Europe has been working for nearly two years on a set of measures to strengthen the cybersecurity of its institutions. The new regulation, born out of an intense collaborative process, was definitively approved at the end of 2023 and entered into force in January 2024.
Improving the protection of sensitive information and managing the risks faced by the various institutions of the European Union are the main reasons behind this ambitious project to guard against cyberattacks.
Unified measures for the protection of EU institutions
For the first time, a unified set of measures has been established to protect all entities and offices within the European Union, including institutions such as the European Parliament, the Council of the European Union, the Court of Justice of the European Union, the European Central Bank, Europol, the European Medicines Agency (EMA), the European Aviation Safety Agency (EASA), and the European Investment Bank (EIB).
According to the regulation, all these entities will design a comprehensive cybersecurity plan, the final implementation of which must be completed by January 8, 2026.
Comprehensive approach to strengthen cybersecurity
Entities subject to the regulation must consider the following points to strengthen cybersecurity:
- Telecommuting: Establish technical measures that enable telecommuting and maintain it securely, ensuring the integrity and confidentiality of information.
- Zero Trust: Adopt specific measures to advance the principles of “Zero Trust.” This model requires continuous identity verification and security validation before granting access to resources or information, operating on the premise of “never trust, always verify,” regardless of the location or network accessed.
- MFA (Multi-Factor Authentication): Implement multi-factor authentication in all network and information systems to add additional layers of security.
- Encryption: Use cryptography and encryption, especially end-to-end encryption and secure digital signatures, to protect the confidentiality and integrity of information.
- Communications: Ensure secure voice, video, and text communications, as well as secure emergency communication systems, to guarantee the confidentiality of transmitted information.
- Malware: Develop proactive measures to detect and remove malicious programs and spyware that could compromise system security.
- Software: Strengthen security in the software supply chain to prevent vulnerabilities and ensure program integrity.
- Cybersecurity training: Develop cybersecurity training programs for all personnel, with ongoing training so that staff acquire the necessary skills and the regulation is implemented effectively. The new standards address not only technical strengthening but also the human factor.
- Collaboration: Actively contribute to the analysis of interconnection risks between entities when relevant, ensuring a comprehensive understanding of shared risks.
Coordination and cooperation
Additionally, the regulation establishes specific rules to eliminate contractual barriers that may hinder communication with the Security Service for EU institutions, bodies, offices, and agencies. This service is consolidated as the central hub for coordinating threat intelligence, exchanging information, and responding to incidents in the EU, and it also provides advisory functions in cybersecurity.
Previously known as CERT-EU (Computer Emergency Response Team for the EU Institutions, Agencies, and Bodies), this service seeks to establish obligations requiring providers to notify any identified incidents, vulnerabilities, or cyber threats, and to implement effective responses to these events. The regulation places firm emphasis on rules that promote cooperation and responsiveness.
The newly enacted Cybersecurity Regulation integrates coherently with other regulations and laws established by the European Commission, such as the Network and Information Systems Directive (NIS), adopted in 2016. That directive aimed to improve cybersecurity across EU member states by establishing measures to ensure a common level of security for critical infrastructures and digital service providers. It set out requirements for operators of essential services and digital service providers, including mandatory notification of security incidents, and promoted cooperation among member states to address cyber threats.
A milestone that prepares the continent to face cyber threats and promote recovery from incidents
Johannes Hahn, Commissioner for Budget and Administration of the European Union, highlighted the significant step Europe has taken with this regulation, unifying protocols and advocating for a culture of prevention and resilience. In his words, “In a connected environment, a single cybersecurity incident can affect an entire organization. That’s why it’s crucial to build a strong shield against cyber threats and incidents that may disrupt our ability to act. The regulations we propose today are a milestone in the EU’s cybersecurity and information security landscape. They are based on enhanced cooperation and mutual support among EU institutions, bodies, offices, and agencies and on coordinated preparedness and response. It’s a true collective effort.”
Contact our cybersecurity and fraud experts now and request personalized advice to protect your business.