Cybersecurity Rules Tightening Across Europe in 2022

As cyberattacks in the European Union and United Kingdom have continued to increase by every measure — volume, type and impact — policymakers are rolling out initiatives to stop them on several fronts.

In December, the European Council approved the Network and Information Security 2 (NIS2) Directive, a major step toward revamping the current EU-wide framework for cybersecurity. When finalized in 2022, the new directive is expected to require more types of companies to take stronger cybersecurity measures, among other changes. Cloud service providers, for instance, would be considered providers of essential services, with more stringent requirements in areas such as encryption and governance.

Also in December, the UK government published the National Cyber Strategy 2022, calling it “a holistic, whole-of-society endeavor to improve UK resilience.”[1] A report in The Stack, a UK business technology publication, called it “an industrial strategy, a skills strategy, a national security strategy and a statement of increasingly active and interventionist intent by Her Majesty’s Government.”[2]

These and other cybersecurity policy initiatives are advancing in Europe amid mounting cyber risk to business and society. In the EU, “cybersecurity threats are on the rise … and the cybersecurity landscape has grown in terms of sophistication of attacks, their complexity and their impact,” according to the EU Agency for Cybersecurity (ENISA).^[3] In the UK, “while the threats came from a range of actors using an array of methods, they had one thing in common: they led to real-world impact,” according to the National Cyber Security Centre’s (NCSC) 2021 annual review.[4] “Life savings were stolen, critical and sensitive data was compromised, healthcare and public services were disrupted, and food and energy supply was affected.”

EU Cybersecurity Rules

NIS2 is complemented by national digital strategies and rules in the EU’s 27 member states, as well as more targeted EU legislation, including the General Data Protection Regulation (GDPR) for data privacy, the pending European Cyber Resilience Act for the Internet of Things (IoT)[5] and pending rules titled Digital Operational Resilience in the EU Financial Sector.[6] 

NIS2 and the GDPR are considered Europe’s two most important and far-reaching pieces of cybersecurity legislation.[7] The different measures can overlap. For example, while the headlines in 2021 focused on GDPR fines for companies’ mishandling of people’s data, fines were also issued to companies that failed to ensure cybersecurity.[8] 

NIS2 lays out requirements for national cybersecurity capabilities among EU member states, rules for cross-border cooperation and requirements for regulating providers of essential services. Draft NIS2 provisions for business regulation include:[9]

• Baseline cyber risk management measures.
• Reporting obligations.
• Remedies and sanctions for enforcement.
• An updated list of sectors and activities covered.
• Expanded coverage of midsize as well as large companies.

Sectors covered by the current draft include energy, transportation, financial services, healthcare, water, digital infrastructure, managed service providers (including managed security service providers), public administration, space launch services, postal and courier services, waste management, certain types of manufacturers, the food industry and digital providers, such as online marketplaces, search engines and social networking platforms.[10]   

The European Council, European Parliament and European Commission will be negotiating a final version of NIS2 in early 2022, with some observers predicting agreement by midyear. After that, member countries would have up to two years to incorporate the provisions into national law. 

UK Cybersecurity Rules

The UK’s National Cyber Strategy describes outcomes to achieve by 2025, including:

• Increase cybersecurity talent and innovation.
• Establish the country’s leadership as a global “cyber power.”
• Fend off adversaries.
• Help businesses maximize the economic benefit of digital technology with less risk.
• Protect citizens.

While the UK’s strategy does not provide many specifics about cybersecurity regulation, it does give a sense of direction: “The government has an important responsibility to advise and inform citizens, businesses and organizations what they need to do to protect themselves online. Where necessary this includes setting the standards we expect key companies and organizations to meet in order to protect all of us,” the document says.[11]

As in the rest of Europe, two focus areas for regulation in the UK are digital services and connected devices. “We will strengthen and expand the existing regulation of digital service providers,” according to the strategy, which also acknowledged a new bill recently introduced in Parliament to enforce minimum security standards for connected devices. 

Cybersecurity Best Practices

Companies covered by NIS2 should not wait until it is finalized to plan their compliance strategies, according to Koen Van Impe, a Belgian security researcher. “Although it has to go through legal approval rounds before being put into national laws, and slight changes can still occur, the bulk of the proposal will likely remain as written,” he said. “As such, you can take action now to get ready.”[12]

Similar counsel applies in the UK. One piece of advice for UK CISOs, from the EY management consulting firm, suggests that centralizing cybersecurity governance will be key to facing many new and changing cybersecurity regulations. “With the right tracking and oversight, organizations can get to a point where responding to myriad compliance requests is owned by one person and comes from one set of controls.”[13] 

ENISA has outlined what it considers best practices under European cybersecurity regulation, laying out specific steps against ransomware, email-related threats and other attacks. In the area of ransomware, which it described as the prime threat for 2021 to 2022, ENISA’s recommendations include:

• Secure and redundant backups.
• Audits of identity and access management.
• Awareness training.
• Separation of development and production environments.
• Information sharing on incidents with authorities and the industry.
• Readiness assessments.
• Response and recovery plans.
• Utilization of security technologies proven to mitigate ransomware.
• Continual monitoring.

The Bottom Line

The EU and UK are advancing strategies to strengthen cyber defenses across Europe. Companies will need to factor many new measures into their planning for the next few years to comply with a significantly shifting regulatory landscape. 

[1] “National Cyber Strategy 2022,” UK Government

[2] “’A Rapid and Radical Overhaul’ — 10 Key Insights into UK’s Strikingly Bullish New National Cybersecurity Strategy,” The Stack

[3] “ENISA Threat Landscape 2021,” EU Agency for Cybersecurity

[4] “NCSC Annual Review 2021,” National Cyber Security Centre

[5] “How a European Cyber Resilience Act Will Help Protect Europe,” European Commission

[6] “ISACA Provides Guidance Around EU’s Proposed Digital Operational Resilience Act,” ISACA

[7] “The European Union, Cybersecurity, and the Financial Sector: A Primer,” Carnegie Endowment for International Peace

[8] “GDPR Enforcement Tracker,” CMS

[9] “Strengthening EU-wide Cybersecurity and Resilience — Council Agrees Its Position,” European Council

[10] “Proposal for a Directive of the European Parliament and of the Council on Measures for a High Common Level of Cybersecurity Across the Union,” European Council

[11] “National Cyber Strategy 2022,” UK Government

[12] “Cyber Resilience Strategy Changes You Should Know in the EU’s Digital Decade,” Security Intelligence

[13] “How UK CISOs Should Prepare for a New Era of Growth,” EY