Cybersecurity has a prominent role in several EU legal instruments, often cited as an explicit obligation or as a requirement for building trust. As cyber threats have been growing in number and sophistication through the years, the expansion of legislation is essential to continue progress towards a higher level of cybersecurity.
Over the past few years, several significant legislative developments have taken place. After the entry into force of the Directive (EU) 2016/1148 (NIS Directive) in 2016 and the Cybersecurity Act4 in 2019, a major policy milestone at EU level was the EU Cybersecurity Strategy (published on 16 December 2020). Several regulatory measures have been taken since then, with important new legislation being put in place to complement the EU cybersecurity framework.
ENISA has taken an engineering approach to analysing legal obligations and translating them into technical requirements and advises Member States on upgrading security measures related to current and future EU legislation aimed at protecting cross-border internal market transactions of goods and services.
Working closely with policy experts, ENISA brings vision and state-of-the-art experience to help counteract or hinder threats to the supply chains of goods and services. It also helps facilitate a swifter understanding of legislative impacts on upgrading and aligning cybersecurity measures across the borders of the internal market.
On key specific existing laws (e.g., EECC, eIDAS, GDPR) and draft legislation, ENISA is well placed to advise Member States bodies on bringing their policies up to date and closer to EU-wide voluntary harmonisation.
The NIS2 Directive
The NIS2 Directive (EU 2022/2555) entered into force, replacing Directive (EU) 2016/1148. The NIS2 aims to achieve a high level of cybersecurity in Europe, and has a focus on increasing the resilience of the EU’s critical sectors. ENISA supports the European Commission and the Member States with the implementation of the NIS2 and its transposition in the national law. ENISA has contributed to the drafting of technical advice to the Commission on the NIS2 implementing rules for security measures and incident reporting for the digital infrastructure entities. Additionally, ENISA is developing technical guidance to support EU Member States and entities with the implementation of the technical and methodological requirements of the NIS2 cybersecurity risk-management measures outlined in the Commission Implementing Regulation (EU) 2024/2690 of 17.10.2024.