EU cyber security strategy: new laws, new obligations – an overview

Martin Lose
07/02/2025

The debate on cybersecurity has been strongly shaped by European legislation in recent years. As part of its cybersecurity strategy, the EU has adopted numerous new legal acts intended to raise the level of cybersecurity across the Union. This web of new regulations is not self-explanatory and can easily overwhelm companies trying to understand their compliance obligations. In this article, we set out the overall strategy the EU Commission is pursuing with the various laws, how the new rules relate to each other and what exactly each of the individual laws regulates.

1. What strategy is the EU pursuing?

Threats to companies and government organisations are no longer limited to physical threats but are increasingly shifting to cyberspace. At the same time, digital infrastructure and connectivity are playing an ever-greater role in all areas of life. In addition to improved protection of physical infrastructure (e.g. through the CER Directive), protection against cyber threats is therefore a legislative focus. To this end, the European Commission presented its new cybersecurity strategy in December 2020. It aims to achieve a higher level of protection based on four basic principles:

  • Prevent
  • Detect
  • Respond
  • Deter

A particular focus here is on increased cooperation and information exchange between the member states. Threats from cyberspace do not stop at national borders and regularly affect more than one member state. Centralised reporting systems and cross-sector security standards are therefore being established in order to create a comprehensive picture of the situation and ensure a coordinated response. The strategy follows a risk-based approach: the higher the risk associated with a product, service or activity, the more extensive and stringent the associated obligations. This applies both within the individual legal acts and to their scope of application (for example, the NIS 2 Directive applies to organisations that are particularly worthy of protection because of their systemic relevance). In functional terms, the strategy addresses both the product security of hardware and software and security within companies through technical and organisational measures (e.g. a risk management system).

2. What are the legal acts?

In detail, the Commission's strategy is implemented through the following legal acts:

  • NIS 2 (Directive (EU) 2022/2555): NIS 2 aims to increase the cyber resilience of critical infrastructure and of entities classified as ‘important’ or ‘essential’ that operate in sectors which are particularly worthy of protection.
  • Cybersecurity Act (Regulation (EU) 2019/881): The Cybersecurity Act creates a standardised certification framework for ICT products, services and processes and strengthens the European Union Agency for Cybersecurity (ENISA).
  • Cyber Resilience Act (Regulation (EU) 2024/2847): The Cyber Resilience Act establishes horizontal security requirements for products with digital elements (e.g. Internet of Things devices).
  • Cyber Solidarity Act (Regulation (EU) 2025/38): The Cyber Solidarity Act aims to improve cross-border defence against cyber-attacks by establishing alert, emergency and incident review mechanisms.
  • Digital Operational Resilience Act ‘DORA’ (Regulation (EU) 2022/2554): DORA is intended to increase resilience in the financial sector by imposing increased security requirements on financial entities and also on their ICT service providers.


3. What is regulated?

NIS 2: The directive has been in force since January 2023, but as a directive it must be transposed into national law by the member states before its obligations apply to companies. Although the transposition deadline expired on 17 October 2024, many member states are still struggling with implementation. In Germany, the transposition law is still at the draft stage. Because of the early federal election, implementation in Germany is not expected before the end of 2025.

The NIS 2 Directive aims to ensure a high common level of cybersecurity in sectors that are particularly worthy of protection. It thus complements the CER Directive (EU 2022/2557), which is designed to ensure the physical security of critical entities. The directive contains obligations regarding cybersecurity measures (e.g. a risk management system), registration and the reporting of security incidents, as well as provisions on supervisory measures such as on-site inspections. It also focuses on EU-wide cooperation in reporting and defending against cyber threats and on the exchange of information between member states. A significant change is the considerable expansion of the group of addressees. While previously only critical infrastructure was covered by the obligations, important and essential entities in the sectors of high criticality (energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space) are now also covered. In addition, entities in other critical sectors are covered (postal and courier services, waste management, chemicals, food, manufacturing, digital providers, research). The criteria for classification as important or essential are, in addition to the company's activities, its turnover and number of employees. For some organisations (e.g. providers of public electronic communications networks or of publicly available electronic communications services), however, the provisions apply regardless of the size of the organisation. Despite the faltering national implementation, companies should already check whether they fall within the scope of the directive and get an overview of which cybersecurity measures they need to take in order to comply with it.

Cybersecurity Act: The Regulation has been in force since June 2019 and has been directly and fully applicable in all member states since 28 June 2021. The Cybersecurity Act aims to strengthen cybersecurity in the Union by creating a harmonised framework for the voluntary security certification of information and communication technology (ICT) products, services and processes. Certificates are issued at one of three assurance levels, ‘basic’, ‘substantial’ and ‘high’, which differ in the rigour and depth of the evaluation. Examples of assessment criteria include the possibility of unauthorised access to stored data, security by default settings and the logging of access to data. In addition, ENISA has been strengthened with a permanent mandate. It has a comprehensive coordination, support and advisory function vis-à-vis the member states and Union bodies.

Cyber Resilience Act: The regulation has been in force since 10 December 2024. The main obligations apply directly from 11 December 2027; the reporting obligations for actively exploited vulnerabilities and severe incidents apply earlier, from 11 September 2026. The Cyber Resilience Act primarily addresses the horizontal security of products. It supplements the general provisions on product safety under the General Product Safety Regulation (EU 2023/988) with specific provisions on cybersecurity. The obligations apply to manufacturers, importers and distributors of products with digital elements. This addresses the increasing embedding of software in products (e.g. Internet of Things devices) and the security gaps that arise as a result. Accordingly, hardware, software and embedded systems are covered. The security requirements extend along the entire value chain and over the entire life cycle of the product and must be taken into account in planning, design, development and maintenance (including security updates). In addition, there are recall and reporting obligations. The regulation follows a risk-based approach and imposes additional obligations, including third-party conformity assessment, on products that are classified as ‘important’ or ‘critical’ on the basis of their function. Free and open-source software supplied outside a commercial activity is exempt, and a lighter regime applies to open-source software stewards; certain products that are already subject to more specific security regulation (e.g. medical devices) are also excluded.

Cyber Solidarity Act: The regulation was published in the Official Journal of the European Union on 15 January 2025 and entered into force on 4 February 2025. The Cyber Solidarity Act serves in particular to prevent and defend against cyber-attacks across borders. To this end, EU-wide infrastructures are to be created for incident detection, response and management. Three mechanisms are central to this:

  • European Cybersecurity Alert System: a Europe-wide network of voluntarily participating national and cross-border cyber hubs for the detection, analysis and processing of data on cyber threats and for the prevention of security incidents.
  • Cybersecurity Emergency Mechanism: a system to reinforce the Union's resilience to cyber threats, in particular through preparedness testing of entities in highly critical sectors, support for incident response, mutual assistance between member states and the establishment of an EU cybersecurity reserve of incident response services from trusted providers.
  • European Cybersecurity Incident Review Mechanism: at the request of the Commission and with the agreement of the affected member state, ENISA can review and assess the threats, known exploitable vulnerabilities and mitigation measures relating to a specific significant or large-scale cybersecurity incident and prepare a report. This report may include recommendations for improving cyber defence.

DORA: The Regulation entered into force on 16 January 2023 and has applied directly since 17 January 2025. DORA establishes specific security requirements for the financial sector. Financial entities have obligations regarding ICT risk management, ICT-related incident management and reporting, digital operational resilience testing (including threat-led penetration testing for larger entities), management of ICT third-party risk (in particular mandatory contractual provisions) and information sharing. ICT third-party service providers that provide services to financial entities also fall within the scope of the regulation, and those designated as critical are subject to a dedicated oversight framework run by the European Supervisory Authorities. In this context, the management bodies of financial entities bear explicit responsibility for implementing the obligations.

As a sector-specific law, DORA is not directly part of the general cybersecurity strategy, but because of its significant impact on ICT service providers it is closely related to it. In general, it should be noted that in addition to the general legal acts on cybersecurity, further sector-specific rules may also apply (e.g. Implementing Regulation (EU) 2015/1998 on aviation security or Implementing Regulation (EU) 2022/1426 on fully automated vehicles).

We would be happy to advise you on all aspects of cybersecurity and to support you in implementing the new EU legal acts in a legally compliant manner. Please feel free to contact Martin Lose from our team. You can find out more about our expertise in the field of cybersecurity on our focus page.
