Cybersecurity regulation what companies need to know

Learn about laws and regulations such as NIS2, CRA, RED and CSA and get support with implementation.

Process and participants

Law-making in the EU is carried out by three main institutions: the European Commission, the European Parliament and the Council of the European Union. The Commission has the sole right of initiative for legislative proposals, which it submits to Parliament and the Council for discussion and adoption. The legislative procedure includes several readings and, if necessary, a conciliation procedure to arrive at a final legal text.

Types of legal acts

The EU essentially uses two types of legal acts:

  • Regulations: They apply directly in all member states and do not need to be transposed into national law. They create uniform conditions across borders.
  • Directives: Directives set objectives that all EU countries must achieve but leave the choice of means and methods to national authorities. They require transposition into national law, allowing member states to consider local specificities.

In addition to these main legal acts, there are two other important types of acts, delegated acts and implementing acts, which serve to supplement or implement the main acts.

Both types of acts enable more flexible and efficient legislation by regulating technical details or implementation aspects without going through the full legislative process.

Distinction between delegated act and implementing act

To better understand the application of delegated acts and implementing acts, consider concrete examples from EU legislation:

  • Delegated act: A key example is the delegated act to the Radio Equipment Directive (RED). This act complements the RED with specific cybersecurity requirements for radio equipment. It specifies which product categories must meet certain security standards without changing the core text of the directive.
  • Delegated and implementing acts: The Cyber Resilience Act (CRA) foresees both delegated and implementing acts. Delegated acts could, for example, be used to update the list of highly critical products with digital elements. Implementing acts could be used to set harmonised conditions for carrying out market surveillance measures across all EU member states.

These examples show how the EU legal system can respond to technological developments and security requirements without having to run the full legislative process every time.

Relationship between standards and legislation

Standards are technical specifications that set requirements for products, services or procedures. Their application is usually voluntary unless specific laws or contracts require them. Standards are important to demonstrate the "state of the art" and to promote "best practices" in industry.

An overview of relevant norms and standards for cybersecurity can be found in our article Standards & norms.

The legislative procedure in detail

To understand the complexity of the legislative process in the European Union, it is important to look at the individual steps in detail. The steps are briefly described below:

  • Initiative: The Commission submits a proposal to Parliament and the Council. The proposal can also originate from member states, the European Court of Justice, the European Central Bank or the European Investment Bank.
  • First reading: Parliament and the Council examine the proposal. If both agree, the act is adopted.
  • Second reading: If no agreement is reached, a second reading takes place in which Parliament can accept or reject the Council's position. If no agreement is reached, a conciliation committee is convened.
  • Conciliation: The committee tries to find a compromise. If a joint text is agreed, there is a third reading.
  • Third reading: The joint text must be approved by Parliament and the Council. If approval fails, the proposal is rejected.

Significant regulation related to security

In the field of cybersecurity and data protection, the European Union has implemented several important regulations aimed at protecting both consumers and businesses. Here are some of the most relevant EU regulations:

Requirements for operators

The EU has implemented several important regulations that require operators of essential services and digital service providers to adopt stringent security measures and minimise risks.

  • General Data Protection Regulation (GDPR) - (EU) 2016/679: This regulation is the cornerstone of data protection law in the EU and aims to protect the personal data of individuals within the EU. It gives individuals more control over their personal data and ensures that companies processing this data meet strict requirements.
  • NIS (Network and Information Systems) Directive - (EU) 2016/1148: This directive was designed to ensure a high common level of security for network and information systems in the EU. It applies to operators of essential services and digital service providers, requiring appropriate security measures and incident reporting.
  • NIS 2 directive - (EU) 2022/2555: This directive updates and expands the original NIS directive to address new cybersecurity challenges. It broadens the scope and tightens security requirements for affected companies.
  • eIDAS regulation (Electronic Identification and Trust Services) - (EU) 910/2014: This regulation creates a European framework for electronic identification and trust services for electronic transactions within the single market. It ensures that electronic signatures, seals, timestamps and other trust services are recognised across borders.

Requirements for manufacturers and placing on the market

To ensure the security of products on the European market, the EU has introduced a number of regulations requiring manufacturers and distributors to implement comprehensive cybersecurity measures throughout the product lifecycle.

  • Cybersecurity Act - (EU) 2019/881: This act establishes a framework for cybersecurity certification in the EU and strengthens the mandate of the European Union Agency for Cybersecurity (ENISA). Its aim is to increase trust in the digital single market and improve the cybersecurity of products and services.
  • Cyber Resilience Act: This law aims to improve cybersecurity requirements for products with digital elements. It sets minimum cybersecurity standards and requires manufacturers to provide security updates and vulnerability management throughout the product lifecycle.
  • Radio Equipment Directive - (EU) 2014/53 and (EU) 2022/30: This directive ensures that radio equipment operates safely and without interference. The delegated regulation to the Radio Equipment Directive strengthens cybersecurity requirements for such devices.

In addition, the EU has adopted further sector-specific regulations:

  • Machinery Regulation - (EU) 2023/1230: This regulation sets safety requirements for machinery, including cybersecurity requirements for machines used in Industry 4.0 and other connected environments.
  • Medical Device Regulation - (EU) 2017/745: This regulation governs safety and performance requirements for medical devices, including cybersecurity requirements for connected medical devices.
  • In Vitro Diagnostic Regulation - (EU) 2017/746: This regulation sets requirements for the safety and performance of in vitro diagnostic devices, including cybersecurity requirements for these devices.
  • Marine Equipment Directive (MED) - 2014/90/EU: This directive sets requirements for ship equipment. It refers to the Unified Requirements (UR) of the International Association of Classification Societies (IACS), which among other things define the cyber resilience of onboard systems and equipment.

These regulations play a decisive role in shaping the security landscape in the EU by setting uniform standards and strengthening trust in digital and network-related activities.

Support for implementation

Cybersecurity requirements are increasing significantly in many industries, driven by EU legal acts such as the Cyber Resilience Act, the Radio Equipment Directive or the Machinery Regulation. For manufacturers this means that technical protective measures alone are no longer sufficient - processes, evidence and responsibilities must also be reviewed and adapted.

Secuvi supports companies in systematically understanding these regulations and putting them into practice. We help identify the actions relevant to your company, derive prioritised measures and design effective implementation - from the initial analysis to operational execution.

If you are wondering how to integrate European cybersecurity requirements into your product development and organisation, we accompany you with technical, regulatory and methodological expertise.

More information at: secuvi.com