
Pooja Mohnani, Eurescom GmbH
Anastasius Gavras, Eurescom GmbH
The European Union has established a comprehensive cybersecurity framework to strengthen digital resilience, protect citizens and businesses, and foster trust in the digital economy. With increasing cyber threats, the EU has adopted key legislative acts and created specialized institutions to ensure a coordinated and high-level response across all member states. Major initiatives include the EU Cybersecurity Act, the Cyber Resilience Act (CRA), and the NIS 2 Directive, supported by agencies and networks such as ENISA, CERT-EU, EU-CyCLONe, and the European Cybersecurity Competence Centre (ECCC). Together, these instruments form the foundation of the EU’s strategy to safeguard its digital future.
EU Cybersecurity Act
The EU Cybersecurity Act (Regulation (EU) 2019/881) aims to enhance cybersecurity across the Union by setting high standards and promoting cooperation among member states and stakeholders.
Strengthened ENISA: The Act grants the European Union Agency for Cybersecurity (ENISA) a permanent mandate, reinforcing its role in supporting EU institutions and member states in improving cybersecurity capabilities, responding to incidents, and coordinating crisis management.
Cybersecurity Certification Framework: It introduces a European framework for cybersecurity certification of ICT products, services, and processes. This ensures consistent standards across the internal market, reducing fragmentation and increasing trust in digital solutions.
Support and Cooperation: ENISA assists national authorities, promotes capacity building, and facilitates operational cooperation. It also contributes to developing and implementing EU cybersecurity policies and legislation.
Public Awareness and Education: The Act emphasizes raising awareness about cyber risks, promoting education and best practices to strengthen the cybersecurity culture within the EU.
International Cooperation: ENISA represents the EU in international cybersecurity discussions and partnerships, ensuring alignment with global standards and enhancing collective resilience.
EU Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA), which entered into force on December 10, 2024, aims to improve the cybersecurity of products with digital elements. Its main obligations will apply from December 11, 2027.
Scope: The CRA applies to all hardware and software products sold in the EU, from smart home devices to industrial systems.
Security Requirements: It establishes mandatory cybersecurity obligations covering the entire product lifecycle—from design and development to maintenance and disposal—ensuring continuous protection.
Conformity Assessment: Products must undergo cybersecurity evaluations before being placed on the market. High-risk products require stricter assessments and CE marking to demonstrate compliance.
Vulnerability Reporting: Manufacturers must report serious vulnerabilities and incidents to national authorities and CERT-EU, ensuring transparency and rapid mitigation.
Lifecycle Security: Vendors are required to provide security updates for at least five years or for the product’s operational lifespan, whichever is shorter.
Exemptions: Certain categories, such as non-commercial open-source software or devices regulated under other sector-specific laws (e.g., medical or aviation), are exempt from CRA requirements.
Network and Information Systems Directive (NIS 2)
The NIS 2 Directive (Directive (EU) 2022/2555) updates and strengthens the EU’s first cybersecurity law (NIS 1). Adopted on December 14, 2022, it must be transposed by member states by October 17, 2024.
Broader Scope: NIS 2 expands coverage to include more sectors, such as energy, transport, public communications, and digital infrastructure.
Enhanced Security Requirements: Entities must implement robust risk management measures, incident reporting, and business continuity plans.
Improved Cooperation: It establishes the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) to enhance coordination and information exchange during large-scale cyber incidents.
Stronger Enforcement: The directive introduces harmonized penalties and supervisory powers to ensure consistent enforcement.
Supply Chain Security: Organizations must assess and secure their supply chains, ensuring third-party providers comply with cybersecurity standards.
European Union Agency for Cybersecurity (ENISA)
ENISA is the EU’s core agency for cybersecurity, established in 2004 and strengthened by the Cybersecurity Act. Its mission is to achieve a high level of cybersecurity across Europe by supporting policy implementation, capacity building, and cooperation.
Key Functions:
• Policy Development: Advises on EU cybersecurity legislation and policy frameworks.
• Certification: Develops and manages EU cybersecurity certification schemes.
• Incident Response: Supports member states and EU bodies during major incidents.
• Capacity Building: Provides training, expertise, and best practices.
• Operational Cooperation: Facilitates collaboration among stakeholders.
• Awareness Raising: Promotes cybersecurity education and best practices.
Computer Emergency Response Team (CERT-EU)
CERT-EU protects EU institutions, agencies, and bodies from cyber threats.
Functions:
• Incident Response: Detects, analyzes, and mitigates cyber incidents.
• Coordination: Ensures joint responses between national and institutional teams.
• Information Sharing: Provides intelligence on vulnerabilities and threats.
• Crisis Management: Supports large-scale cybersecurity crisis response and recovery.
European Cyber Crisis Liaison Organisation Network (EU-CyCLONe)
EU-CyCLONe enhances coordination during major cross-border cybersecurity incidents.
Main Roles:
• Coordinated Management: Ensures operational cooperation among EU states and institutions.
• Preparedness: Develops joint situational awareness and response strategies.
• Decision Support: Provides information to political-level decision-makers during crises.
ENISA serves as the secretariat, ensuring technical and operational support.
European Cybersecurity Competence Centre (ECCC)
Headquartered in Bucharest, Romania, the ECCC aims to strengthen Europe’s cybersecurity capabilities and industrial competitiveness.
Objectives:
• Build cybersecurity capacity and foster a strong European cybersecurity community.
• Support innovation and industrial policy through collaboration with National Coordination Centres (NCCs).
• Enhance the EU’s technological sovereignty and leadership.
The ECCC coordinates funding from Horizon Europe and the Digital Europe Programme, aligning research, innovation, and deployment efforts across Europe.
Digital Operational Resilience Act (DORA)
The DORA Regulation, effective January 17, 2025, reinforces the financial sector’s ability to withstand ICT-related disruptions.
Key Areas:
• ICT Risk Management: Requires robust frameworks for managing ICT risks.
• Third-Party Risk: Imposes oversight on critical ICT service providers.
• Incident Reporting: Mandates timely reporting of significant incidents.
• Resilience Testing: Introduces regular testing of digital operational resilience.
• Information Sharing: Encourages intelligence exchange among financial institutions and authorities.
European Cyber Security Organisation (ECSO)
Founded in 2016, ECSO is a public–private partnership aimed at developing a competitive European cybersecurity industry.
Strategic Goals:
• Strengthen Europe’s digital sovereignty.
• Enhance societal and economic cyber resilience.
• Foster collaboration among public and private stakeholders.
Activities:
• Contributing to EU policy development.
• Supporting innovation, R&D, and market growth for cybersecurity solutions.
• Promoting education and skills initiatives.
• Facilitating international cooperation.
Public-Private Partnership on Cybersecurity (cPPP)
Launched by the European Commission in 2016, the cPPP aimed to strengthen cybersecurity collaboration and innovation in Europe. It supported R&D under Horizon 2020, fostering cooperation between industry, academia, and public authorities. The initiative laid the foundation for ongoing partnerships such as ECSO and the ECCC, continuing to drive cybersecurity research and capacity building across the EU.
Funding Opportunities and the European Defence Fund (EDF)
Horizon Europe funds cybersecurity R&I projects through Cluster 3 – Civil Security for Society, supporting initiatives in cyber resilience, AI security, and privacy protection.
The European Defence Fund (EDF) complements these efforts by financing defence-oriented cybersecurity projects, including cyber defence capabilities, situational awareness, secure communications, and AI-based threat detection, thereby strengthening the EU’s cyber defence posture.
Conclusion
Through a combination of robust legislation, specialized agencies, and strategic partnerships, the European Union has built one of the most comprehensive cybersecurity frameworks in the world. The coordinated efforts of ENISA, CERT-EU, EU-CyCLONe, and the ECCC, supported by initiatives like DORA, ECSO, and Horizon Europe, ensure that Europe’s digital infrastructure remains secure, resilient, and innovative—ready to meet the cybersecurity challenges of the future.
