Cybersecurity –
EU directives and legal requirements
Legal requirements for cybersecurity:
In an increasingly globalized and digital world, the European Union (EU) considers cybersecurity a priority. Therefore, it introduced a number of legal requirements aimed at ensuring the protection of personal data, digital infrastructure and preventing cyberattacks.
Key legal acts include EU regulations such as:
CER Directive (Critical Entity Resilience Directive)
It entered into force in 2022 and replaced the 2008 Critical Infrastructure Directive. The CER directive aims to strengthen digital protection in the EU region. It imposes obligations on digital service operators and suppliers of digital products and services in the field of IT security. It also aims to improve cooperation between Member States in responding to cyberattacks and preventing cyber incidents. The CER Directive aims to increase the EU’s digital security and strengthen its position as a leader in cybersecurity.
Directive on the security of network and information systems (NIS2)
Is an EU initiative aimed at increasing the European Union’s resilience to cyber threats by establishing a legal framework for cybersecurity at the level of Member States.
The original NIS Directive, adopted in 2016, was the first step in harmonizing cybersecurity regulations across the EU. This directive imposed obligations on Member States to identify entities operating in key sectors and the provision of digital services and required them to apply specific security standards.
The NIS 2 Directive continues these efforts and develops the legal framework to better secure the EU’s digital infrastructure. Key elements of the NIS 2 Directive may include:
Extension of the adjustment range
The NIS 2 Directive may expand the scope of entities regulated to include new sectors that are considered key to the functioning of the economy and society.
Strengthening security requirements
The directive may introduce stricter security requirements for regulated entities, requiring them to apply specific IT security measures.
Collaboration and information exchange
The NIS 2 Directive may also include provisions on cooperation between Member States on cybersecurity and the exchange of information on cyber threats and incidents.
Increased sanctions
The directive may introduce increased sanctions for entities violating cybersecurity rules to increase the effectiveness of enforcement.
The purpose of the NIS 2 Directive is to increase the European Union’s resilience to cyber threats and to ensure the coherence and effectiveness of Member States’ actions in the field of cybersecurity. Through these actions, the EU aims to improve the digital security of its citizens, companies and institutions.
ISO/IEC 27001 Safety Certificate
General Data Protection Regulation (GDPR)
Although the GDPR is not directly a directive but a regulation, it is the key legal act of the European Union regarding the protection of personal data. It establishes principles for the processing of personal data and obligations for entities processing such data, including in the context of cybersecurity.
Directive on Attacks against Information Systems
Is a different cybersecurity directive that focuses on combating attacks on information systems, including hacking, computer-related crime and other cybercrime-related activities.
Civil Protection Directive
Is a directive covers crisis management and response measures that may be related to cybersecurity, such as cyber attacks on critical infrastructure.
Directive on Patients’ Rights in cross-border healthcare
Although this directive is not directly related to cybersecurity, it is important in the context of protecting patients’ medical data, which in the digital era is becoming increasingly at risk of security breaches.
Certyfikat bezpieczeństwa w służbie zdrowia
These directives and regulations are part of the European Union’s broader legal agenda to ensure digital security, protect personal data and respond to threats related to cybercrime and attacks on information infrastructure. Their goal is to increase the European Union’s resilience to cyber threats and improve the digital security of citizens, companies and institutions.
