2025: A Critical Year for Cybersecurity Compliance in the EU and UK

In 2024, businesses across Europe observed an evolving cybersecurity landscape characterized by overlapping new legal frameworks. The European Union (EU) introduced several significant texts to protect its digital ecosystem, imposing obligations on a wide range of entities, from manufacturers to financial institutions.

As we move into 2025, the focus shifts from legislation to implementation. EU and UK entities, alongside foreign businesses seeking market access, face mounting expectations to elevate cybersecurity practices.

Beyond technical robustness, compliance must align with the legislative intent, emphasizing harmonization, transparency, and fostering trust within the digital economy. These measures aim to address cross-border risks and build resilience against escalating cyber threats.

This article examines the EU’s key legislative instruments – the NIS 2 Directive, Cyber Resilience Act (CRA) and Digital Operational Resilience Act (DORA) – which together harmonize cybersecurity standards across critical sectors such as infrastructure, digital products and financial services.

It also explores the interplay with broader frameworks, including the AI Act and the General Data Protection Regulation (GDPR), underlining the need for a cohesive regulatory strategy.

The UK’s complementary cybersecurity regulations are also discussed, highlighting their alignment and divergence from EU frameworks. Finally, practical steps for businesses navigating compliance in 2025 are outlined, aiming to foster resilience and long-term competitiveness.

Key Legislative Instruments

NIS 2 Directive

The NIS 2 Directive applies to “essential” and “important” entities across an expanded list of critical sectors, including energy, transport, banking, and healthcare. These entities must adopt robust security frameworks and collaborate effectively to counter cyber threats.

Member States were required to transpose the Directive into national law by 17 October 2024, but many are lagging behind. In France, a bill to strengthen cybersecurity in critical infrastructure, transposing NIS 2, was presented in October 2024. However, current political challenges have delayed its prioritization, creating potential compliance gaps.

CRA

The CRA mandates cybersecurity requirements for products with digital elements (PDEs). Manufacturers, importers, and distributors must embed cybersecurity measures into product design.

Although the act will be fully applicable by 2027, incremental requirements mean businesses must act now. The CRA emphasizes proactive risk management, reflecting the EU’s broader goal of fostering resilience at the product development stage.

Resilience of Critical Entities Directive (CER)

Complementing NIS 2, the CER Directive extends its scope to both online and offline threats targeting entities critical for societal continuity. Sectors such as infrastructure must enhance operational and physical resilience to address increasingly interconnected cyber-physical risks.

EU Cybersecurity Act

This law introduces harmonized cybersecurity certification across Member States, establishing assurance levels (basic, substantial, and high) for ICT products, services, and processes. These certifications aim to boost cross-border trust, especially in areas such as cloud services and 5G networks. The EU Cybersecurity Certification Scheme on Common Criteria (EUCC), covering ICT suppliers, will be available on a voluntary basis from February 2025.

DORA

DORA targets the financial sector, harmonizing ICT risk management frameworks to safeguard against systemic cyber risks. Financial entities must align their systems with DORA’s requirements from January 2025 to ensure operational resilience against evolving threats.

EU Cyber Solidarity Act

Still pending final adoption, this act seeks to enhance the EU’s collective response to cyber incidents. It will establish a European Cybersecurity Alert System, fostering coordinated responses and improving situational awareness across Member States.

Broader Legislative Landscape

Cybersecurity compliance is not confined to sector-specific regulations. Other EU frameworks intersect with these measures, emphasizing a multidisciplinary approach:

  • AI Act: This imposes cybersecurity requirements for high-risk AI systems, ensuring accountability and systemic safety
  • Data Act: Incorporating obligations for cloud service providers, the act reinforces secure data sharing and protects the transfer of sensitive information
  • Established Regulations: GDPR, the ePrivacy Directive, and sector-specific rules remain critical for safeguarding data integrity and user privacy

Navigating the Interplay

For businesses, understanding how these frameworks interact is crucial. Entities operating across sectors must adopt strategies combining technical compliance with robust legal oversight. This is particularly essential for multinational companies managing cross-border obligations under varying regulatory regimes.

Spotlight on the UK’s Approach

Post-Brexit, the UK’s cybersecurity framework mirrors the EU’s ambition but maintains regulatory autonomy. Key initiatives include:

Product Security and Telecommunications Infrastructure (PSTI) Act

Similar to the CRA, the PSTI enforces minimum cybersecurity standards for connectable products. The legislation builds on the UK’s Code of Practice for Consumer IoT Security, enhancing protection for consumer hardware.

Cyber Security and Resilience Bill

Expected in 2025, this bill will expand the UK’s regulatory scope to include digital services like managed service providers and critical data centers. Incident reporting requirements will also be strengthened, and data infrastructure could soon fall under its remit. A draft is anticipated by mid-2025.

UK Data (Use and Access) Bill

Introduced in October 2024, this bill aims to “unlock the value of data” while ensuring security in digital verification services and health IT systems. Though primarily focused on data, its provisions will influence broader compliance strategies.

Preparing for the Future: The 2025 Work Plan

With regulatory deadlines imminent, businesses must act swiftly to adapt to evolving cybersecurity obligations. Key steps include:

  • Mapping obligations: Identify laws and regulations affecting services and products. This foundational step enables clear compliance strategies.
  • Conducting gap analyses: Assess discrepancies between current practices and regulatory requirements. Use findings to prioritize and develop actionable work plans.
  • Establishing governance: Define clear roles and responsibilities for stakeholders to ensure seamless coordination, avoid redundancies, and allocate resources efficiently.
  • Embedding cybersecurity by design: Incorporate cybersecurity measures early in the design process for products and services, aligning with regulatory requirements.
  • Building operational resilience: Strengthen risk management frameworks and incident response protocols. Regular testing and timely updates are vital to address evolving threats.

Compliance is not just a regulatory obligation but also a strategic opportunity. By aligning with these frameworks, businesses can mitigate risks, foster trust among clients and partners, and gain a competitive advantage. Conversely, failure to comply risks penalties and reputational damage.

While the scope and complexity of these measures are significant, they reflect a broader ambition to harmonize and raise cybersecurity standards. The urgency of compliance is clear: with escalating cyber threats, businesses must respond proactively.

The EU and UK’s initiatives mark a pivotal step in this journey, challenging organizations to meet heightened expectations in 2025.
