
2022: ACTIVITY REPORT OF THE CYBER SECURITY COALITION

“We have entered a new cycle of regulation in Europe”

To face the ever-increasing cyber threat, the EU launched many new regulatory initiatives last year. The aim is to strengthen Europe's position as a global frontrunner in cyber security. Although this leads to a growing “Europeanisation” of regulations, this trend also gives extra clout to the national level, according to Thomas Declerck of Allen & Overy. 

Thomas Declerck

Senior Associate at Allen & Overy

“Looking at 2022 through a legal lens, you can only conclude that this was the year in which major steps were taken in terms of more cyber security and hygiene,” opens Thomas Declerck, Senior Associate at law firm Allen & Overy and specialised in cyber security. “The EU has clearly strengthened its position as a global leader in cyber security this year.” 

The movement towards more European regulation on cyber security has been going on for several years. “For example, the new Network and Information directive NIS2, which was adopted in 2022, builds on the first NIS, adopted in 2016. For a number of sectors, it determines which cyber security measures must be taken and can therefore be legally enforced.” 

NIS2 expands the number of sectors covered by this scheme, while also tightening the obligations. “To give just one example: it has been established that the entire management team of a company - and not just the CISO - needs to be concretely involved in managing the risks and complete additional training on cyber threats. The regulation makes a real effort to build cyber governance reflexes. It should no longer be a mere IT issue,” says Declerck. 


Start of a new cycle 

In addition to the further expansion of existing regulations, the EU also launched many new initiatives in 2022, such as the Cyber Resilience Act (CRA). “This is a proposal of a series of mandatory conditions for digital products, which producers must meet to be granted the right to sell on the European market. Products that meet these cyber security requirements will receive the well-known CE label.” 

Similar initiatives were also taken with the Artificial Intelligence (AI) Act and the AI Liability Act, which should lead to clear rules on the use of AI, a technology that is inextricably linked to cyber security. Unlike NIS2, which has now entered the implementation phase at the national level, these are all legislative initiatives that are just getting started.

“We have clearly started a new cycle of regulation in Europe,” Thomas Declerck adds, also emphasizing that sufficient time should be allowed for the implementation phase. “If you start adding new rules too quickly, it will create too much bureaucratic burden for companies. To some extent this is inevitable, but if rules are perceived as just a bureaucratic obligation, they are de facto missing their purpose.” 


National level remains essential 

However, if the further roll-out and implementation of these rules happen at the right speed, this could turn into a competitive advantage for European companies and organisations. “Many of them are already starting to realise that cyber security can grow to be a USP for many sectors,” Declerck has noticed.

The implementation of these rules is done at the national level. For Thomas Declerck, this also shows why – despite the obvious Europeanisation of the regulatory framework for cyber security – national actors still have a crucial role. Moreover, he also sees many reasons for optimism: “Belgium has taken important steps in recent years. This is not least to the credit of the Centre for Cyber Security Belgium and organisations such as the Cyber Security Coalition, who create a forum for discussion and knowledge sharing,” he concludes.