Overview of cybersecurity relevant European laws, directives, regulations and policies…

  1. Credits
  2. Applicability to your business
  3. More info on the list below
  4. Difference between EU Directive and EU Regulation
  5. EU primary law
    1. CFREU (Charter of Fundamental Rights of the EU)
    2. ECHR (European Convention of Human Rights)
  6. Regulations and directives
    1. GDPR Regulation
    2. The NIS 2 Directive
      1. The NIS 1 Directive (repealed by NIS 2)
    3. The Digital Operational Resilience Act (DORA) – Financial sector
    4. The Critical Entities Resilience Directive (CER)
    5. EU Digital Services Act (DSA)
    6. EU Digital Markets Act (DMA)
    7. Directive on attacks against information systems
    8. European Data Governance Act (DGA)
    9. European ePrivacy directive
      1. Current versions (updated 2009)
    10. European Cyber Defence Policy
    11. EU Cyber Diplomacy Toolbox
    12. Cybersecurity Act (EU 881 / 2019) 
    13. Cybersecurity services for Radio Equipment Directive (RED)
    14. Medical Devices Regulation
    15. eIDAS Regulation (see Art 19(1))
    16. Digital Content Directive (DCD) (see Arts 7 and 8)
    17. European Communications Code (ECC) (see Art 40(1))
    18. Regulation 2021/887 establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres
    19. Intelligent Transport Systems  (ITS) directive (2010/40/EU)
  7. EU strategy documents
    1. The Strategic Compass of the European Union
    2. A European strategy on Cooperative Intelligent Transport Systems
    3. AI Strategy
  8. Recommendations
    1. Recommendation on coordinated response to large-scale cybersecurity incidents and crises
  9. Other proposed and upcomping acts
    1. (Proposal) EU Cyber Resilience Act (CRA)
    2. Proposed EU Cyber Solidarity initiative and cyber reserve
    3. (Proposal) Artificial Intelligence Act (AIA)
    4. (Proposal) European Data Act
    5. The proposed Machinery Reg (see Annex III)
    6. (Proposal) European Health Data Space (EHDS)
    7. (Draft/proposal) European Chips Act
  10. Some more great stuff
  11. Your feedback and suggestions


Georg Philip Krog started a post on LinkedIN with an interesting overview of EU policies, directives and regulations…

While the post is still under development (and growing), it might be interesting to get some more information on the list that Georg Philip created.

Furthermore the original list is not clear on which legislation is in force or in proposal / draft state.

Applicability to your business

Please consider that many of the rules and regulations below might apply directly to your business.

If not , then you might be impacted indirectly via the supply chain where your customer or supplier is impacted by the legislations. In that case, it’s very likely that you will be forced to apply the rules by delegation or obligation of your customer/supplier.

In many cased the supply chain security will impose these rules to you, one way or another. Be ready.

The chapters below contain, in most cases, a short description or extract of introduction to evaluate what

  • the act is about and
  • if it applies to your business

More info on the list below

The list below is not maintaining the same positioning as originally posted by Georg Philip.

There is a split in

  • laws, regulations and directives focusing on cybersecurity
  • strategy documents & EU policies
  • proposed (not yet active) laws

Difference between EU Directive and EU Regulation

Source: https://european-union.europa.eu/institutions-law-budget/law/types-legislation_en

A “regulation” is a binding legislative act. It must be applied in its entirety across the EU.

For example: GDPR (General Data Protection Regulation

A “directive” is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.

EU primary law

CFREU (Charter of Fundamental Rights of the EU)

Reference by Georg Philip: Articles 7 and 8 CFREU

Article 7 – Respect for private and family life

“1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”

Article 8 – Protection of personal data

“1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.”

Source :

ECHR (European Convention of Human Rights)

Art 8 ECHR:
Source: Guide on Article 8 of the European Convention on Human Rights

Regulations and directives

GDPR Regulation

Code number: Regulation 2016/679

Source: https://eur-lex.europa.eu/eli/reg/2016/679/oj

The NIS 2 Directive

Code number: EU Directive 2022/2555

Source: https://eur-lex.europa.eu/eli/dir/2022/2555/oj

Important note, the NIS 2 Directive is repealing NIS (also called NIS 1 now)

The NIS 1 Directive (repealed by NIS 2)

Code number : Directive 2016/1148

Source: http://data.europa.eu/eli/dir/2016/1148/oj

The Digital Operational Resilience Act (DORA) – Financial sector

Code name: EU Directive 2022/2554

Source: https://eur-lex.europa.eu/eli/reg/2022/2554/oj

DORA =  digital operational resilience for the financial sector

More info and interesting reads:

The Critical Entities Resilience Directive (CER)

Code name : EU Directive 2022/2557


EU Digital Services Act (DSA)

Code: Regulation 2022/2065

Source: http://data.europa.eu/eli/reg/2022/2065/oj

More Info: https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package

“The Digital Services Act (DSA) and the Digital Market Act (DMA) form a single set of rules that apply across the whole EU. They have two main goals:

  1. to create a safer digital space in which the fundamental rights of all users of digital services are protected;
  2. to establish a level playing field to foster innovation, growth, and competitiveness, both in the European Single Market and globally.”

EU Digital Markets Act (DMA)

Code: Directive 2020/1828

Source: https://eur-lex.europa.eu/eli/dir/2020/1828/oj

“The Digital Markets Act (DMA) establishes a set of narrowly defined objective criteria for qualifying a large online platform as a so-called “gatekeeper”. This allows the DMA to remain well targeted to the problem that it aims to tackle as regards large, systemic online platforms.

These criteria will be met if a company:

  • has a strong economic position, significant impact on the internal market and is active in multiple EU countries
  • has a strong intermediation position, meaning that it links a large user base to a large number of businesses
  • has (or is about to have) an entrenched and durable position in the market, meaning that it is stable over time if the company met the two criteria above in each of the last three financial years”

Directive on attacks against information systems

Code number: Directive 2013/40/EU

Source: https://eur-lex.europa.eu/eli/dir/2013/40/oj

European Data Governance Act (DGA)

Code number: Regulation (EU) 2022/868 

Source: http://data.europa.eu/eli/reg/2022/868/oj

More info : https://digital-strategy.ec.europa.eu/en/policies/data-governance-act

Article 1

“1.   This Regulation lays down:

(a)conditions for the re-use, within the Union, of certain categories of data held by public sector bodies;
(b)a notification and supervisory framework for the provision of data intermediation services;
(c)a framework for voluntary registration of entities which collect and process data made available for altruistic purposes; and
(d)a framework for the establishment of a European Data Innovation Board.

European ePrivacy directive

Original Code number: Directive 2002/58/EC

Source: http://data.europa.eu/eli/dir/2002/58/oj

Ammended :

Current versions (updated 2009)


European Cyber Defence Policy

Source: https://ec.europa.eu/commission/presscorner/detail/en/ip_22_6642

More info: https://ccdcoe.org/incyder-articles/eu-cyber-defence-policy-framework-presents-more-than-40-action-measures/

EU Cyber Diplomacy Toolbox



More info: https://www.enisa.europa.eu/events/artificial-intelligence-an-opportunity-for-the-eu-cyber-crisis-management/workshop-presentations/20190603-eeas-eu-cyber-diplomacy-toolbox.pdf/view

Cybersecurity Act (EU 881 / 2019) 

Code: Regulation (EU) 2019/881

Source:  http://data.europa.eu/eli/reg/2019/881/oj

Cybersecurity services for Radio Equipment Directive (RED)

Code name: Directive 2014/53/EU

Source: http://data.europa.eu/eli/dir/2014/53/oj

More info: https://single-market-economy.ec.europa.eu/sectors/electrical-and-electronic-engineering-industries-eei/radio-equipment-directive-red_en

Medical Devices Regulation

(see Art 10(1), together with paragraph 17(2) in Annex I)

Code: Regulation (EU) 2017/745

Source: http://data.europa.eu/eli/reg/2017/745/oj

eIDAS Regulation (see Art 19(1))

Code name: Regulation 910/2014,

eIDAS = Regulation on electronic identification and trust services (EIDAS)

Source: https://eur-lex.europa.eu/eli/reg/2014/910/oj

Digital Content Directive (DCD) (see Arts 7 and 8)

Code name: Directive (EU) 2019/770 

Source: http://data.europa.eu/eli/dir/2019/770/oj

European Communications Code (ECC) (see Art 40(1))

Code: Directive 2018/1972

Source: http://data.europa.eu/eli/dir/2018/1972/oj

Regulation 2021/887 establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres

Source: https://eur-lex.europa.eu/eli/reg/2021/887/oj

Special reference by Georg Philip: Art 4(2)(b)

Article 4

Objectives of the Competence Centre

1.   The Competence Centre shall have the overall objective of promoting research, innovation and deployment in the area of cybersecurity in order to fulfil the mission as set out in Article 3.

2.   The Competence Centre shall have the following specific objectives:

(a)enhancing cybersecurity capacities, capabilities, knowledge and infrastructure for the benefit of industry, in particular SMEs, research communities, the public sector and civil society, as appropriate;
(b)promoting cybersecurity resilience, the uptake of cybersecurity best practices, the principle of security by design, and the certification of the security of digital products and services, in a manner that complements the efforts of other public entities;
(c)contributing to a strong European cybersecurity ecosystem which brings together all relevant stakeholders

Intelligent Transport Systems  (ITS) directive (2010/40/EU)

under revision 2021/0419(COD): https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=COM%3A2021%3A813%3AFIN

Code: Directive 2010/40/EU

Source: http://data.europa.eu/eli/dir/2010/40/oj

EU strategy documents

The Strategic Compass of the European Union


A European strategy on Cooperative Intelligent Transport Systems

Source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52016DC0766

AI Strategy

European AI Strategy


NIS 2 also points to some interesting references like the one below.

EC recommendation 2017/1584Recommendation on coordinated response to large-scale cybersecurity incidents and criseshttp://data.europa.eu/eli/reco/2017/1584/oj
Regulation 2019/881Regulation on information and communications technology cybersecurity certificationhttp://data.europa.eu/eli/reg/2019/881/oj
EC recommendation 2019/534Recommendation on Cybersecurity of 5G networkshttp://data.europa.eu/eli/reco/2019/534/oj

Recommendation on coordinated response to large-scale cybersecurity incidents and crises

Code number: EC recommendation 2017/1584

Source: http://data.europa.eu/eli/reco/2017/1584/oj

Other proposed and upcomping acts

(Proposal) EU Cyber Resilience Act (CRA)

Code name: Regulation 2019/1020

Source: http://data.europa.eu/eli/reg/2019/1020/oj

More info: https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?reference=2022/0272(COD)&l=en

More info: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

“The proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, bolsters cybersecurity rules to ensure more secure hardware and software products.”

Proposed EU Cyber Solidarity initiative and cyber reserve

More info: https://www.euractiv.com/section/cybersecurity/news/eu-sets-out-plan-for-cyber-defence-policy/

(Proposal) Artificial Intelligence Act (AIA)

Source: https://digital-strategy.ec.europa.eu/en/library/proposal-regulation-laying-down-harmonised-rules-artificial-intelligence

More info: https://digital-strategy.ec.europa.eu/en/policies/european-approach-artificial-intelligence

(Proposal) European Data Act


More info:

The proposed Machinery Reg (see Annex III)

Source: https://ec.europa.eu/commission/presscorner/detail/en/ip_22_7741

(Proposal) European Health Data Space (EHDS)

Source: https://ec.europa.eu/commission/presscorner/detail/en/QANDA_22_2712

EHDS “is a health-specific data sharing framework establishing clear rules, common standards and practices, infrastructures and a governance framework for the use of electronic health data by patients and for research, innovation, policy making, patient safety, statistics or regulatory purposes

(Draft/proposal) European Chips Act

EU information: https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/european-chips-act_en

Info: https://sciencebusiness.net/news/ICT/act-three-chips-act-heads-negotiation-phase

Some more great stuff

You don’t want to miss this chart, compiled by Nicolas Amaye.

Source: this LinkedIN post by Nicolas Ameye (PDF orginal download source here)

Your feedback and suggestions

As legislation is continuously on the move, this article is never finished.
If you have great ideas to add, feedback or suggestions, let me know.