What to expect in European cybersecurity legislation in 2024?

The updated Network and Information Security Directive (NIS2) has been in force since 1 January 2023, with member states having time until 17 October 2024 to implement it into law. In Hungary for example, which has already enacted its law on cybersecurity certification and cybersecurity supervision, implementing the NIS2, the following deadlines apply for the organizations subject to the new regulation:

  • until 30 June 2024: organizations shall register with the Regulated Activities Supervisory Authority.
  • until 31 December 2024: these organizations shall appoint a licensed cybersecurity auditor.
  • until 31 December 2025: these organizations shall conduct the first NIS2-compliant cybersecurity due diligence.

After the Parliament, the Council and the Commission reached a provisional agreement on the text of the Cyber Resilience Act (CRA) on 30 November 2023, in early 2024 it will be formally approved by the Council and the European Parliament. After this, obligations will come into effect over a phased transition period:

  • vulnerability reporting obligations will go into effect after 21 months (late 2025)
  • the remaining obligations will go into effect after 3 years (early 2027).

ENISA develops the framework of cybersecurity certification schemes, which, after their adoption, will serve as implementing acts of the EU Cybersecurity Act. Currently, three cybersecurity certification schemes are under development. The first scheme, the European Common Criteria-based cybersecurity certification scheme (EUCC), was open for feedback in October 2023, and the Commission's adoption of the Act was expected for Q4 2023, which has already been delayed. Once it is adopted by the Commission, it will come into force on the twentieth day following its publication in the Official Journal of the European Union and will apply 12 months after the entry into force.
The second scheme being developed, EUCS, covers cloud services, and a third one, called EU5G, is related to 5G networks.

Parliament and Council reached a provisional agreement in December 2023 on the eIDAS 2.0, the update to the Electronic Identification, Authentication, and Trust Services Regulation, which seeks to improve the security and reliability of electronic identification and trust services. The text still needs to be formally adopted by the Parliament and the Council, which is expected in Q1 2024. Once formally adopted, it will enter into force on the 20th day following its publication in the Official Journal. Implementing Acts setting out the technical specifications need to be adopted 6 and 12 months after the adoption of the Regulation. Member States will have to provide EU Digital Identity Wallets to their citizens 24 months after the adoption of Implementing Acts, presumably in 2027.

The DOSS project will implement an IoT supply chain architecture with consideration to the CRA requirements and will also attempt to leverage its results with respect to the new digital wallet.