIS Directive. EU Member States have until October 17, 2024 to transpose the EU NIS2 Directive into their national laws.

The EU NIS2 Directive applies to “Essential” and “Important” entities within the European Economic Area, meaning entities that are considered critical for the EU economy and society. It covers a broader range of sectors than the EU NIS Directive, and it provides detailed risk-management measures, obligations for senior management, timeframes for reporting cybersecurity incidents and administrative fines in case of non-compliance. In addition, the EU NIS2 Directive mandates the European Union Agency for Cybersecurity (ENISA) with the task of setting up and maintaining a database of publicly known vulnerabilities in products and services.

EU Cybersecurity Act & European Cybersecurity Certification schemes

The EU Cybersecurity Act was adopted on March 12, 2019, and entered into force on June 27 of the same year.

The EU Cybersecurity Act strengthens the role of ENISA by granting the agency a permanent mandate, defining its objectives, tasks and organization, reinforcing its financial and human resources and, overall, enhancing its role in supporting the EU in achieving a common high level of cybersecurity. In addition, the EU Cybersecurity Act lays down the first EU-wide cybersecurity certification framework, to ensure a common cybersecurity certification approach in the European internal market and ultimately to improve cybersecurity across a broad range of ICT products, services and processes.

On April 18, 2023, the European Commission proposed a targeted amendment to the EU Cybersecurity Act with the aim of enabling the adoption of EU Cybersecurity Certification schemes for “managed security services” covering areas such as incident response and security audits.

In addition, on October 3, 2023, the European Commission issued a draft Implementing Regulation with a view to establishing the roles, rules, obligations and structure of the European Common Criteria-based cybersecurity certification scheme (EUCC). This voluntary scheme will introduce a set of security requirements for ICT security products such as firewalls, encryption devices and electronic signature devices, and for ICT products with inbuilt security functionality such as routers, smartphones and bank cards. The draft Implementing Regulation is open to public consultation, and stakeholders can submit their feedback until October 31, 2023.

The final version of the Implementing Regulation is expected in the fourth quarter of 2023, and it will become applicable 12 months after its entry into force. Once the EUCC is applicable, all national cybersecurity certification schemes, and the related procedures for ICT products and processes covered by the EUCC, shall no longer produce effects to the extent that they apply to the evaluation standards and the specific evaluation criteria and methods enshrined in the EUCC.

EU Cyber Resilience Act

On September 15, 2022, the European Commission proposed the EU Cyber Resilience Act, which aims to set common standards for the cybersecurity of products with digital elements.

The EU Cyber Resilience Act requires that products with digital elements may only be made available on the market if they meet specific essential cybersecurity requirements. It applies both to tangible digital products, such as connected devices, and to non-tangible digital products, such as software embedded in connected devices, and it requires manufacturers to factor in cybersecurity from the design and development phase and throughout the product’s life cycle.

The EU Cyber Resilience Act exempts from its scope connected devices that are already covered by sectoral legislation, such as medical devices, certain vehicles and their trailers, and aviation. In addition, it does not apply to software-as-a-service unless it is part of an integral remote data processing solution for a product with digital elements, nor to free and open-source software developed or supplied outside the course of a commercial activity.

The EU Cyber Resilience Act divides the products that fall within its scope into classes based on their cybersecurity risk level, and imposes different compliance obligations for each class. Among other things, it provides for:

  • detailed rules for the placing on the market of products with digital elements, to ensure the cybersecurity of such products;
  • essential requirements for the design, development and production of such products, and obligations for economic operators in relation to their cybersecurity;
  • essential requirements for vulnerability management with regard to cybersecurity; and
  • rules on market surveillance and enforcement of the above-mentioned rules and requirements.

On September 13, 2023, the European Parliament confirmed the decision of the Committee on Industry, Research and Energy (ITRE) to enter into interinstitutional negotiations. Earlier, on July 19, 2023, the Council of the European Union obtained its negotiating mandate. The EU Cyber Resilience Act will now enter the trilogue stage of the legislative process, which entails interinstitutional negotiations between representatives of the European Commission, the European Parliament and the Council of the European Union, during which the final wording of the Regulation will be agreed.

If adopted, the EU Cyber Resilience Act would complement existing cybersecurity legislation, including the EU NIS2 Directive. Once the proposed EU Cyber Resilience Act enters into force, software and products connected to the internet would bear the CE marking to indicate that they comply with the new standards.

Do not hesitate to contact us if you have any questions! Our Digital laws team is ready to assist you and to provide further information to ensure that your business processes are up to date and compliant with the EU cybersecurity legal landscape.

GDPR Enforcement Trends provides a monthly summary on enforcement action taken by data protection authorities within the UK and EU under the General Data Protection Regulation. We provide key takeaways from the previous month’s developments and identify the EU’s most active regulators.


On July 4, 2023, the highest EU court issued a landmark judgment in Case C-252/21, in which the German court had referred several questions for a preliminary ruling relating to (i) the interplay between data protection concerns and competition law breaches and (ii) the interpretation of the EU General Data Protection Regulation (GDPR). This judgment has far-reaching implications for online operators whose business model is based on personalized content and advertising.


The landscape for privacy regulation in the United States has been changing almost weekly. Most recently, Oregon and Delaware joined California in enacting some of the strictest privacy regulations in the country. Now, amid increased public scrutiny of privacy regulation and enforcement, courts, too, are taking a closer look at privacy laws and pumping the brakes on some privacy rights.


On July 4, 2023, the European Commission presented a Proposal for a Regulation laying down additional procedural rules relating to the enforcement of the General Data Protection Regulation (GDPR) (the Proposal). Divergent enforcement of the GDPR by national Supervisory Authorities (SAs) in cross-border cases – cases that affect individuals located in more than one Member State – has compelled the Commission to redress that divergence through this Proposal, which will complement the GDPR. It aims to improve the consistent and swift enforcement of the GDPR while ensuring seamless cooperation among SAs in cross-border cases. The Proposal further harmonizes the rights and obligations of complainants and defendants throughout the handling of a complaint and the investigation process.

1. What Are the Main Takeaways From the Proposal?

For Parties Under Investigation (Controllers and Processors)

The Proposal clarifies the rights of defendants and notably provides them with the following rights:

  • To receive a copy of the preliminary findings of the Lead Supervisory Authority (LSA), including the corrective measures being considered, and to provide a written reply to these preliminary findings.
  • To be heard regarding new elements raised in the revised draft decision.
  • To get access to the administrative file (which must include all documents, inculpatory and exculpatory, including facts and documents that are known to the parties under investigation) after notification of the preliminary findings.
  • To identify documents submitted for their defense as confidential documents.
  • To receive a copy of the statement of reasons explaining the reasoning behind the binding decision that the European Data Protection Board (EDPB) intends to adopt, and to provide comments on the statement of reasons.

For Complainants

The Proposal clarifies the rights of complainants and notably provides them with the following rights:

  • If a partial or full rejection of the complaint is being considered, to submit their views and to get access to the non-confidential version of the documents on which the proposed rejection of the complaint is based.
  • To be informed of their right to challenge in court the decision rejecting their complaint.
  • To receive a non-confidential copy of the preliminary findings of the LSA (including, where relevant, a non-confidential version of documents included in the administrative file), and to provide a written reply to these preliminary findings.
  • If a partial or full rejection of the complaint is being considered, to receive a copy of the statement of reasons explaining the reasoning behind the binding decision that the European Data Protection Board (EDPB) intends to adopt, and to provide comments on the statement of reasons.

For SAs

The Proposal sets out common rules to be followed when handling complaints and conducting investigations, notably:

  • It introduces a harmonized complaint form and clarifies which information must be submitted along with it.
  • It harmonizes the criteria to be taken into account when assessing the admissibility of a cross-border complaint, and the timeframe within which a decision on admissibility must be reached.
  • It introduces an obligation for SAs to propose an amicable settlement to the parties where possible.
  • It introduces an obligation for the LSA to regularly update the SAs concerned about the progress of the investigation and to provide them with relevant information once it is available.
  • It gives the SAs concerned the possibility to provide comments and to raise disagreements regarding the assessment of the LSA.
  • It introduces the possibility to request an urgent binding decision from the EDPB if no consensus can be reached between the LSA and the SAs concerned.

2. What Are the Next Steps?

The EU co-legislators, the Council and the Parliament, will now assess the Commission’s Proposal and put forward their positions in order to reach agreement on the final version of the text before it can be formally adopted. Once formally adopted, this new Regulation will enter into force immediately after publication in the Official Journal of the European Union.


On May 4, 2023, the White House announced three new actions to further promote responsible innovation in artificial intelligence (“AI”) while protecting people’s rights and safety. These actions include: (1) investing in AI research and development institutes; (2) conducting public assessments of existing AI system models; and (3) creating policies for the use of AI by the U.S. government.


The EU Digital Markets Act (DMA) regulates the economic power of large platforms considered “gatekeepers” and imposes new rules to prevent such gatekeepers from engaging in unfair practices. The DMA entered into application on May 2, 2023, and organizations have until July 3, 2023 to assess whether they fall within its scope and need to notify the European Commission.
