Last June, EU citizens were called to participate in the election of 720 members of the new European Parliament. After the elections, the Members of the European Parliament assessed the candidates and voted for the new European Commission and its President. Through this new administration, legislative priorities for regulating the evolving digital landscape are expected to be implemented.

One of the main areas of focus will be the adoption and enforcement of new legislation under the EU’s data strategy. This includes significant acts such as the Artificial Intelligence Act (AI Act), the Data Governance Act (DGA), the Digital Services Act (DSA), and the critically important NIS2 Directive for networks and information systems. Each of these legislative frameworks aims to give information security and privacy professionals a comprehensive framework for managing data in a way that supports both security and innovation.

Securing the EU's Cyberspace and Defining Legislative Priorities


Artificial Intelligence Act: A Landmark Regulation
A cornerstone of the EU's digital strategy is the AI Act. This regulation establishes a comprehensive legal and regulatory framework for AI within the EU and aims to promote AI development, marketing, and use in alignment with EU values. It emphasizes ensuring human-centric and trustworthy AI, with a high level of protection for health, safety, fundamental rights, democracy, the rule of law, and environmental protection. It directly involves providers, importers, and distributors of AI systems or general-purpose AI models. The Act will come into effect on August 1, 2024, with its provisions being gradually enforced over the next 6 to 36 months. This legislation represents a significant step toward establishing a unified approach, ensuring that AI technologies developed and used in the EU are safe, ethical, and aligned with core values.

 

Data Governance Act: Facilitating Data Sharing and Usage
The DGA aims to promote and facilitate data sharing within the European Economic Area. Its primary goal is to ensure legality in the distribution of value derived from data, while also fostering a competitive market, creating opportunities for innovation, and making data more accessible to all users. The DGA applies to manufacturers of connected devices, suppliers of related services, and their users. It also covers, among others, data holders and recipients. In doing so, it seeks to establish a robust framework that supports data sharing, driving innovative economic development.

Digital Services Act: Modernizing Digital Regulations
The DSA is one of the key regulations in EU law. It is designed to update the 2000 E-Commerce Directive. It aims to harmonize the conditions for providing intermediary services and increase transparency requirements for online intermediaries. The DSA applies (with exceptions) to internet access providers, domain name registrars, cloud services, web hosting services, a range of online marketplaces, social networks, and other platforms that reach more than 10% of EU consumers.

Strengthening Cybersecurity Resilience

The NIS2 Directive represents the most significant advancement in the EU’s efforts to strengthen cybersecurity. Building on the original NIS Directive adopted in 2016, NIS2 aims to further improve resilience and incident response capabilities across the EU, in both the public and private sectors. This is achieved through a combination of risk management measures and mandatory reporting requirements.

One of the most important changes introduced by NIS2 is the redefinition of covered entities, which will increase the number of critical and important infrastructures in Cyprus from 70 to 700 under the new directive. This provision also broadens the list of sectors and activities subject to EU-level cybersecurity legal obligations, safeguarding medium and large entities that now fall under the new scope. NIS2 also modifies breach notification requirements while introducing voluntary coordinated vulnerability disclosures for entities within its scope. These changes are designed to enhance transparency and improve the overall security posture of covered entities.

All of the above highlight the urgent need for the new European Commission and EU legislative bodies to finalize discussions and swiftly implement these critical regulations. Moving into 2025, the Digital Operational Resilience Act (DORA) is expected to come into force on January 17, while the full implementation of the Data Act is anticipated by September 12, 2025. By early 2026, the AI Act is set to be fully operational, followed by the e-Evidence regulation, which will take effect on August 18, 2026.

The EU Strengthens Cybersecurity

As the EU continues to navigate the complexities of cybersecurity, a proactive and holistic approach is essential. By aiming to reduce cyber threats through information sharing, implementing measures, and enhancing security, the EU can significantly strengthen its stance. The NIS2 Directive now plays a critical role in this strategy, improving the EU's resilience and incident response capabilities. With its expanded scope and stringent compliance requirements, NIS2 ensures that the EU remains at the forefront of digital innovation and security, creating a safer and more resilient digital environment for all its citizens.


Pangratios Vanezis

Board Member

Head of Enterprise & Startups

KPMG Limited

Andreas Ioannou

Senior Manager

IT Audit

KPMG Limited
