Cybersecurity 2025

The new Cybersecurity 2025 guide features 16 jurisdictions. The guide provides the latest legal information on cybersecurity law and regulation, including in relation to critical infrastructure, financial sector operation resilience, cyber-resilience, and ICT certification. The guide also covers the intersection of cybersecurity with data protection law, developments in AI and healthcare regulation.

Last Updated: March 13, 2025


Authors



Orrick is a global law firm dedicated to serving the technology and innovation, energy and infrastructure, finance, and life sciences and healthtech sectors. With more than 1,100 lawyers across 25+ markets worldwide, Orrick provides forward-looking, pragmatic advice on transactions, litigation, and compliance matters. As one of the world’s leading tech law firms, cybersecurity and privacy are central to Orrick’s practice. The firm has 15 cybersecurity and privacy-focused partners and over 50 specialised lawyers, making it one of the strongest data protection practices in the market, recognised by Chambers Global, US, and Europe. Orrick helps clients navigate the complex cybersecurity and privacy legal landscape, managing global compliance matters, cyber incidents, litigation, and regulatory investigations. They maximise data value, address global privacy requirements, and reduce security risks. Whether clients are managing compliance challenges, licensing data, or acquiring new companies, Orrick offers forward-thinking solutions to address data challenges.


Introduction to the Cybersecurity Guide

In recent years, cybersecurity has become a paramount concern for legal professionals, policymakers, and businesses. The increasing frequency and sophistication of cyberattacks have prompted jurisdictions worldwide to enact comprehensive legal frameworks to protect digital infrastructures and ensure the safety of personal and non-personal data.

The recent wave of cybersecurity regulations reflects a global recognition of the critical importance of safeguarding digital assets. These regulations have significant implications for businesses. They underscore the necessity for comprehensive risk management strategies, accountability at the highest levels of management, and the implementation of rigorous security measures across all sectors.

One of the primary implications of these regulations is the heightened accountability placed on organisational leadership. With the mandate for senior executives to oversee cybersecurity measures, laws aim to ensure that cybersecurity is prioritised at the strategic level. This shift in responsibility requires a cultural change within organisations, where cybersecurity is integrated into the core business strategy rather than treated as a peripheral IT issue.

Furthermore, the emphasis on incident reporting and transparency has profound implications for how organisations handle data breaches and cyber incidents. Timely reporting to regulatory authorities and affected parties is not only a legal obligation but also a critical component of maintaining trust and credibility. Organisations must develop clear protocols for incident response and communication to comply with these requirements.

The focus on supply chain security and the resilience of critical infrastructures highlights the interconnected nature of modern digital ecosystems. Cybersecurity cannot be viewed in isolation; it requires an inclusive approach that involves stakeholders across the supply chain. This interconnectedness of services necessitates that organisations conduct thorough assessments of their third-party relationships and implement stringent security controls to mitigate risks.

The European Union (EU) has implemented a series of directives and regulations aimed at enhancing the security of its digital market.

One of the cornerstone laws in the EU's cybersecurity framework is the Network and Information Security Directive (NIS2). The NIS2 Directive applies to companies in sectors deemed critical and listed in Annexes I and II of the Directive, including digital infrastructure and certain manufacturing industries. Specifically, it affects entities such as internet node operators, DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, and providers of publicly accessible electronic communication services. Digital service providers such as online search engines, online marketplaces, and social networks are also covered, as are manufacturers of electrical equipment, data processing devices, and medical devices, and those in the machinery and automotive industries. The Directive sets out obligations for essential and important entities, such as digital service providers and operators of critical infrastructure, to implement risk management measures, conduct regular cybersecurity audits, and report significant incidents to national authorities. By holding management bodies accountable for compliance, NIS2 ensures that cybersecurity is prioritised at the highest levels of organisational leadership.

In addition to NIS2, the EU has introduced the Digital Operational Resilience Act (DORA), which targets the financial sector. The regulation addresses the critical role of information and communication technologies (ICT) in the financial sector, the vulnerabilities to cyber threats, and the dependencies on external service providers. DORA requires financial entities and critical ICT providers to establish comprehensive ICT risk management frameworks and mandates regular testing of digital operational resilience. This framework should address ICT risks and ensure high digital operational resilience. It must include strategies, policies, procedures, protocols, and applications necessary to protect all information and ICT assets. The principle of proportionality and a risk-based approach are emphasised in DORA, requiring the framework to be tailored to the company’s processes and technical means. To maintain a high level of protection, financial entities must continuously test their digital operational stability. They must develop a programme to assess their defensive readiness, identify vulnerabilities, and implement corrective measures. Tests should be conducted by independent internal or external parties, with sufficient resources provided to avoid conflicts of interest.

The Cyber Resilience Act (CRA) further complements the EU’s cybersecurity framework by addressing the security of products with digital elements. The CRA imposes life cycle security obligations on manufacturers, importers, and distributors, requiring them to conduct cyber-risk assessments, manage vulnerabilities, and report security incidents to the European Union Agency for Cybersecurity (ENISA) within specified timeframes. By focusing on the security of digital products, the CRA aims to mitigate vulnerabilities and enhance user trust in the digital marketplace. The draft CRA complements other legislation like NIS2. It applies to all products connected to other devices or networks, with some exclusions such as open-source software and certain regulated services (eg, medical devices, aviation, and cars).

One of the key challenges in cybersecurity regulation is the harmonisation of standards across jurisdictions. While the EU has made strides in creating a unified cybersecurity framework, achieving global consensus remains a complex task. Differences in legal systems, regulatory approaches, and levels of technological development can hinder efforts to establish common standards. However, international co-operation and dialogue are essential to overcoming these barriers and creating a cohesive global cybersecurity strategy.

Another challenge lies in the integration of emerging technologies, such as artificial intelligence (AI) and the Internet of Things (IoT), into existing cybersecurity frameworks. These technologies offer tremendous potential for innovation but also introduce new vulnerabilities that must be addressed. The EU’s AI Act, for example, sets standards for the design and operation of AI systems to ensure they are resilient to errors and secure against unauthorised alterations. As technology continues to evolve, legal frameworks must be adaptable to accommodate new developments and address emerging threats.

Public-private partnerships also play a crucial role in enhancing cybersecurity. By collaborating with private sector entities, governments can leverage the expertise, resources, and innovation of industry leaders to strengthen cybersecurity defences. These partnerships facilitate the sharing of best practices, threat intelligence, and technical expertise, leading to more resilient digital infrastructures.

In the EU, initiatives such as the European Cybersecurity Organisation (ECSO) and the European Cybersecurity Competence Centre (ECCC) exemplify the importance of public-private collaboration. These organisations bring together stakeholders from government, industry, and academia to promote research, innovation, and capacity building in cybersecurity. By fostering a collaborative approach, the EU aims to create a secure digital environment that supports economic growth and protects citizens’ rights.

For legal professionals, navigating the complexities of cybersecurity law requires a deep understanding of both the regulatory landscape and the technical aspects of cybersecurity. The path forward involves balancing innovation with regulation, ensuring that legal frameworks are both comprehensive and adaptable to emerging threats. By focusing on the implications of recent regulations and adopting forward-thinking strategies, governments and organisations can enhance their cybersecurity defences and protect their digital assets.
