Navigating the Future: Key EU Cybersecurity Regulatory Frameworks for 2024-2029

The European Union (EU) is leading the development of comprehensive cybersecurity regulations. These frameworks shape secure digital environments and protect businesses and citizens from cyber threats. For industry leaders and cybersecurity practitioners, especially those focused on cloud technologies, understanding and navigating these frameworks is key to maintaining compliance and gaining a competitive edge.

Having explored the regulatory heritage from the 2019-2024 legislature and the influential MEPs who returned to the Parliament in previous blogs, let’s now focus on the five key regulatory frameworks that will shape the EU’s cybersecurity landscape in the new legislature.

NIS2 Directive

The NIS2 Directive builds upon the original NIS Directive. It strives to achieve a high common level of cybersecurity across the EU. 

Why it matters:

It mandates that Essential and Important Entities implement risk management measures (covering, among others, incident handling, supply chain security, access control and encryption) and report significant incidents on fixed timelines (an early warning within 24 hours, a full notification within 72 hours, and a final report within one month) to protect critical infrastructure, including cloud-based systems.

Status:

The NIS2 Directive came into force on 16 January 2023. Member States are currently transposing it into national law, with a deadline of 17 October 2024.

Challenges:

  • Expanded scope: NIS2 covers more sectors than its predecessor, increasing the compliance burden for organisations, especially those newly included under its scope, such as small or sector-oriented CSPs.
  • Harmonised penalties: The directive sets EU-wide minimum levels for administrative fines (up to EUR 10 million or 2% of worldwide annual turnover for Essential Entities, and up to EUR 7 million or 1.4% for Important Entities) and makes management bodies personally accountable for approving and overseeing the risk management measures. This adds pressure on organisations to meet stringent security requirements.
  • Uneven transposition across Member States: Businesses operating in many countries must navigate different national laws, timelines and requirements, increasing compliance complexity and costs.

Strategic implications:

  • Leaders must develop sound executive oversight and invest in training for themselves and their employees.
  • Cybersecurity teams need processes that support rapid incident detection, reporting within the directive's deadlines, and resilience against disruptions, with a particular focus on cloud security.

What should I do:

  • Conduct a compliance audit of the organisation’s security practices to ensure alignment with NIS2 requirements and develop a compliance roadmap.
  • Enhance training programs to educate employees on compliance and incident response protocols.
  • Track national legislation to know about the progress of NIS2 transposition in relevant countries and adjust compliance strategies.
  • Read Sysdig’s Point of View paper to gain unique insights into upgrading security technologies and infrastructure to meet the directive’s requirements.

Digital Operational Resilience Act (DORA)

DORA targets the financial sector, emphasising IT security and operational resilience.

Why it matters:

It imposes strict requirements across five areas: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing (including threat-led penetration testing for the most significant entities), ICT third-party risk management (which explicitly covers cloud providers), and information sharing. Together these are meant to ensure financial system stability amid increasing digital risks, including those associated with cloud services.

Status:

DORA will become applicable on 17 January 2025.

Strategic implications:

  • Leadership strategy should improve IT security frameworks, ensuring resilience and incident management are integral to business continuity plans.
  • Cybersecurity practitioners must conduct regular testing and updates to withstand cyber threats and maintain customer trust, particularly in cloud environments.

What should I do:

  • Create and update operational resilience plans to address potential ICT-related incidents.
  • Implement a schedule for regular resilience testing to ensure systems can withstand cyber threats.
  • Allocate resources wisely to balance compliance efforts with other business objectives.
  • Ensure continuous compliance through automated policy updates with the Sysdig CNAPP Platform.

EU Cybersecurity Certification Scheme for Cloud Services (EUCS)

The EUCS is a pivotal certification scheme targeting cloud services. It aims to enhance trust in cloud services by defining comprehensive security requirements. It also seeks to improve and streamline cybersecurity guarantees across specific levels of assurance and all kinds of cloud services across the EU.

Status:

The latest draft of the EUCS was updated in March 2024, but has no known adoption date.

Why it matters:

The EUCS aims to ensure that cloud service providers (CSPs) adhere to rigorous cybersecurity standards and provide EU customers with a comprehensive view of prospective CSPs’ risks. CSPs seeking the highest certification level will file an “International Company Profile Attest” to state which jurisdiction(s) they are subject to, which will then be communicated to customers.

Challenges:

  • Compliance costs: Implementing EUCS can be costly, especially for cloud startups and smaller businesses. These may face significant financial burdens in meeting certification requirements.
  • Legal complexity: The current draft leaves room for Member States to impose sovereignty requirements on top of the attestation, for example through national law or procurement, which could then be incorporated into contractual agreements. The legal position may therefore differ by country.
  • Market entry: Because the EUCS is intended as the technical tool customers use to compare CSPs against best practices, providers without certification may find it harder to win EU customers, particularly in the public sector and regulated industries.

Strategic implications:

  • For C-level executives, evaluating the strategic impact of EUCS on their cloud strategies is crucial, especially if they rely on non-EU providers. Understanding these requirements can help businesses align their cloud service choices.
  • Cybersecurity practitioners should ensure their cloud services meet certification levels, collaborating with CSPs to follow EUCS, particularly on data localisation and security measures.

What should I do:

  • Assess current CSPs to gauge how they meet known EUCS requirements. Consider switching to certified providers if necessary.
  • Allocate resources for achieving and maintaining EUCS certification, considering direct and indirect costs.
  • Streamline administrative processes related to certification to reduce complexity and improve efficiency.

Cyber Resilience Act (CRA)

The CRA focuses on cybersecurity requirements for products with digital elements, including hardware and software.

Why it matters:

The CRA mandates that manufacturers implement cybersecurity throughout the product lifecycle, from secure-by-design development to vulnerability handling during the support period (including maintaining a software bill of materials, providing security updates, and reporting actively exploited vulnerabilities). It also promotes transparency and accountability in the digital market.

Status:

The Cyber Resilience Act was approved by Parliament on 12 March 2024 and is awaiting formal adoption by the Council.

Challenges:

  • Product lifecycle management: Ensuring cybersecurity throughout the product lifecycle can be resource-intensive and complex, particularly for products whose remote data processing components (for example cloud back ends) fall within the CRA’s scope.
  • Compliance constraints: Following stringent security measures may be complex, especially for smaller companies with limited resources.

Strategic implications:

  • Leadership should prioritize compliance with new standards, viewing them as opportunities for competitive advantage.
  • Cybersecurity practitioners must update product development processes to incorporate security features and achieve CE marking.

What should I do:

  • Assess and update product development processes to incorporate security measures from the outset.
  • Engage with stakeholders, including suppliers and partners, to ensure compliance throughout the supply chain.
  • Track changes in the CRA’s requirements and the harmonised standards that support it, and adjust strategies accordingly.
  • Read Sysdig’s Point of View paper to gain unique insights into upgrading security technologies and infrastructure to meet CRA’s technical requirements.

Cyber Solidarity Act

The Cyber Solidarity Act aims to strengthen EU cyber resilience through a network of cross-border Security Operations Centres, a Cyber Emergency Mechanism backed by an EU Cybersecurity Reserve of trusted managed security service providers, and a mechanism for reviewing significant incidents. A companion amendment to the Cybersecurity Act enables European certification schemes for managed security services.

Why it matters:

It fosters collaboration among EU Member States to enhance threat detection and response capabilities, establishing a European cyber shield (named the European Cybersecurity Alert System in the agreed text) whose coverage includes cloud infrastructures.

Status:

The Cyber Solidarity Act reached a provisional agreement on 5 March 2024 and is awaiting formal approval by the Parliament and the Council.

Challenges:

  • Coordination Complexity: Coordinating efforts across many Member States and integrating various national systems can be complex and time-consuming.
  • Resource sharing: Ensuring fair resource sharing and access to cybersecurity services across the EU can be challenging, particularly for smaller Member States.

Strategic implications:

  • Leaders should advocate for participation in collaborative frameworks to benefit from shared resources and intelligence.
  • Cybersecurity teams should leverage increased access to trusted services and certifications to enhance security posture, focusing on cloud security.

What should I do:

  • Participate in EU-wide cybersecurity collaborations to gain access to shared resources and threat intelligence.
  • Leverage European certification schemes to enhance the organisation’s security posture and credibility.
  • Advocate for equitable access to cybersecurity resources and services across the EU.

These regulatory frameworks will impact businesses operating within the EU. C-level executives and cybersecurity practitioners must proactively adapt to these regulations to gain a competitive edge, particularly in the cloud domain.