Introduction

In a recent article published in Pravna Praksa, our colleagues Jasmin Dizdarević and Nikša Maletić explore the ever-evolving landscape of EU cybersecurity legislation. In an era of increasing cyber threats and digitalization, cybersecurity has become a top priority for the European Union. To enhance digital resilience and protect both public and private entities, the EU has established a comprehensive regulatory framework. This blog post provides an overview of the key legislative initiatives shaping cybersecurity in the EU today by recapping the published article.

Key EU Cybersecurity Regulations

  1. EU Cybersecurity Act strengthens the mandate of the European Union Agency for Cybersecurity (ENISA) and establishes an EU-wide cybersecurity certification framework. ENISA plays a crucial advisory role, conducting cybersecurity exercises and issuing guidelines to reduce regulatory fragmentation. The first certification scheme will take effect in February 2025, covering ICT products and services, with additional schemes in development for AI, cloud computing, 5G, and managed services.
  2. NIS2 Directive replaced its predecessor by enhancing cybersecurity requirements for critical sectors and mandating a coordinated approach to incident reporting and risk management. It applies to entities in energy, transport, banking, healthcare, digital infrastructure, and other essential industries. Obligations include risk analysis, incident management, security backups, supply chain security, and multi-factor authentication. EU member states must implement NIS2 by October 2024, but as of early 2025, several have yet to do so.
  3. Digital Operational Resilience Act (DORA) focuses on the financial sector by introducing stringent risk management requirements for ICT providers serving financial institutions. It covers banks, payment institutions, crypto service providers, and credit agencies. Key provisions include ICT risk management, incident reporting, resilience testing, and oversight of third-party service providers. Financial institutions must report major ICT incidents within 24 hours and provide detailed follow-up reports within 72 hours and one month, respectively. DORA took full effect in January 2025.
  4. Cyber Resilience Act (CRA) was adopted in October 2024 and aims to strengthen cybersecurity for digital products by enforcing security-by-design principles throughout their lifecycle. It mandates that manufacturers and service providers ensure products are free from significant vulnerabilities, offer secure configurations, and support security updates. It applies to all digital products marketed in the EU, including smart devices and cloud services. Compliance includes mandatory reporting of exploited vulnerabilities to ENISA and national CSIRTs.
  5. Critical Entities Resilience (CER) Directive focuses on enhancing the resilience of critical infrastructure sectors such as energy, transport, water, healthcare, and finance. It requires member states to identify critical entities, assess risks, and implement protective measures. CER ensures that these entities can withstand and recover from disruptions, whether caused by cyber incidents, natural disasters, or security threats. Slovenia was among the first EU nations to implement CER through its Critical Infrastructure Act.

Conclusion

The EU continues to refine its cybersecurity landscape, integrating legal, technical, and financial measures to build a secure digital ecosystem. Beyond regulation and certification, significant investments are being made through initiatives like NextGenerationEU, which supports economic recovery and digital resilience. Additionally, the proposed Joint Cyber Unit aims to coordinate the EU’s response to large-scale cyber incidents, further strengthening Europe’s cybersecurity posture.