Navigating the Evolving EU Cybersecurity Landscape

In recent years, the world of IT has been under attack. Data is worth more than gold and malicious actors are doing their best to steal or kidnap data to extort money. We have seen major impacts from such attacks affecting society – to the extent of risking lives. Because of this, the European Parliament has been focusing the last couple of years to strengthen cyber resiliency and minimize the risks for the region. This climate change in IT is creating the perfect compliance storm within the EU – this would be my forecast on what is coming.

The Evolving Threat Environment

The introduction of all the directives (NIS2, CER, and DORA) signifies a paradigm shift toward more proactive risk management. The European Parliament’s commitment to ensuring a safer, more resilient Europe is clear. The regulations demand heightened cyber resilience and include non-compliance penalties. They signify a clear intent to safeguard critical and digital infrastructure. And compliance is essential for organizations operating in the EU. So what are the directives?

1. Critical Entities Resiliency (EU directive)

• Enhancing the resiliency of critical entities in the EU to secure the delivery of services for vital society functions or economic activities.
• The verticals in scope: Energy, Transport, Financial market infrastructure, Banking, Health, Water, Digital infrastructure, Public administration, Space, Food.
• To be legislated in each EU member state before October 2024

2. CRA – Cyber Resiliency Act (EU regulation)

• Cybersecurity requirements for hardware and software products with digital elements placed on the market of the European Union.
• Aims to safeguard consumers and businesses buying or using products or software with a digital component.
• Manufactures are now obliged to take security seriously throughout a product's life cycle.
• Enter into force early 2024 with a 3-year implementation time

3. DORA – Digital Operational Resiliency Act (EU regulation)

• Minimize the cyber risks and strengthen the cyber resilience for the interconnected financial sector in the EU
• Shift some focus from credit risk management to cyber risk management
• ICT third party risk management
• Standardized reporting and collaboration
• Regulatory and implementation standards to follow will be developed by the European Supervisory Authorities (ESA’s)
• Applies to all financial institutions such as banks, payment institutions, credit institutions, insurance companies, service providers and data centers to the financial market.
• Enter into force January 16 2023, with a 2-year implementation time

4. NIS2 – Network and Information Services version 2 (EU directive)

• High common level of cybersecurity across the Union
• Strengthen the cyber resiliency for essential and important entities in the EU
• Technical and operational measures to manage risks related to the security of network and information systems and minimize the impact of incidents
• The following verticals will be in scope: Energy, Transport, Financial market infrastructure, Banking, Health, Water, Digital infrastructure, Public administration, Space, Food, Postal services, manufacturing,
• To be legislated in each EU member state before October 2024

Why is compliance good for business?

Compliance isn't just about rules—it's about protecting your business. Regulations like DORA, CRA, CER, and NIS2 help protect your organization from threats and keep operations running smoothly.

What should you consider doing?

Stay informed about laws in your country. Even if you think they don't apply now, they could affect you later. Start planning early to understand what you need to do to comply.

Are you a financial institution covered by DORA? Initiate an internal compliance project now to assess your regulatory alignment and identify any gaps. This will help ensure your ongoing regulatory resilience.

Arctera can help your organization comply with regulations by providing comprehensive data visibility, classification, and risk assessment tools. We have supported compliance within the financial sector for decades and have the experience, solutions, and certifications that you would expect from such an important vendor. Do not hesitate to involve us in your projects. We can help you meet these important requirements.