Cybersecurity
EU Cybersecurity Strategy
Within the EU legal framework, cybersecurity is defined as measures to protect network and information systems, users of such systems, and other affected individuals from cyber threats. This includes protection against the disclosure, theft, or damage of hardware, software, or electronic data, as well as safeguarding against disruptions or misdirection of the services provided.
The EU-level Cybersecurity Strategy, launched as part of the EU’s Digital Decade legislation, includes the following legislative acts and initiatives:
Indirect application. Even where these acts are not directly aimed at suppliers, they often apply indirectly to suppliers of the covered entities. If a supplier does not meet the required cybersecurity measures, the covered entity may be unable to use that supplier without violating its own obligations.
Digital Omnibus
In November 2025, the European Commission published a proposal for a Regulation as regards the simplification of the digital legislative framework (the “Digital Omnibus”).
The proposal amends NIS2, DORA, eIDAS and the CER Directive to introduce a mandatory single-entry point (SEP) for incident and cyber-threat reporting in the EU. The SEP is developed, operated and secured by ENISA, which must establish technical, operational and organisational specifications ensuring interoperability with existing national and EU reporting systems, support for machine-readable formats and APIs, and the ability for entities to retrieve or supplement previous submissions. A single notification may be used to fulfil multiple reporting obligations across the amended legal acts.
ENISA must pilot the SEP for each legal act, after which the Commission must confirm its proper functioning before it can be used. If deficiencies are identified, ENISA must apply corrective measures.
Use of the SEP becomes mandatory across several frameworks, including:
– NIS2 (significant-incident reporting and alignment with CRA notifications),
– eIDAS (qualified trust service incident reporting),
– DORA (major ICT incidents and voluntary cyber-threat notifications), and
– CER Directive (incident notifications by critical entities).
Read more about these regulations
Snellman Digital Compliance Tracker
- Cyber Resilience Act
- NIS 2 Directive
- Resilience of Critical Entities Directive (CER)
- Digital Operational Resilience Act (DORA)
- Cybersecurity Act
- Cyber Solidarity Act