Navigating the Evolving EU Cybersecurity Landscape


In recent years, the world of IT has been under attack. Data is worth more than gold and malicious actors are doing their best to steal or kidnap data to extort money. We have seen major impacts from such attacks affecting society – to the extent of risking lives. Because of this, the European Parliament has been focusing the last couple of years to strengthen cyber resiliency and minimize the risks for the region.  This climate change in IT is creating the perfect compliance storm within the EU – this would be my forecast on what is coming.

The Evolving Threat Environment

The introduction of all the directives (NIS2, CER, and DORA) signifies a paradigm shift toward more proactive risk management. The European Parliament’s commitment to ensuring a safer, more resilient Europe is clear. The regulations demand heightened cyber resilience and include non-compliance penalties. They signify a clear intent to safeguard critical and digital infrastructure. And compliance is essential for organizations operating in the EU. So what are the directives?

1. Critical Entities Resiliency (EU directive)

  • Enhancing the resiliency of critical entities in the EU to secure the delivery of services for vital society functions or economic activities.
  • The verticals in scope: Energy, Transport, Financial market infrastructure, Banking, Health, Water, Digital infrastructure, Public administration, Space, Food.
  • To be legislated in each EU member state before October 2024

2. CRA – Cyber Resiliency Act (EU regulation)

  • Cybersecurity requirements for hardware and software products with digital elements placed on the market of the European Union. 
  • Aims to safeguard consumers and businesses buying or using products or software with a digital component.
  • Manufactures are now obliged to take security seriously throughout a product's life cycle.
  • Enter into force early 2024 with a 3-year implementation time

3. DORA – Digital Operational Resiliency Act (EU regulation)

  • Minimize the cyber risks and strengthen the cyber resilience for the interconnected financial sector in the EU
  • Shift some focus from credit risk management to cyber risk management
  • ICT third party risk management
  • Standardized reporting and collaboration
  • Regulatory and implementation standards to follow will be developed by the European Supervisory Authorities (ESA’s)
  • Applies to all financial institutions such as banks, payment institutions, credit institutions, insurance companies, service providers and data centers to the financial market.
  • Enter into force January 16 2023, with a 2-year implementation time

4. NIS2 – Network and Information Services version 2 (EU directive)

  • High common level of cybersecurity across the Union
  • Strengthen the cyber resiliency for essential and important entities in the EU
  • Technical and operational measures to manage risks related to the security of network and information systems and minimize the impact of incidents
  • The following verticals will be in scope: Energy, Transport, Financial market infrastructure, Banking, Health, Water, Digital infrastructure, Public administration, Space, Food, Postal services, manufacturing,
  • To be legislated in each EU member state before October 2024

Why compliance is good for business?

Maybe your organization has gone through all the new regulations and directives that are on its way, and you found your organization not in scope for these requirements. Should you just sit back and relax? 

There is a reason for these requirements to exist; attacks will happen, major incidents will occur, and no one will check if you’re in scope before they attack you. Ask yourself if your organization would survive if you experienced a 60 day downtime of your IT services – it’s not uncommon that it takes this time to get back online. Cyber resilience is good for your business, it’s your lifeboat. 

What should you consider of doing?

As a first step you may start following the legislative process within the country you operate.

Check scoping, will you be affected? What are the exact requirements?

Make sure to get an understanding if your organization will be affected by the regulation. Start now with analyzing the impact for your business so you understand the requirements, and how to get compliant.

Are you a financial institution in scope for DORA? Make sure you start an internal project for DORA compliance as early as possible and start with scoping, GAP-analysis, process validation, reporting validation. Ensure your organization understands what the requirements will be and what you need to do.

Veritas can help with many of the requirements set out in the directive. We have supported compliance within the financial sector for decades, and we have the experience, solutions and certifications that you would expect from such an important vendor. Do not hesitate to involve us in your projects. We can help you to check the boxes on important requirements for your organizations cyber resilience

Magnus Mårtensson
Technical Sales Engineer, Nordics