EU Cybersecurity Laws and Regulations - Horizon Scanner
Our DEG team provides the latest links to key cyber legislation and shares information on adoption and enforcement dates, relevant sectors, entities in scope and enforcement powers.
| Legislation | Adoption Date | Effective Date | What Sector(s) Does the Legislation Apply to? | Enforcement Measures |
|---|---|---|---|---|
| AI Act | The European Council adopted the AI Act on 21 May 2024; this marks the final step in the EU legislative process. | The AI Act will be signed by the Presidents of the European Parliament and the European Council before it is published in the Official Journal of the European Union. The Act will come into force twenty days after publication. | Applies to businesses operating within the EU, whether providers, users, importers, distributors or manufacturers of AI systems. Recital 49 sets out cybersecurity requirements for high-risk AI systems. Recital 51 also refers to cybersecurity. Article 15(4) begins: "High-risk AI systems shall be resilient as regards attempts by unauthorised third parties to alter their use or performance by exploiting the system vulnerabilities". | National supervisory authorities shall report the outcomes of their activities to the Commission on a regular basis. Where non-compliance occurs, Member State market surveillance authorities may make one of a number of findings. Where non-compliance persists, Member States shall take all appropriate measures to restrict or prohibit the high-risk AI system being made available on the market. Fines of up to €35m or up to 7% of total worldwide annual turnover may be imposed for non-compliance. |
| Network Information Systems Directive (NIS 2) | 16 January 2023 | 17 October 2024 | Energy, Transport, Banking, Financial Market Infrastructures, Health, Water, Digital Infrastructure, ICT, Public Administration, Space, Postal and courier services, Waste, Food, Chemicals, Manufacturing, Digital Providers, Research | Competent authorities may carry out: Fines. Essential entities: up to €10m or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. Important entities: up to €7m or at least 1.4% of total worldwide turnover for the preceding year, whichever is higher. |
| Digital Operational Resilience Act (DORA) | 16 January 2023 | 17 January 2025 | The Act applies to: | Competent authorities will have all supervisory, investigatory and sanctioning powers necessary to fulfil their duties under the Regulation. Those powers include: |
| | The European Parliament adopted this on 12 March 2024; it is now awaiting European Council adoption. | The Act will enter into force 20 days after its publication in the Official Journal of the European Union. | The Act will apply to products with digital elements whose intended use includes a logical or physical data connection to a device or network. | Member States shall designate one or more market surveillance authorities for the purpose of ensuring implementation. Where non-compliance persists, Member States shall take all appropriate measures to restrict or prohibit the product with digital elements from being made available on the market. Member States shall lay down rules on penalties applicable to infringements. Non-compliance with essential requirements shall be subject to administrative fines of up to €15m, or up to 2.5% of total worldwide annual turnover. |
| | The European Parliament adopted an amendment to the regulation on 24 April 2024; the European Council will adopt the finalised texts at a subsequent meeting in the autumn. | Once adopted, the text will be published in the Official Journal of the European Union and enter into force 20 days later. | The amended text of the Regulation has not been finalised but is expected to complement the NIS2 Directive in providing for the certification of service providers. | The initial Regulation stated that Member States shall lay down the rules on penalties applicable to infringements. These are awaited. |
| | 25 May 2016 | 25 May 2018 | Applies to all organisations, both EU and non-EU, that are engaged in the processing of the personal data of European citizens. Article 32 and Recitals 28, 29, 83 and 84 deal with the security of processing and require that, inter alia, processors implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. | Administrative fines of up to €10m or up to 2% of total worldwide annual turnover may be imposed for certain infringements. Other more serious infringements may attract fines of up to €20m or up to 4% of total worldwide annual turnover. |
| | 25 May 2018 | | Supplements the GDPR by filling in the sections of the Regulation for which Member States retained competency. Article 72 provides for security measures for personal data and requires that controllers ensure that measures are taken to provide a level of security appropriate to the harm that might result from a data breach. | As per the GDPR |
| | 17 August 2023 | Will become binding in Member States on 18 August 2026. The deadline for transposition into national law is 18 February 2026. | Providers of electronic communications services, internet domain name and IP numbering services and other information society services. | Member States shall lay down rules on pecuniary penalties applicable to infringements and shall take all measures necessary to ensure that they are implemented. |
| | 29 June 2021 | 7 June 2022 | Applies to hosting service providers and aims to aid them in removing harmful online content. Coimisiún na Meán is the competent authority. | Member States shall lay down rules on pecuniary penalties applicable to infringements and shall take all measures necessary to ensure that they are implemented. |
| | Approved by Government on 8 February 2024. | | Will transpose the E-Evidence Regulation and TCOR into Irish national law and will give effect to a number of provisions of the Budapest Convention on Cybercrime, an international treaty seeking to address cybercrime by harmonising national laws. | As per the E-Evidence and TCOR Regulations |
| | 6 July 2016 | 8 August 2016 | The precursor to NIS2. As of May 2024, this Directive applies in the EU, but it will be repealed in its entirety by NIS2. Applies to operators of essential services and digital service providers. | Member States shall lay down the rules on penalties applicable to infringements of national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. Penalties shall be effective, proportionate and dissuasive. |
| | 21 September 2018 | | Transposed the first NIS Directive into Irish national law. | As per the NIS1 Directive |
| | 31 October 2023 | The current expectation is that it will come into force in Q2 2024. | The Act is designed to implement the EU Investment Screening Regulation (2019/452). | Fines: a person found guilty of an offence under the Act may be liable, on summary conviction, to a maximum fine of €5,000 and/or a maximum sentence of 6 months' imprisonment; or, on conviction on indictment, to a maximum fine of €4 million and/or up to 5 years' imprisonment. Call-in powers: the Act provides the Minister for Enterprise, Trade and Employment with a retrospective 'call-in' power to review non-notifiable transactions for a period of 15 months post-completion, and non-notified transactions for a period of up to 5 years, where there are public order and/or national security concerns. |