Cybersecurity in the EU: Milestones, Challenges, and the Road Ahead

The past year has brought several significant developments at EU level both in the Cybercrime and Cybersecurity field.

The adoption of the European Commission’s flagship project, the e-Evidence Regulation, in the summer of 2023, was a significant milestone given the ongoing discussions on the topic since 2017. For the first time, law enforcement authorities will now be able to directly address service providers established on the territory of a different Member State. The focus will now be on the technical implementation of the Regulation in the Member States, where new challenges will be posed by the EU-wide harmonisation of the national technical platforms for the secure exchange of data between law enforcement authorities and service providers via a decentralised IT-system.

Another central topic is the importance of encryption. The initial proposal on the Regulation to combat child sexual abuse stipulated detection measures that would have significantly undermined the use of end-to-end encryption in communication services. This provoked a huge wave of criticism showing that secure communications are also important to the broader public. This response ultimately led the European Parliament to explicitly exclude end-to-end encrypted communications from the scope of the Regulation.

At EU Member State level, the implementation of the NIS-2-Directive is still ongoing and will require substantial efforts by the affected companies, especially those that have not been subject to any cybersecurity requirements until now. On the other hand, providers of electronic communication networks and services are already under a sector-specific security regime as part of the European Electronic Communication Code. It will therefore be important that the national implementation of the NIS-2-Directive take into account the already existing security concepts in this sector and only stipulate additional measures where these would in fact lead to a higher level of security.

A political agreement on the Cyber Resilience Act has been reached, which harmonises cybersecurity standards for products and software with digital components and will also assist providers under the NIS-2-Directive to ensure supply chain security. Finally, it must be noted that the enormous frequency of new legal acts in the field of cybersecurity in recent years poses major challenges for the companies affected by them, as their internal processes must constantly be adapted, and it is often hard to find the necessary skilled workers to implement new requirements. With this in mind, along with the new mandate coming up this year, the focus of the upcoming European Commission should be on the smooth implementation of these legal acts rather than on new proposals.