Managed Security Services (MSS) - EUMSS Certification Scheme
DATE OF UPDATE: 25 June 2025
CURRENT STATUS
The European Union Agency for Cybersecurity (ENISA) will establish an Ad Hoc Working Group to support the preparation of a candidate EUMSS certification scheme.
It will address current diversity and fragmentation in the approach and requirements that apply to the delivery of MSS in EU Member States, supporting and aligning with provisions of the dedicated amendment to the Cybersecurity Act (for Managed Security Services).
ENISA is inviting experts with extensive knowledge and experience in the areas of cybersecurity certification to participate in the relevant Ad Hoc Working Group.
WHY IS THIS APPLICABLE TO CLIENTS?
The development of trusted services based on a common approach is seen as an “advancement in effectively ensuring quality and building trust towards digital products and services within the Union.”
European Internal Security Strategy (Protect EU) - Encryption
CURRENT STATUS
The Centre for Democracy & Technology Europe, alongside 88 civil society organisations, companies, and cybersecurity experts published a joint letter to the European Commission.
The letter raises urgent concerns about the potential impact of the European Internal Security Strategy (Protect EU) (Strategy) on the future of end-to-end encryption in Europe.
The Strategy, announced in April, is designed to support Member States (MSs) and bolster the EU's security for its citizens.
WHY IS THIS APPLICABLE TO CLIENTS?
The Strategy contains several initiatives to foster a change of culture on internal security, with a whole-of-society approach involving citizens, businesses, researchers, and civil society.
It requires MSs to fully implement the Critical Entities Resilience Directive (Directive (EU) 2022/2557) and the NIS 2 Directive (Directive (EU) 2022/2555), proposes a new Cybersecurity Act, and new measures to secure cloud and telecom services and developing technological sovereignty.
NEXT STEPS
The letter calls on the Commission to recognise strong encryption as a critical pillar of Europe’s cybersecurity strategy, reframe its approach to the encryption roadmap, and involve a diverse set of experts and civil society voices in shaping future policy.
NIS2 Directive - Guidance
DATE OF UPDATE: 15 May 2025
CURRENT STATUS
ENISA has published a Handbook for Cyber Stress Tests. It has been developed as guidance for national or sectoral authorities overseeing cybersecurity and resilience of critical sectors, at the national level, regional or EU level, under the NIS 2 Directive (and possibly also the Digital Operational Resilience Act or the Critical Entities Resilience Directive).
WHY IS THIS APPLICABLE TO CLIENTS?
According to ENISA cyber stress tests are becoming a new lightweight and targeted mechanism for assessing critical sector resilience. For clients within scope of NIS 2, the handbook will offer an insight into how cyber stress tests might be conducted by the National Cyber Security Centre.
NIS2 Directive - European Vulnerability Database
DATE OF UPDATE: 13 May 2025
CURRENT STATUS
ENISA has developed the European Vulnerability Database - EUVD as provided for by the NIS2 Directive.
WHY IS THIS APPLICABLE TO CLIENTS?
The database is accessible to the public at large to obtain information related to vulnerabilities impacting IT products and services. It is also addressed to suppliers of network and information systems and entities using their services.
NIS2 Directive - Transposition
DATE OF UPDATE: 7 May 2025
IMPLEMENTATION/ DEADLINE DATE:
Member States had to transpose the NIS2 Directive into national law by 17 October 2024.
CURRENT STATUS
The European Commission decided to send a reasoned opinion to 19 Member States, to include Ireland, for failing to notify full transposition of the NIS2 Directive.
The legislation is required to: designate certain sectoral regulators as the competent authorities for the purpose of implementing NIS2; establish offences and fines at national level (which could be up to 1.4% of total annual worldwide turnover or 7 million euro or 2% of total annual worldwide turnover or 10 million euro); establish a register of entities which are within the scope of the proposed legislation; and establish the basis for issuing penalties (including in respect of the personal liability of management bodies).
WHY IS THIS APPLICABLE TO CLIENTS?
By now, organisations within the critical sectors identified in the NIS 2 Directive will have ascertained whether their activities fall within the scope of the Directive. If they do, those entities will next identify whether they constitute an “important” entity or an “essential” entity and implement appropriate compliance measures.
NEXT STEPS
To date, the Irish government has published the General Scheme for the National Cyber Security Bill 2024 to transpose the NIS 2 Directive but has not, as of June 2025, introduced it to the legislative process in the form of Cyber Security Bill.
Cybersecurity Act - Consultation
CURRENT STATUS
The European Commission has launched a consultation on revising the Cybersecurity Act (Regulation (EU) 2019/881) following its commitment to simplifying rules.
WHY IS THIS APPLICABLE TO CLIENTS?
The Cybersecurity Act provides for a strengthened agency for Cybersecurity (ENISA) and a framework for voluntary European cybersecurity certification schemes for information and communications technology products, services and processes. Simplification of the legislation might be of benefit for product and service providers within its scope.
European Internal Security Strategy
DATE OF UPDATE: 1 April 2025
CURRENT STATUS
The European Commission presented ProtectEU – a European Internal Security Strategy to support Member States and bolster the EU's security for its citizens.
WHY IS THIS APPLICABLE TO CLIENTS?
Under the Strategy, Member States are required to fully implement the Critical Entities Resilience Directive and NIS2 Directive.
A new Cybersecurity Act and new measures are planned to secure cloud and telecom services and develop technological sovereignty.
Find out more: