Very few holiday travellers heading to airports in July 2024 could have expected that a cyber incident might suddenly cancel their long-awaited trip. A failed software update from a US cybersecurity provider caused repeated rebooting of computers running the Windows operating system, resulting in billions of euros in damages and disrupting air travel, stock markets, television broadcasts and manufacturing.
The impact of cyber incidents on the general public is set to increase in the coming years, and inaction will not provide relief. What steps is the European Union taking to ensure the continued functioning of individuals, businesses and societies in the golden age of cyberattacks?
The situation with cyberattacks will not improve anytime soon, and we must increasingly consider the unthinkable.
This was the observation made in January 2025 by Roberto Viola, head of DG CONNECT, the EU’s directorate-general responsible for cyber security. His statement, along with the growing number of cyberattack headlines, explains why the EU has adopted numerous cybersecurity regulations in recent years. These regulations aim to enhance the cyber resilience of European citizens, businesses and institutions.
Digital solutions have become an essential part of societal functioning, rather than being just a convenient alternative to physical services.
With this in mind, let us review what the EU achieved in cyber security in 2024, and what lies ahead in 2025.
NIS2
In January 2023, the EU’s second cybersecurity directive, NIS2, came into effect, with the goal of establishing a consistently high level of cyber security across all member states. Member states had until October 2024 to incorporate it into national law, but Estonia, along with 20 other countries, missed the deadline. According to those drafting the legislation, the process was slowed by continuous refinements to guidelines and sector-specific inquiries. The goal is now to implement NIS2 by mid-2025, at which point the final scope of businesses affected by the directive will become clear.
The directive helps essential and important service providers adopt a strategic approach to cyber security, defines how and whom to notify in case of an attack, and sets baseline cybersecurity requirements.
Cyber Resilience Act
On 10 October 2024, member states adopted the Cyber Resilience Act (CRA), which establishes cybersecurity requirements for digital components and internet-connected devices such as smart TVs and home security cameras. The regulation ensures that products containing digital elements, including Internet of Things (IoT) solutions, remain secure throughout the supply chain and product lifecycle.
The CRA aims to establish uniform cybersecurity requirements for hardware and software products, avoiding regulatory overlap. It applies to products that are directly or indirectly connected to another device or communication network, excluding those already governed by other EU regulations, such as medical devices, aviation products and vehicles. Products must carry a CE marking, which certifies compliance with the regulation and with safety, health and environmental protection standards. This helps consumers identify secure products and protects both individuals and businesses from insecure digital products.
Unlike NIS2, the CRA has a longer implementation timeline, with a deadline set for December 2027. The European Commission must first establish general standards (Type A) in collaboration with member states, followed by standards for more than 20 product categories (Type C). Companies that wish to conduct self-assessments for compliance must adhere to their category’s Type C standards. If everything proceeds as planned, the main standards will be ready by autumn 2026.
Cyber Solidarity Act
In December 2024, member states adopted the Cyber Solidarity Act to enhance the EU’s capacities to detect, prepare for and respond to significant and large-scale cybersecurity threats that affect more than two member states.
The regulation, unveiled in January 2025, includes three key measures: a European cybersecurity alert system for real-time threat detection and response, a cybersecurity emergency mechanism to improve preparedness and response capabilities for large-scale cyber incidents, and a cybersecurity incident review mechanism for analysing major cyber incidents and providing recommendations to strengthen EU cybersecurity.
Last year also saw the adoption of two additional cybersecurity regulations: amendments to the Cybersecurity Act (CSA+), which addresses managed security services, and a regulation setting cybersecurity requirements for cross-border electricity flows.
What to expect in 2025
Significant progress was made in cybersecurity regulation last year. In 2025, the EU will begin revising the Cybersecurity Act, which governs the role of the EU agency in charge of cyber security (ENISA) and the EU cybersecurity certification framework. The five-year-old regulation needs updating to reflect ENISA’s evolving responsibilities and to improve certification processes in the cybersecurity sector.
The EU will also update its framework for responding to cyber incidents and crises, which was originally developed in 2017. The world has changed significantly since then, and greater focus is needed on preparedness and resilience. The European Commission has started the year actively, unveiling a proposal on 15 January for improving cyber security in the healthcare sector.
While some critics argue that the EU’s cybersecurity efforts remain insufficient, most experts advocate for a regulatory pause to allow for the effective implementation of existing measures. Now, the EU and its member states, including Estonia, must focus on enforcing regulations and supporting stakeholders in meeting the new requirements.
Last updated: 17.02.2025