- Credits
- Applicability to your business
- More info on the list below
- Difference between EU Directive and EU Regulation
- EU primary law
- Regulations and directives
- GDPR Regulation
- The NIS 2 Directive
- The Digital Operational Resilience Act (DORA) – Financial sector
- The Critical Entities Resilience Directive (CER)
- EU Digital Services Act (DSA)
- EU Digital Markets Act (DMA)
- Directive on attacks against information systems
- European Data Governance Act (DGA)
- European ePrivacy directive
- European Cyber Defence Policy
- EU Cyber Diplomacy Toolbox
- Cybersecurity Act (EU 881 / 2019)
- Cybersecurity services for Radio Equipment Directive (RED)
- Medical Devices Regulation
- eIDAS Regulation (see Art 19(1))
- Digital Content Directive (DCD) (see Arts 7 and 8)
- European Communications Code (ECC) (see Art 40(1))
- Regulation 2021/887 establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres
- Intelligent Transport Systems (ITS) directive (2010/40/EU)
- EU strategy documents
- Recommendations
- Other proposed and upcoming acts
- Some more great stuff
- Your feedback and suggestions
Credits
Georg Philip Krog started a post on LinkedIn with an interesting overview of EU policies, directives and regulations…
While the post is still under development (and growing), it might be useful to have some more information on the list that Georg Philip created.
Furthermore, the original list is not clear on which legislation is in force and which is still in proposal / draft state.
Applicability to your business
Please consider that many of the rules and regulations below might apply directly to your business.
If not, then you might be impacted indirectly via the supply chain, where your customer or supplier is impacted by the legislation. In that case, it’s very likely that you will be forced to apply the rules by delegation or by obligation of your customer/supplier.
In many cases, supply chain security will impose these rules on you, one way or another. Be ready.
The chapters below contain, in most cases, a short description or an extract of the introduction, so you can evaluate
- what the act is about and
- whether it applies to your business
More info on the list below
The list below does not keep the same ordering as Georg Philip’s original post.
It is split into
- laws, regulations and directives focusing on cybersecurity
- strategy documents & EU policies
- proposed (not yet active) laws
Difference between EU Directive and EU Regulation
Source: https://european-union.europa.eu/institutions-law-budget/law/types-legislation_en
A “regulation” is a binding legislative act. It must be applied in its entirety across the EU.
For example: GDPR (General Data Protection Regulation).
A “directive” is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.
EU primary law
CFREU (Charter of Fundamental Rights of the EU)
Reference by Georg Philip: Articles 7 and 8 CFREU
Article 7 – Respect for private and family life
“1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
Article 8 – Protection of personal data
“1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.”
Source:
- http://fra.europa.eu/en/eu-charter/article/7-respect-private-and-family-life
- http://fra.europa.eu/en/eu-charter/article/8-protection-personal-data
ECHR (European Convention on Human Rights)
Art 8 ECHR:
Source: Guide on Article 8 of the European Convention on Human Rights
Regulations and directives
GDPR Regulation
Code number: Regulation 2016/679
Source: https://eur-lex.europa.eu/eli/reg/2016/679/oj
The NIS 2 Directive
Code number: EU Directive 2022/2555
Source: https://eur-lex.europa.eu/eli/dir/2022/2555/oj
Important note: the NIS 2 Directive repeals NIS (now also called NIS 1).
The NIS 1 Directive (repealed by NIS 2)
Code number: Directive 2016/1148
Source: http://data.europa.eu/eli/dir/2016/1148/oj
The Digital Operational Resilience Act (DORA) – Financial sector
Code name: EU Directive 2022/2554
Source: https://eur-lex.europa.eu/eli/reg/2022/2554/oj
DORA = digital operational resilience for the financial sector
More info and interesting reads:
The Critical Entities Resilience Directive (CER)
Code name: EU Directive 2022/2557
Source: http://data.europa.eu/eli/dir/2022/2557/oj
EU Digital Services Act (DSA)
Code: Regulation 2022/2065
Source: http://data.europa.eu/eli/reg/2022/2065/oj
More Info: https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package
“The Digital Services Act (DSA) and the Digital Market Act (DMA) form a single set of rules that apply across the whole EU. They have two main goals:
- to create a safer digital space in which the fundamental rights of all users of digital services are protected;
- to establish a level playing field to foster innovation, growth, and competitiveness, both in the European Single Market and globally.”
EU Digital Markets Act (DMA)
Code: Directive 2020/1828
Source: https://eur-lex.europa.eu/eli/dir/2020/1828/oj
“The Digital Markets Act (DMA) establishes a set of narrowly defined objective criteria for qualifying a large online platform as a so-called “gatekeeper”. This allows the DMA to remain well targeted to the problem that it aims to tackle as regards large, systemic online platforms.
These criteria will be met if a company:
- has a strong economic position, significant impact on the internal market and is active in multiple EU countries
- has a strong intermediation position, meaning that it links a large user base to a large number of businesses
- has (or is about to have) an entrenched and durable position in the market, meaning that it is stable over time if the company met the two criteria above in each of the last three financial years”
Directive on attacks against information systems
Code number: Directive 2013/40/EU
Source: https://eur-lex.europa.eu/eli/dir/2013/40/oj
European Data Governance Act (DGA)
Code number: Regulation (EU) 2022/868
Source: http://data.europa.eu/eli/reg/2022/868/oj
More info : https://digital-strategy.ec.europa.eu/en/policies/data-governance-act
Article 1
“1. This Regulation lays down:
(a) conditions for the re-use, within the Union, of certain categories of data held by public sector bodies;
(b) a notification and supervisory framework for the provision of data intermediation services;
(c) a framework for voluntary registration of entities which collect and process data made available for altruistic purposes; and
(d) a framework for the establishment of a European Data Innovation Board.”
European ePrivacy directive
Original Code number: Directive 2002/58/EC
Source: http://data.europa.eu/eli/dir/2002/58/oj
Amended by:
- Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 (Text with EEA relevance)
- Corrigendum, OJ L 241, 10.9.2013, p. 9 (2009/136)
Current consolidated version (updated 2009): http://data.europa.eu/eli/dir/2002/58/2009-12-19
European Cyber Defence Policy
Source: https://ec.europa.eu/commission/presscorner/detail/en/ip_22_6642
EU Cyber Diplomacy Toolbox
https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2020)651937
https://www.consilium.europa.eu/en/press/press-releases/2017/06/19/cyber-diplomacy-toolbox/
Cybersecurity Act (EU 881 / 2019)
Code: Regulation (EU) 2019/881
Source: http://data.europa.eu/eli/reg/2019/881/oj
Cybersecurity services for Radio Equipment Directive (RED)
Code name: Directive 2014/53/EU
Source: http://data.europa.eu/eli/dir/2014/53/oj
Medical Devices Regulation
(see Art 10(1), together with paragraph 17(2) in Annex I)
Code: Regulation (EU) 2017/745
Source: http://data.europa.eu/eli/reg/2017/745/oj
eIDAS Regulation (see Art 19(1))
Code name: Regulation 910/2014
eIDAS = Regulation on electronic identification and trust services
Source: https://eur-lex.europa.eu/eli/reg/2014/910/oj
Digital Content Directive (DCD) (see Arts 7 and 8)
Code name: Directive (EU) 2019/770
Source: http://data.europa.eu/eli/dir/2019/770/oj
European Communications Code (ECC) (see Art 40(1))
Code: Directive 2018/1972
Source: http://data.europa.eu/eli/dir/2018/1972/oj
Regulation 2021/887 establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres
Source: https://eur-lex.europa.eu/eli/reg/2021/887/oj
Special reference by Georg Philip: Art 4(2)(b)
“Article 4
Objectives of the Competence Centre
1. The Competence Centre shall have the overall objective of promoting research, innovation and deployment in the area of cybersecurity in order to fulfil the mission as set out in Article 3.
2. The Competence Centre shall have the following specific objectives:
(a) enhancing cybersecurity capacities, capabilities, knowledge and infrastructure for the benefit of industry, in particular SMEs, research communities, the public sector and civil society, as appropriate;
(b) promoting cybersecurity resilience, the uptake of cybersecurity best practices, the principle of security by design, and the certification of the security of digital products and services, in a manner that complements the efforts of other public entities;
(c) contributing to a strong European cybersecurity ecosystem which brings together all relevant stakeholders”
Intelligent Transport Systems (ITS) directive (2010/40/EU)
Under revision (2021/0419(COD)): https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=COM%3A2021%3A813%3AFIN
Code: Directive 2010/40/EU
Source: http://data.europa.eu/eli/dir/2010/40/oj
EU strategy documents
The Strategic Compass of the European Union
https://www.eeas.europa.eu/eeas/strategic-compass-security-and-defence-1_en
A European strategy on Cooperative Intelligent Transport Systems
Source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52016DC0766
AI Strategy
Recommendations
NIS 2 also points to some interesting references, such as those below.
| Code | Title | Source |
| --- | --- | --- |
| EC recommendation 2017/1584 | Recommendation on coordinated response to large-scale cybersecurity incidents and crises | http://data.europa.eu/eli/reco/2017/1584/oj |
| Regulation 2019/881 | Regulation on information and communications technology cybersecurity certification | http://data.europa.eu/eli/reg/2019/881/oj |
| EC recommendation 2019/534 | Recommendation on Cybersecurity of 5G networks | http://data.europa.eu/eli/reco/2019/534/oj |
Recommendation on coordinated response to large-scale cybersecurity incidents and crises
Code number: EC recommendation 2017/1584
Source: http://data.europa.eu/eli/reco/2017/1584/oj
Other proposed and upcoming acts
(Proposal) EU Cyber Resilience Act (CRA)
Code name: Regulation 2019/1020
Source: http://data.europa.eu/eli/reg/2019/1020/oj
More info: https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?reference=2022/0272(COD)&l=en
More info: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
“The proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, bolsters cybersecurity rules to ensure more secure hardware and software products.”
Proposed EU Cyber Solidarity initiative and cyber reserve
More info: https://www.euractiv.com/section/cybersecurity/news/eu-sets-out-plan-for-cyber-defence-policy/
(Proposal) Artificial Intelligence Act (AIA)
More info: https://digital-strategy.ec.europa.eu/en/policies/european-approach-artificial-intelligence
(Proposal) European Data Act
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52022PC0068
More info:
- (2023-03-14) https://www.euractiv.com/section/data-privacy/news/eu-lawmakers-formalise-position-on-the-data-act-in-plenary-vote/
- (2023-05-16) https://www.euractiv.com/section/data-privacy/news/data-act-trade-secret-safeguards-shall-be-exception-not-rule-commission-says/
(Proposal) Machinery Regulation (see Annex III)
Source: https://ec.europa.eu/commission/presscorner/detail/en/ip_22_7741
(Proposal) European Health Data Space (EHDS)
Source: https://ec.europa.eu/commission/presscorner/detail/en/QANDA_22_2712
EHDS “is a health-specific data sharing framework establishing clear rules, common standards and practices, infrastructures and a governance framework for the use of electronic health data by patients and for research, innovation, policy making, patient safety, statistics or regulatory purposes”
(Draft/proposal) European Chips Act
EU information: https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/european-chips-act_en
Info: https://sciencebusiness.net/news/ICT/act-three-chips-act-heads-negotiation-phase
Some more great stuff
You don’t want to miss this chart, compiled by Nicolas Ameye.
Source: this LinkedIn post by Nicolas Ameye (original PDF download source here)
Your feedback and suggestions
As legislation is continuously on the move, this article is never finished.
If you have great ideas to add, feedback or suggestions, let me know.