Looking Ahead to 2025 in EU Cybersecurity Developments

As 2024 draws to a close, we look ahead to notable upcoming cyber developments in the new year. From the adoption of new cyber laws to the initiation of infringement proceedings by the European Commission against a number of EU Member States for alleged failures to adequately implement the EU Network and Information Systems Security 2 Directive, the EU continues to emphasize cybersecurity in a rapidly evolving legal and technological environment. There are no signs of this momentum slowing down in 2025.

The following developments are particularly noteworthy:

  1. EU Cyber Resilience Act (“CRA”): The CRA, which imposes cybersecurity and incident / vulnerability reporting requirements on products with digital elements (both software and hardware, referred to below as connected products) and their related remote data processing solutions, entered into force on 10 December 2024. The CRA will apply – i.e., be enforceable – from 11 September 2026 (for incident/vulnerability reporting), and from 11 December 2027 (for the cybersecurity requirements, which may necessitate product re-design). Key points include:
  • The CRA is a product safety-type law, imposing not only cybersecurity requirements but also the pre-market obligations familiar from EU product legislation, such as conformity assessments, CE-marking and technical documentation, before a product may be placed on the EU market.
  • Under the CRA, manufacturers must handle vulnerabilities and provide security updates for connected products throughout a defined support period (in principle at least five years, unless the product is expected to be in use for a shorter time).
  • The CRA is the first pan-EU law to introduce mandatory vulnerability reporting: manufacturers must submit an early warning of an actively exploited vulnerability (and of a severe incident affecting product security) within 24 hours of becoming aware of it, followed by a more detailed notification within 72 hours, to the competent authorities via ENISA’s single reporting platform.
  • Most obligations fall on the product manufacturer, whether established inside or outside the EU. However, distributors, authorised representatives and importers are also subject to specific requirements.

For more details, please refer to our prior blog post on the CRA (here).

  2. Revised EU Product Liability Directive (“rPLD”). The rPLD – which was updated to account for the increasing cyber and other risks that come with digital and connected products – entered into force on 8 December 2024. It will apply to in-scope products placed on the EU market after 9 December 2026. The rPLD does not impose regulatory obligations but harmonizes the rules across the EU for civil redress related to defective products, making it easier for injured persons to claim compensation. This includes easing the burden of proof on claimants in certain cases, for example where a defect is presumed because the technical complexity of the product makes it excessively difficult to prove. Key points to note include:
  • The rPLD now expressly includes software (including AI systems) within scope, increasing the risk of civil litigation for manufacturers, importers and distributors of these products.
  • Whilst the rPLD applies to claims brought by natural persons, some EU Member States have already indicated that they will extend these redress rights to legal persons, meaning that both B2C and B2B software manufacturers should take this heightened level of risk into account.
  • The rPLD has been added to the annex of the EU Representative Actions Directive, allowing “qualified entities” (e.g. certain consumer organisations) to bring claims on behalf of a group of consumers, and thus increasing the risk of collective claims.
  3. EU Cyber Solidarity Act (“CSA”). The CSA was adopted by the Council on 2 December 2024 and will enter into force in early 2025. The CSA does not impose regulatory obligations on private actors, but aims to strengthen the EU’s preparedness for and response to cyber threats through three key pillars:
  • the establishment of a pan-EU network of national and cross-border “cyber hubs” to exchange information and enhance analysis and data processing capabilities;
  • the establishment of a pan-EU Cybersecurity Emergency Mechanism to better anticipate, prepare for, and mitigate the impact of significant cyber incidents in the EU. It supports EU-coordinated incident preparedness testing of critical sectors and the establishment of an “EU Cybersecurity Reserve”, a pool of “trusted” managed security service providers that can support the EU or EU Member States during significant cybersecurity incidents; and
  • the establishment of a pan-EU Cybersecurity Incident Review Mechanism to facilitate the review by the EU Agency for Cybersecurity (“ENISA”) of significant cybersecurity incidents, with a view to drawing lessons and issuing recommendations.
  4. Revised EU Cybersecurity Act (“rCA”). The Cybersecurity Act has been updated with targeted amendments to bring managed security services within scope. These amendments were adopted by the Council on 2 December 2024 and are expected to enter into force in early 2025. Once effective, these changes will enable the adoption of European cybersecurity certification schemes for managed security services – which are broadly defined as services provided to third parties for cybersecurity risk management, such as incident handling, penetration testing, security audits, consulting, and technical support. Managed security service providers will be able, or in certain cases required, to certify their services under these new schemes when operating in the EU. Providers should monitor ENISA’s progress on candidate schemes and consider participating in relevant consultations.
  5. EU Network and Information Systems Security 2 Directive (“NISD2”). The deadline for EU Member States to transpose NISD2 was 17 October 2024. However, only 4 Member States have (as at the date of drafting) adopted implementing legislation to the satisfaction of the EU Commission. This has led the EU Commission to initiate infringement proceedings against the other 23 EU Member States to urge compliance. An important upcoming deadline under NISD2 is for digital infrastructure and digital service providers (e.g., cloud, data centre, content delivery network, managed service and managed security service, online marketplace, social networking and online search engine providers) to register, by 17 January 2025, with the competent NISD2 authority/ies in the relevant EU Member State(s).

ENISA has also issued draft technical guidance for these digital infrastructure, digital service and managed (security) service providers, explaining how to implement the cybersecurity risk-management requirements that the EU Commission has laid down for them under NISD2 in a binding implementing regulation. Although the ENISA guidance itself is non-binding and specifically targets these providers, it may become the de facto standard for other in-scope entities. The draft guidance is open for public consultation until 9 January 2025.

For more details, please refer to our prior blog post on NISD2 (here).

  6. EU Digital Operational Resilience Act (“DORA”). DORA, which sets ICT and cybersecurity risk-management requirements for the financial services industry, will apply from 17 January 2025. It applies directly to financial entities (e.g., investment firms, credit institutions, payment institutions, CCPs, trading venues) as well as to ICT third-party service providers designated as critical by the European Supervisory Authorities (ICT services being broadly defined as “digital and data” services provided through ICT systems, such as cloud and data centre services). Non-critical ICT third-party service providers will not be directly regulated under DORA but will be indirectly impacted, as financial entities must impose specific contractual requirements on their ICT providers, covering, among other things, security, incident reporting, audit and exit rights.

For more details, please refer to our prior blog post on DORA (here).

Next Steps

In 2025, organizations operating or offering services/products in the EU – including those established outside the EU – should evaluate their cybersecurity measures in light of these new laws, both from a technical and legal (regulatory) perspective.

A few priority actions that organizations may consider include:

  1. Assessing how these new EU cybersecurity laws may apply to the organization’s products, services and operations;
  2. Determining where the requirements under these new laws overlap with other regulatory frameworks that the organization is already subject to or is considering (e.g., incident reporting timelines under the CRA, NISD2 and DORA), so that a single set of processes can serve several regimes; and
  3. Performing a gap assessment to identify any additional measures required for compliance by the organization with these new EU cybersecurity laws.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.