European Union: ENISA report identifies key threats to the bloc
This is an Insight article, written by a selected partner as part of GDR's co-published content. Read more on Insight
Key statutes, regulations and adopted international standards
Cybersecurity threats tend to be cross-border in nature, and a cyberattack on the infrastructure in one EU member state can affect the whole EU. This is why various regulations and directives have been introduced at the EU level to safeguard data and promote cyber resilience.
One of the key principles of the EU’s General Data Protection Regulation (GDPR) is the ‘integrity and confidentiality’ principle, which requires data controllers to ensure personal data is processed in a manner that ensures appropriate security of the personal data – including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage – using appropriate technical or organisational measures. The GDPR’s integrity and confidentiality principle is bolstered by further specific requirements specifying that organisations must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
In particular, the GDPR indicates that measures should include, as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In other words, the GDPR requires, among other things, organisations to take appropriate measures to ensure the confidentiality, integrity and availability of personal data. Technology alone is not a complete solution. Organisations must perform a risk assessment, and develop and implement policies and procedures, and employees must be trained how to handle data correctly. The GDPR requires the combination of technology, processes, procedures and people all working together to ensure the protection of the personal data handled.
The GDPR also requires controllers to comply with strict reporting obligations in relation to breaches involving personal data.
Depending on the nature of the offence, the penalty for non-compliance with the GDPR’s requirements may reach up to €20 million or 4 per cent of the organisation’s worldwide turnover, whichever is higher.
Other key EU laws that directly relate to cybersecurity include the following:
- Regarding network and information systems (NIS), the EU Directive on the security of NIS (NIS 1) was the first piece of EU-wide cybersecurity legislation. Its purpose was to enhance cybersecurity by creating a common security standard, emphasising cooperation among EU member states and imposing additional cyber-related obligations on providers of certain services, with a view to ensuring the continuity of those services in the event of a cyberattack; however, as an EU directive, the requirements of NIS 1 needed to be incorporated into the national legislation of each EU member state, which led to diverging interpretations and fragmented application across the EU.
- To address the shortcomings of NIS 1, the EU adopted a successor law: NIS 2. NIS 2 builds on the NIS 1 framework to impose cyber risk management, incident reporting and information-sharing obligations on certain types of organisations in various sectors. NIS 2 was published in the Official Journal of the EU in December 2022 and entered into force on 16 January 2023. EU member states will have 21 months from the entry into force of the directive (ie, until 17 October 2024) in which to incorporate the provisions into their national law. Among other things, NIS 2 covers additional entities and sectors. Notably, it provides that the maximum administrative fine that can be imposed under national law should at least be set at €10 million or at least 2 per cent of total worldwide turnover, whichever is the higher.
- The Cybersecurity Act entered into force on 27 June 2019. It was significant as the first set of rules addressing cybersecurity certification for all countries within the EU. The Cybersecurity Act has two main objectives: (1) strengthen the mandate of the EU cybersecurity watchdog, the European Union Agency for Cybersecurity (ENISA), to support the EU member states with tackling cybersecurity threats and attacks; and (2) establish an EU-wide cybersecurity certification framework in which ENISA plays a key role. An update to the Cybersecurity Act is under discussion. On 18 April 2023, the European Commission proposed a targeted amendment to the Cybersecurity Act to enable the future adoption of European certification schemes for ‘managed security services’ covering areas such as incident response, penetration testing, security audits and consultancy.
- The proposed EU Cyber Solidarity Act aims to strengthen capacities in the EU to detect, prepare for and respond to significant and large-scale cybersecurity threats and attacks. The proposal includes the European Cybersecurity Shield, comprising security operation centres (SOCs) across the EU and a comprehensive ‘Cybersecurity Emergency Mechanism’ to improve the EU’s ‘cyber posture’. It would also create the EU Cybersecurity Reserve, comprising incident response services from trusted providers ready to intervene, at the request of a member state, in the event of significant and large-scale cybersecurity incidents. It would also provide financial support for mutual assistance between member states’ national authorities.
- The EU Cyber Resilience Act aims to safeguard consumers and businesses buying or using products or software with a digital component. It would introduce mandatory cybersecurity requirements for manufacturers and retailers of those products, with this protection extending throughout the product life cycle. It would also impose liability for bringing vulnerable products to market.
- The Critical Entities Resilience Directive entered into force on 16 January 2023, with implementing national measures due to take effect in October 2024. It aims to strengthen the resilience of certain critical infrastructures. It covers 11 critical sectors (eg, energy, transport, financial market infrastructures and digital infrastructures) and is intended to address specific threats, including natural hazards, terrorist attacks, insider threats and sabotage.
- The Digital Operational Resilience Act (DORA) aims to harmonise the cybersecurity measures and resilience of IT systems used by the financial services industry. DORA entered into force on 16 January 2023, and all EU member states must apply implementing national measures from 17 January 2025. Entities covered by DORA include various financial entities, including credit institutions, electronic money institutions, investment firms, insurance undertakings and reinsurance undertakings. After DORA, these entities must also follow rules for protection, detection, containment, recovery and repair capabilities against ICT-related incidents. While DORA does not explicitly set out specific sanctions that may be imposed on senior management, it opens the door to that possibility, stating, for example, at article 5 that the management body shall ‘bear the ultimate responsibility for managing the financial entity’s ICT risk’.
ENISA is the dedicated EU agency for achieving a high common level of cybersecurity across the EU. Established in 2004 and strengthened by the EU Cybersecurity Act, ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with member states and EU bodies and advises EU member states on how to ensure a high level of network and information security.
Enforcement of cybersecurity rules is handled by each EU member state, which means that each EU member state has its own authoritative body to investigate alleged violations and enforce compliance.
Taking France as an example, the French Data Protection Authority (CNIL) is the authority responsible for enforcing the proper application of data protection requirements by data controllers and processors. It has important powers of control and investigation and can impose significant administrative and financial penalties and order the temporary or permanent suspension of data processing.
Regarding application of the NIS 1 requirements in France, the French National Cybersecurity Agency (ANSSI) is the national authority responsible for responding to cybersecurity incidents targeting strategically important institutions.
This means that in the event of a security incident, the impacted organisation may need to notify two separate regulators about the same incident:
- the NIS 1 competent authority (in the case of France, the ANSSI), and
- the data protection authority (in the case of France, the CNIL) if the same incident is a personal data breach as defined under the GDPR.
In this section, France was chosen as an example because enforcement of cybersecurity requirements is performed at the level of each EU member state. In practice, organisations may need to assess whether reporting obligations exist in more than one EU state.
Recent regulatory guidance issued by the European Data Protection Board has indicated that where a controller is not established in the EU, a personal data breach ‘will need to be notified to every supervisory authority for which affected data subjects reside in their Member State. This (These) notification(s) shall be the responsibility of the controller.’
Company obligations to protect IT systems and data
The GDPR requires organisations to implement ‘appropriate technical and organisational measures’ to ensure a level of security appropriate to the identified risk. Companies in the scope of NIS 2 will also need to manage their information security risks and implement risk management measures, which NIS 2 states should include at least the following:
- policies on risk analysis and information system security;
- incident handling;
- business continuity, such as backup management and disaster recovery, and crisis management;
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
- policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
- basic cyber hygiene practices and cybersecurity training;
- policies and procedures regarding the use of cryptography and, where appropriate, encryption;
- human resources security, access control policies and asset management;
the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
Effect of laws on foreign businesses
The GDPR has extraterritorial reach, meaning that many organisations based outside the EU may be subject to its requirements. In particular, article 3 of the GDPR provides that it applies to non-EU headquartered organisations ‘established’ within the EU (eg, possibly by through a branch office or agent operating in Paris or Madrid), regardless of whether the organisation chooses to process data about EU individuals inside or outside the EU.
Similarly, the GDPR is applicable to organisations that process personal data in relation to (1) offering goods or services to individuals who are in the EU, even if provided free of charge, or (2) monitoring the behaviour of individuals who are in the EU where that behaviour takes place in the EU, or both.
In practice, this means that a foreign online provider of goods or services may be subject to the GDPR if it actively markets to the EU, but not if it merely provides a website that is accessible to individuals in the EU; however, regulators will consider factors such as the use of any language or currency generally used in EU member states or mentioning customers or users residing in the EU. For example, if an e-commerce business based in the United States does not ship its goods to consumers in the EU and does not provide currency conversion or language options to cater to EU countries, then it is likely that it will not be subject to the GDPR. In practice, however, the situation will not be so clear-cut for many organisations.
NIS 1 has some extraterritorial reach as it applies to digital service providers outside the EU that offer their services in the EU (but not ‘operators of essential services’ outside the EU). NIS 2 has a broader extraterritorial reach as it applies to both essential and important entities.
Responsibilities of directors
The GDPR does not provide for directors’ liability where a company commits a data privacy violation; however, they may still be held personally liable if they are found to have acted negligently or recklessly. For example, section 198 of the UK’s Data Protection Act 2018 provides that personal liability may arise where an offence has been committed by the company, and it is proved to have been committed with the consent or connivance of, or to be attributable to neglect on the part of, a director, manager, secretary or similar officer.
One of the most significant changes introduced by NIS 2 (compared to NIS 1) is that ‘to ensure a high level of responsibility for the cybersecurity risk-management measures and reporting obligations’, it imposes direct obligations on management bodies. NIS 2 does not explicitly define ‘management body’ – leaving the door open to national implementing laws to define or interpret this term; nevertheless, in the context of essential entities, the text of NIS 2 suggests that individuals who would be considered part of ‘management bodies’ may include those who:
- are responsible or act as a legal representative for the entity that is covered under NIS 2;
- have the authority to take decisions on such legal entity’s behalf; or
- have the authority to exercise control over such legal entity.
NIS 2 requires members of the management bodies of covered entities to complete training so that they may identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity. In addition, it provides that management bodies can be held directly and personally liable in some cases for infringements by the legal entity for a lack of compliance with implementing cybersecurity risk-management measures.
In addition, authorities may request, in certain cases, the imposition of a temporary prohibition of the exercise of managerial functions by a natural person discharging managerial responsibilities at the chief executive officer or legal representative level. NIS 2 does not set out a particular standard of failure to trigger personal liability; however, it is likely that any intent or negligence will be taken into account by the regulator when deciding the enforcement measure to impose.
Best practices for responding to breaches
Where a breach involving personal data occurs, article 33 of the GDPR requires the controller to notify the supervisory authority of the breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification, among other things, should include a description of the breach, the number or approximate number of data subjects and the personal data records concerned. It must also contain a list of likely consequences of the breach and the measures taken or proposed to be taken to address the breach.
If the breach is likely to result in a high risk to the rights and freedoms of a data subject, article 34 of the GDPR requires the controller to notify the data subject to whom the breach relates without undue delay. The requirement is waived if the controller has implemented appropriate measures to render the data unintelligible through encryption or otherwise to any person not authorised to access it.
Below is a round-up of some best practices for responding to a personal data breach. Controllers should:
- move as quickly as possible to secure all systems and fix the identified vulnerabilities that may have caused the breach. They should closely monitor all entry and exit points, especially those involved in the breach. This is essential to reduce the extent of the attack and avoid even more data being exposed.
- mobilise the breach response team immediately to prevent any additional data loss. The team should include members of other departments, such as legal, information security, IT, operations, human resources, communications, investor relations and management.
- consider hiring independent forensic investigators to help determine the source and scope of the breach, as well as external legal counsel.
- hire outside counsel at the start of a data breach incident response. This may help preserve the attorney–client privilege. Remember that advice provided by in-house counsel may not necessarily be protected by privilege. Running dual investigations can also help preserve privilege. Controllers should check the applicable requirements surrounding privilege for the organisation, as the rules vary depending on the considered jurisdiction.
- take all affected equipment offline immediately, but they should not turn any machines off until the forensic experts say so.
- if possible, change all online account passwords and network passwords after removing the system from the network. Furthermore, they should change all system passwords as soon as the malware is removed from the system.
- immediately secure backup data or systems by taking them offline and ensure backups are free of malware.
- consider whether to reach out to law enforcement as soon as possible. Law enforcement may be able to use legal authorities and tools that are unavailable to most organisations. Law enforcement can enlist the assistance of international law enforcement partners to locate the stolen or encrypted data or identify the perpetrator.
Recent trends and updates
Some recent cybersecurity trends in the EU, as identified by the ENISA threat landscape report, include:
- an increase in the use of zero-day exploits by sophisticated threat actors to compromise systems and networks. Zero-day exploits are vulnerabilities that are unknown to the public or the vendor and can be exploited before they are patched.
- the resurgence of hacktivism as a form of cyber protest and activism. Hacktivism is the use of hacking techniques to promote a political or social cause, such as exposing corruption, censorship or human rights violations. The ENISA report notes that a new wave of hacktivism has been observed since the Russia–Ukraine war, with government and corporate websites and systems being increasingly targeted.
- the growing threat of artificial intelligence-enabled disinformation and deepfakes, including the proliferation of bots modelling personas to disrupt the ‘notice-and-comment’ rule-making process, as well as community interaction, by flooding government agencies with fake contents and comments.
- the rising risk of supply chain targeting by cybercriminals and nation-state actors (ie, the compromise of third-party vendors or service providers that have access to the systems or data of their customers or partners).
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation (GDPR)).
 ibid, article 5(1)(f).
 ibid, article 32.
 Directive (EU) 2016/1148.
 Directive (EU) 2022/2555 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2).
 Regulation (EU) 2019/881.
 Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities.
 Regulation (EU) 2022/2554 on digital operational resilience for the financial sector and amending Regulations (EC) 1060/2009, (EU) 648/2012, (EU) 600/2014, (EU) 909/2014 and (EU) 2016/1011.
 European Data Protection Board (EDPB), Guidelines 9/2022 on personal data breach notification under GDPR, 28 March 2023.
 ibid, paragraph 73.
 NIS 2, article 21(2).
 The EDPB has confirmed that the mere presence of an employee in the EU will not necessarily result in that processing falling within the scope of the GDPR; however, the presence of a single employee or agent of a non-EU entity in the EU may, in some circumstances, be deemed a ‘stable arrangement’ amounting to an ‘establishment’ for the purposes of article 3(1)) of the GDPR if that employee or agent acts ‘with a sufficient degree of stability’. See EDPB, Guidelines 3/2018 on the territorial scope of the GDPR, p. 6.
 GDPR, article 3.
 NIS 2, Recital 137.
 NIS 2, article 32(6).
 This refers to conducting a swift, non-privileged investigation to understand how the data breach occurred, while simultaneously running a separate, privileged investigation to assist in the provision of legal advice to the company.