Skip to content

EU cybersecurity: strategy and key policies

Digitalisation brings opportunities, but also cyberthreats. To counter these, the EU has developed a cybersecurity strategy and has launched initiatives to strengthen security and resilience.

The EU cybersecurity strategy

In October 2020, EU leaders called on member states to:

  • protect the EU against cyber threats
  • provide for a secure communication environment, including through quantum encryption
  • ensure access to data for judicial and law enforcement purposes

The call on member states was made because a stronger cybersecurity response to build an open and secure cyberspace can lead to citizens having greater trust in digital tools and services. Cybersecurity protects network and information systems, the users of such systems and other persons affected by cyber threats.

In December 2020, the European Commission and the European External Action Service (EEAS) presented a new EU cybersecurity strategy. The goal is to strengthen Europe’s resilience against cyber threats and to ensure that all citizens and businesses benefit fully from trustworthy and reliable services and digital tools.

On 22 March 2021, the Council adopted conclusions on the cybersecurity strategy, underlining that cybersecurity is essential for building a resilient, green and digital Europe. EU ministers set the key objective of achieving strategic autonomy while preserving an open economy. This includes reinforcing the ability to make autonomous choices in the area of cybersecurity, while strengthening the EU's digital leadership and strategic capacities.

Key EU cybersecurity policies

Cyber blueprint

The Council adopted an EU blueprint on cybersecurity crisis management on 6 June 2025. 

The blueprint provides a comprehensive and detailed framework for managing cyber crises at the EU level, building on the 2017 Cybersecurity Blueprint. 

The cyber blueprint aims to:

  • ensure an effective and efficient response to large-scale cyber incidents
  • foster a more structured cooperation between civilian and military actors
  • explain what a cyber crisis is and what triggers a cyber crisis mechanism

EU cyber solidarity act

On 2 December 2024, the Council adopted the cyber solidarity act. This regulation establishes EU-wide capabilities to make Europe more resilient and reactive in the face of cyber threats, while strengthening cooperation mechanisms.

The new rules:

  • establish a cyber security alert system’, a pan-European infrastructure composed of national and cross-border cyber hubs in charge of supporting the detection of cyber threats and incidents
  • provide for the creation of cybersecurity emergency mechanism to bolster preparedness and protect critical entities and essential services, such as hospitals and public utilities
  • strengthen solidarity at EU level, concerted crisis management and response capabilities across member states
  • contribute to ensuring a safe and secure digital landscape for citizens and businesses

The cyber solidarity act entered into force on 4 February 2025.

EU cybersecurity act

The EU cybersecurity act was adopted by the Council in April 2019 and introduced:

  • an EU-wide certification scheme 
  • a permanent and stronger mandate for the EU agency for cybersecurity (ENISA)

European certification schemes

Previously, EU countries’ used different cybersecurity certification schemes for information and communication technologies (ICT) products, leading to market fragmentation and regulatory barriers. With the cybersecurity act, the EU introduced a single EU-wide certification framework 
which aim to:

  • build trust
  • increase the growth of the cybersecurity market
  • facilitate trade across the EU

The framework provides a comprehensive set of rules, technical requirements, standards and procedures. 

In December 2024, the EU adopted a targeted amendment to the cybersecurity act to enable the establishment of EU certification schemes for ‘managed security services’, like incident handling, penetration testing, security audits, and consulting related to technical support.

EU agency for cybersecurity

The EU agency for cybersecurity (ENISA), based in Athens, Greece, works to achieve a high common level of cybersecurity across the EU. It supports member states, EU institutions and other stakeholders in improving cybersecurity and dealing with cyberattacks. 

ENISA was established in 2004 and was strengthened by the EU cybersecurity act, which gave it a permanent mandate, more resources and an expanded role. 

In December 2024, the Council approved conclusions containing a series of recommendations and suggestions for a stronger EU agency for cybersecurity.

EU cyber resilience act

Adopted by the Council on 10 October 2024, the cyber resilience act establishes cybersecurity requirements for products with digital elements connected to the internet or to other devices. This ensures that products such as connected home cameras, fridges, TVs and toys are safe before being placed on the market and throughout their lifecycle.

The law also improves consumer transparency, allowing individuals to access information about the cybersecurity of the products they buy and use.

Network and information systems directive

The directive on the security of network and information systems (NIS) was the first ever EU-wide legislation aiming to increase cooperation between member states in cybersecurity. Introduced in 2016, It laid down security obligations for operators of essential services (in critical sectors such as energy, transport, health and finance) and for digital service providers (online marketplaces, search engines and cloud services).

In 2022, the EU adopted a revised NIS directive (NIS2) to replace the 2016 directive. The new rules ensure a high common level of cybersecurity across the Union in response to the evolving threat landscape and take into account the digital transformation, which has been accelerated by the COVID-19 pandemic.

The NIS2 directive:

  • sets new minimum rules for a regulatory framework
  • lays down mechanisms for effective cooperation between the relevant authorities in each EU country
  • updates the list of sectors and activities subject to cybersecurity obligations
  • handling cybersecurity incidents

 Member states had until October 2024 to fully transpose and implement NIS2.

EU toolbox on 5G networks

5G networks are crucial not only for digital communication, but also for critical sectors such as energy, transport, banking and health. 

5G is also a key asset for enabling Europe to compete in the global market, and its cybersecurity is crucial for ensuring the strategic autonomy of the Union.

In January 2020, the EU agreed on a toolbox to identify a possible common set of measures to mitigate the main cybersecurity risks of 5G networks and to provide guidance.

Funding and research

The EU is acting on several fronts to enhance cyber resilience, protect communications and data, and secure our online society and economy. This includes supporting research and increasing funding for innovation in cybersecurity.

Digital Europe

Under the Digital Europe Programme for the period 2021-2027, the EU has committed to investing €1.6 billion in cybersecurity capacity and the wide deployment of cybersecurity infrastructure and tools across the EU, for public administrations, businesses and individuals.

Horizon Europe

Finding innovative solutions that can protect us against the latest, most advanced cyber threats is crucial. For this reason, cybersecurity is an important part of the EU research and innovation funding framework programmes Horizon 2020 and its successor Horizon Europe. In May 2020, the EU committed €49 million to boosting innovation in cybersecurity and privacy systems.

Digital decade programme 2030

Digital security relies on having enough experts with the right skills. Currently, there is a significant shortage, so the EU is actively investing in cybersecurity skills development.

The digital decade programme 2030 supports investments in key areas such as high-performance computing, common data infrastructure and services, blockchain, low-power processors, the pan-European rollout of 5G corridors, high-tech partnerships for digital skills, secure quantum infrastructure, a network of cybersecurity centres, digital public administration, testing facilities, and digital innovation hubs.

'Path to the Digital Decade': the EU's plan to achieve a digital Europe by 2030

'Path to the Digital Decade': the EU's plan to achieve a digital Europe by 2030

Cybersecurity competence centre

In April 2021, the Council adopted the regulation establishing the European Cybersecurity Industrial, Technology and Research Competence Centre in Bucharest, Romania, backed by a network of national coordination centres. 

The centre aims to:

  • further improve cyber resilience
  • contribute to deployment of the latest cybersecurity technology
  • support cybersecurity start-ups and SMEs
  • enhance cybersecurity research and innovation
  • contribute to closing the cybersecurity skills gap
Cybersecurity

Cybersecurity

How the EU combats cybercrime

How the EU combats cybercrime

Cyber threats in the EU: facts and figures

Cyber threats in the EU: facts and figures