EU Moves to Tighten Cybersecurity Rules as Digital Threats Intensify

Key Takeaways
  • Cybersecurity Act Revision: The European Commission plans to update the 2019 Cybersecurity Act to strengthen the EU’s ability to manage growing cyber and hybrid threats.
  • Stronger Supply Chain Security: The proposal targets risks linked to third-country suppliers while improving how digital products and services are certified for security across the EU.
  • Simpler Compliance for Firms: New measures aim to clarify jurisdictional rules and streamline ransomware reporting, making it easier for companies to meet cybersecurity obligations.
  • Enhanced ENISA Support: The EU Agency for Cybersecurity would be reinforced to help member states better prepare for and respond to cross-border cyber threats.
Deep Dive

The European Commission has unveiled a new package of measures aimed at strengthening the European Union’s cybersecurity resilience, as cyber and hybrid threats increasingly target essential services, businesses, and democratic institutions across the bloc.

At the centre of the proposal is a planned revision of the EU’s Cybersecurity Act, first adopted in 2019. The Act established a framework for EU-wide cybersecurity certification of digital products, services, and processes. The Commission now wants to update that framework to reflect the growing complexity of cyber risks and the EU’s expanding digital supply chains.

According to the Commission, the proposed changes would strengthen the security of Europe’s information and communication technology supply chains by reducing exposure to third-country suppliers that raise cybersecurity concerns. At the same time, the revision is intended to make EU cybersecurity certification more effective by clarifying existing rules and simplifying procedures under the European Cybersecurity Certification Framework. The aim is to ensure that digital products and services used by EU citizens are tested for security in a more consistent and efficient way.

Beyond the revision of the Cybersecurity Act, the Commission is proposing a set of complementary measures designed to ease compliance and improve operational readiness across the EU. These include simplifying jurisdictional rules to make it easier for companies to understand which cybersecurity obligations apply to them, as well as streamlining how data on ransomware attacks is collected and shared.

The proposals also seek to bolster the role of the EU’s cybersecurity agency, the EU Agency for Cybersecurity (ENISA). By reinforcing ENISA’s mandate and resources, the Commission says the agency will be better positioned to help EU countries anticipate, prepare for, and respond to common cyber threats, particularly those that cut across borders.

The legislative proposals will now move to the European Parliament and the Council of the European Union for discussion. If approved, the revised rules and accompanying measures would apply across all EU member states, further shaping how cybersecurity risks are managed as Europe’s digital footprint continues to grow.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.