Our Locations

41 Devonshire Street, Ground Floor, London, United Kingdom,

Phone Number

+442037690496

Email Address

info@itc-cert.co.uk

Information Technology

Home > Information Technology

Information Technology

In Europe, cybersecurity is governed by regulations that aim to protect personal data, ensure the resilience of critical infrastructures and defend organizations from cyberattacks. The main European regulations and directives on cybersecurity are explained below.

The General Data Protection Regulation, known as GDPR, came into force on 25 May 2018. It regulates the processing and protection of personal data within the EU, and also applies to non-European organizations that process data of EU citizens.

Main Requirements:

  • Protection of personal data: obligation to implement security measures to safeguard personal data.
  • Consent: explicit request for consent to process data.
  • Right to be forgotten and data portability.
  • Notification of breaches: obligation to notify data breaches within 72 hours.
  • Penalties: Violations can result in fines of up to 4% of a company’s global annual turnover or up to €20 million.

The NIS Directive, adopted in 2016, was the first European regulation specifically aimed at the security of network and information systems. It applies to operators of essential services (such as energy, transport, healthcare, finance) and digital service providers (search engines, online platforms, cloud services).

Main Requirements:

  • Implementation of appropriate security measures to ensure a high level of security of network and information systems.
  • Obligation to notify significant security incidents.
  • Recent Developments: It has recently been updated with the **NIS2 Directive** (approved in 2022 and planned for implementation in 2024) to extend the obligations to more sectors and introduce more stringent security requirements.

The NIS Directive, in force since 2018, is the first European regulation specifically dedicated to the security of network and information systems. It applies to critical infrastructure, digital service providers and key sectors such as energy, transport and health.

Key objectives:

  • Strengthen the EU’s cyber resilience, improve cooperation between Member States and increase the security of essential operators and digital service providers.
  • Recent developments: The NIS Directive 2, expected in 2024, will further strengthen security obligations and broaden the scope of the regulation.

Entered into force in 2019, the Cybersecurity Act establishes a European framework for the certification of cybersecurity of ICT (information and communication technologies) products, services and processes.

Main Requirements:

  • European cybersecurity certification system that creates a common standard to certify the level of security of products and services.
  • Strengthening the role of ENISA, the European Union Agency for Cybersecurity, whose mission is to support member countries in risk management and in preparing and responding to incidents.
  • Objective: Increase consumer trust and improve the security of critical infrastructure and digital tools across the EU.

The eIDAS Regulation, which entered into force in 2014, regulates electronic identification and trust services for electronic transactions in the EU, such as electronic signatures, electronic seals and authentication services.

Key Requirements:

  • Sets standards for qualified electronic signatures and electronic seals, providing legal value.
  • Creation of a single European market for electronic identification services.
  • Impact on Cybersecurity: Ensures the authenticity, integrity and security of electronic transactions, reducing the risks associated with digital fraud.

The second Payment Services Directive (PSD2), in force since 2018, applies to financial transactions and establishes requirements to protect consumers in the context of online payments.

Key Requirements:

  • Strong Customer Authentication (SCA): Requires two-factor authentication methods to protect online transactions.
  • Open Banking: Gives customers more control over their financial data and allows authorized third parties to access banking data with the customer’s consent.
  • Impact on Cybersecurity: Strengthens the security of online payments and financial information to reduce fraud and risk.

The Data Governance Act, proposed in 2020 and adopted in 2022, is part of the European data strategy and establishes a framework for safer data management across the EU.

Key Requirements:

  • Creation of a European market for data, promoting safe data sharing between public and private entities.
  • Clear and transparent rules for data intermediation service providers.
  • Impact on Cybersecurity: Promotes safe data management, with a focus on privacy protection and security during data transfer.

The DORA is a European regulation, approved in 2022, aimed at the digital operational resilience of the financial sector. It comes into force in 2025 and aims to ensure that financial institutions can withstand and respond to cyber attacks and technology incidents.

Key Requirements:

  • Requires financial institutions to adopt ICT risk management practices.
  • Introduces obligations to monitor and report ICT incidents and requires providers of critical services to meet high security standards.
  • Impact on Cybersecurity: Strengthens the cybersecurity of the financial sector, improving the protection of sensitive data and reducing the risk of disruptions.

The new European Cybersecurity Strategy, published in 2020, is based on a set of strategic measures to improve cybersecurity in Europe. It includes proposals to update the NIS Directive and strengthen collaboration between Member States.

Objectives:

  • Strengthen the resilience of critical infrastructures and strategic assets.
  • Better protect European citizens online and promote cybersecurity that safeguards fundamental rights and freedoms.
  • Impact: The strategy provides a roadmap to address cyber threats in a coordinated way and supports cooperation and resource sharing between Member States.

The CER Directive, approved in 2022, updates and expands the previous legislation on critical infrastructure. It aims to strengthen the resilience of entities providing essential services, such as water, transport and health, for which cybersecurity is essential.

Key Requirements:

  • Obligation to assess and manage security risks, including cyber risks, and to notify significant incidents.
  • Requires the creation of business continuity and incident response plans for critical entities.
  • Impact on Cybersecurity: Improves the protection of critical infrastructure, which are often targets of sophisticated cyber attacks.

These European regulations provide a comprehensive and structured framework to protect data, critical infrastructures and information systems, helping to build a digital society that is safe, resilient and respectful of the privacy of European citizens.

Associated with

Contact Us