EU To Adopt New Cybersecurity Regulations

On 22 March 2022, the European Union (EU) Commission published a proposal for new regulations that will establish common cybersecurity and information security measures across EU institutions, bodies, offices, and agencies. The aim is to harmonize cybersecurity practices across EU public administration and consolidate disparate processes. To this end, the regulations extend the remit of EU-CERT (renamed the Cybersecurity Center), as well as create a new Interinstitutional Cybersecurity Board to monitor and supervise implementation. The proposal is a result of concerns that arose during the pandemic, notably increased digitization, and the evolving threat landscape post-pandemic (especially remote IT servicing). But the proposal comes also at a time when security in general is back as a top priority within EU member states’ national agendas following Russia’s invasion of Ukraine. A politically destabilized Europe is facing its biggest existential threat since the second World War and tightening the bloc’s security (including cyber) will be a concern for at least the next decade. Security for its members, as well as the security consideration of new members (and in particular Ukraine who is actively lobbying to join the EU) will sustain cybersecurity initiatives and momentum going forward for some time.

Cybersecurity is adversarial in nature, and when the threat from the adversary is amplified as it is today, responses must be consequential. The EU has played a strong role in strengthening cybersecurity within the bloc and in member states in the past decade through acts, directives, and regulations, and by allocating increasing budget to its primary agencies dedicated to the cause (ENISA and CERT-EU, among others). But who oversees the overseer? There is no doubt that the EU needed to tame the growing network of processes, policies, and technologies being deployed across its public administration into a more cohesive and homogenous effort through oversight and an update to existing rules in the space. Not only does the regulation provide a harmonized baseline framework, but it helps to better define the roles and responsibilities, as well as accountability in the space.

Perhaps the most important impact of the new regulation is the expanded role of CERT-EU, which will serve as the cybersecurity coordination and incident response center for all EU organizations (each of which will be required to make annual financial contributions to CERT-EU to cover the costs of its new responsibilities). An estimated total of 68.4 million euros (not including said contributions) is earmarked for CERT-EU for the period between 2023 to 2027. As such, CERT-EU will not only provide computer emergency response and threat intelligence but will also become a central advisory body and a service provider to EU institutions.

The expanded role and rising priority of cybersecurity within the EU will undoubtedly trigger greater demand for services and products from the cybersecurity industry, with a strong preference for European-based providers and vendors likely. This prioritization is supported by the recent call by member states to reinforce the EU’s cybersecurity capacities through the establishment of an emergency fund (to be used in times of conflict, such as today). These calls advocate the importance of building European cyber resilience that is less dependent on foreign companies, which primarily were American and Chinese firms. With the upcoming finalization of the Network and Information Security 2 (NIS2) Directive this year, the pending European Cyber Resilience Act for the IoT, and the Digital Operational Resilience in the EU Financial Sector, it is clear that the European cybersecurity landscape is set to mature and progress quickly in the coming years driving strong demand in cybersecurity spending. The outlook for a Euro-centric cybersecurity industry is highly positive and promisingly lucrative.