The past 10 years have shown a significant increase in both the number and the complexity of digital threats. Ransomware and state-sponsored cybercrime have put the economy, critical infrastructure, and the security of society under pressure. It is no longer a question of if but when a threat hits.
The EU has reacted by making cybersecurity a central political and regulatory area. Strategies and legislation ensure that member states can resist digital threats together. To understand the EU’s increasing focus on cybersecurity, it is necessary to examine the background, the new regulations, and the practical consequences for organizations.
EU tightens cybersecurity
There are several reasons why the EU has chosen to strengthen its efforts:
Ransomware and supply chain attacks: Cybercriminals have become more organized, and attacks on supply chains have shown how one weak link can impact hundreds of companies. Ransomware has evolved into a billion-dollar industry where data is not only encrypted but also threatened with public exposure.
Covid-19 and accelerated digitalization: The transition to remote work and cloud-based solutions during the pandemic made organizations more vulnerable. Many security measures lagged behind the rapid digitalization, creating new opportunities for attacks.
Geopolitical tensions: The war in Ukraine has demonstrated how cyberattacks are used as a part of hybrid warfare. Attacks against energy and communication infrastructure have affected both Ukraine and EU countries, and the threat from state-sponsored actors has become a central concern in Europe’s security policy.
Increasing dependence on digital services: Critical functions such as healthcare systems and energy supply depend on digital systems. If operations are halted, the consequences can quickly become critical for society.
EU’s Cybersecurity Strategy (2020)
In December 2020, the European Commission launched a new cybersecurity strategy with the vision of “a digital safe Europe”. The strategy is a part of the EU’s Digital Decade and aims to strengthen resilience across the member states.
The strategy is built on three pillars:
1) Resilience and technology sovereignty
The goal is to ensure that Europe’s digital infrastructure can resist and recover from cyberattacks. This involves not only technical requirements but also reducing dependence on non-EU suppliers. As part of this, the following measures have been adopted:
- The NIS2 directive, which imposes stricter requirements on critical sectors such as energy, transport, healthcare, digital infrastructure, and public administration.
- The CER directive, which complements NIS2 by addressing the physical and digital resilience of critical entities.
- The Cyber Resilience Act, which requires manufacturers of products with digital elements to build security in from the outset and to provide security updates throughout the product’s support period.
Together, these initiatives aim to ensure that the EU is not only a consumer of technology but also sets security standards and increases independence from external actors.
2) Prevention and response
The strategy emphasizes that the EU should not only react after the damage has occurred, but also prevent and detect threats early. Specifically, this means:
- A common European network of Security Operations Centers (SOCs) to monitor the threat landscape in real time.
- An enhanced mandate for ENISA, the European Union Agency for Cybersecurity, which advises, coordinates, and supports member states in managing major incidents.
- A shared toolbox of methods and best practices that can be used across the EU.
The purpose is to create a more proactive defense where incidents can be detected quickly and managed effectively to minimize consequences.
3) International cooperation
Since cyber threats do not respect national borders, the EU has to work closely with international partners. The strategy therefore prioritizes:
- Partnerships with other states and organizations for information sharing and common standards.
- An active role in international forums where rules and norms for cyberspace are developed.
- Efforts against state-sponsored attacks, where the EU can use both diplomatic and economic measures.
This way, the EU aims to strengthen its role as a global leader in cybersecurity and contribute to a more stable and predictable digital environment.
Digital Finance Strategy (2020)
Alongside the Cybersecurity Strategy, the EU launched a separate Digital Finance Strategy in 2020. Its goal was to ensure that Europe's finance sector can leverage the opportunities of digitalization without compromising security. The strategy aimed to both support innovation and strengthen resilience against cyber threats.
The key outcome of the strategy is the DORA Regulation (Digital Operational Resilience Act), which imposes binding requirements on how the financial sector manages IT risks.
DORA includes the following key areas:
- ICT risk management: Financial institutions must systematically identify, assess, and manage their digital risks.
- Incident reporting: Major ICT-related incidents must be reported promptly and in detail to the relevant authorities.
- Third-party and cloud management: Requirements are set for the control and monitoring of critical third-party providers, especially cloud services.
- Resilience testing: Institutions must regularly test their ability to resist and recover from cyberattacks, including threat-led penetration testing for the largest entities.
DORA reinforces that Europe’s financial stability is a matter of security policy and that digital resilience is a strategic necessity.
From strategy to regulation – EU’s new normal
Recent years have shown that the EU’s cybersecurity strategies don’t remain confined to Brussels desks. They are translated into binding legislation, and organizations across Europe must now align governance, processes, and investments with legal requirements.
This means that compliance is no longer just an optional best practice but a regulated obligation comparable to financial reporting or environmental standards. Failure to comply not only raises risks but also entails legal and financial consequences.
The NIS2 directive means that many organizations now must document their risk management, contingency plans, and incident reporting at a level they have not previously been subject to. Because NIS2 is a directive, its obligations reach organizations through each member state’s transposition into national law, so the exact scope, deadlines, and sanctions can vary from country to country.
The directive also imposes new requirements on management, who must take an active role in cybersecurity. It is no longer sufficient to delegate responsibility to the IT department – leaders themselves must be able to demonstrate how NIS2 compliance is being implemented.
The DORA Regulation takes this a step further in the financial sector, where digital resilience has become a part of the regulatory foundation alongside capital requirements. Unlike a directive, DORA is a regulation and applies directly in all member states without national transposition. Banks, pension funds, and insurance companies must not only be able to manage cyber incidents but also continuously test their preparedness and demonstrate that they can maintain critical functions under pressure.
A key element is vendor management: Large parts of the sector rely on cloud providers, and DORA requires that these relationships be closely monitored and controlled. Cybersecurity thus becomes a responsibility that extends across the entire value chain.
The CER Directive (Critical Entities Resilience) is a reminder of the fact that digital and physical threats are closely linked. Cyber incidents can have physical consequences, and vice versa. CER therefore requires organizations in critical sectors to strengthen both their digital and physical resilience.
For example, energy companies must not only protect their IT systems against attacks but also ensure proper access control and monitoring, emergency power, fire and flood procedures, and plan to maintain operations under extreme conditions.
Cyber Resilience Act complements this framework by imposing requirements on hardware and software manufacturers, mandating that security be built in from the start and maintained throughout the product’s lifecycle.
What does it mean for organizations?
For both public and private actors, EU regulations introduce new obligations and expectations for how security work is organized.
Several sectors are directly affected
Where previous requirements mainly targeted energy and telecommunications, the rules now apply more broadly. Hospitals, municipalities, banks, transport companies, and digital service providers in Denmark are among those that must be able to document their preparedness and security measures.
Management responsibility is clarified
Top management has been given a new role. Where cybersecurity used to be a matter of budget approvals, it is now a strategic management task in line with financial control and ESG. The management and board of directors must continuously follow up on risks, investments, and supplier selection and ensure that the entire value chain meets the requirements. Responsibility has become visible, indispensable, and directly linked to management.
Compliance requires systematic processes and documentation
To meet the requirements, cybersecurity work must be documentable and systematic, which includes:
- Ongoing risk assessments
- Clear procedures for incident management
- Continuous monitoring of vendors and partners
It is not just about ticking boxes but about creating a practice capable of withstanding both regulatory oversight and real cyberattacks.
The need for tools is growing
Manual management of these requirements quickly becomes unmanageable. That is why we see increasing interest in GRC platforms that integrate governance, risk, and compliance in one system. For many organizations, it is the only realistic way to gain an overview of data, processes, and reporting.
From obligation to competitive parameter
Although regulations can feel burdensome, they also present opportunities, and cybersecurity is not just an expense item. Organizations that can demonstrate resilience and compliance are stronger in tenders, in dialogue with partners, and in building trust with citizens and customers. Regulation, while challenging, can be leveraged actively as a competitive parameter.
The company that can demonstrate security and responsibility has a clear advantage in the market.
Cybersecurity as Europe’s competitive parameter
EU regulations clearly show that cybersecurity is no longer just about protecting data and systems – it is also about Europe’s ability to compete globally and maintain its technological sovereignty. The EU uses regulation as a strategic tool to strengthen Europe’s overall competitiveness. As the US and China invest heavily in digital solutions, the EU will stand out by combining innovation with responsibility.
This means that European companies are not only measured on price and quality, but also on their ability to deliver secure and reliable digital services. Over time, this could become one of Europe’s strongest competitive advantages: operating in an ecosystem where security is an integral part of the value chain.