Timeline - cybersecurity
-
2025
-
6 June Blueprint for cyber crisis management adopted
On 6 June 2025 ministers adopted the EU blueprint for cyber crisis management, which offers guidance regarding the EU’s response to large-scale cybersecurity incidents or cyber crises.
-
2024
-
2 December Cyber solidarity act adopted
On 2 December 2024, ministers adopted the cyber solidarity act. The new rules aim to strengthen the EU’s solidarity and capacities to detect, prepare for and respond to cybersecurity threats and incidents and to enhance its cyber resilience.
-
10 October EU adopts cyber resilience act
The Council adopted a new law on cybersecurity requirements for products with digital elements with a view to ensuring that products, such as connected home cameras, fridges, TVs, and toys, are safe before they are placed on the market.
-
24 June EU adopts new sanctions against cyber-attacks
The Council adopted sanctions against six individuals involved in cyber-attacks affecting information systems related to critical infrastructure, critical state functions, the storage or processing of classified information and government emergency response teams in member states.
Sanctioned people include members of the Callisto, Armageddon and Wizard Spider groups.
-
2023
-
19 July Council's common position on cyber resilience act
Member states’ representatives (Coreper) reached a common position on the proposed legislation regarding horizontal cybersecurity requirements for products with digital elements (cyber resilience act).
The proposed new rules wants to ensure that products with digital components, such as connected home cameras, smart fridges, TVs, and toys, are safe before entering the EU single market.
-
26 June Provisional deal on cybersecurity in EU bodies
The Council of the EU and the European Parliament have struck a provisional deal on a common framework for cybersecurity at the EU institutions, bodies, offices and agencies.
The deal will help improve their resilience and incident-response capacities, and ensure common standards and cooperation.
Next, the deal will be finalised at technical level and then sent to EU ambassadors for confirmation. Once confirmed in both the Council and the Parliament, both institutions will formally adopt it.
-
23 May Council adopts conclusions on the EU policy on cyber defence
With cyberspace as a field for strategic competition, risks for EU security and defence increase at a time of growing geopolitical tensions and dependence on digital technologies.
The Council conclusions on cyber defence stress the need for the EU and its member states to:
- further strengthen their resilience to face cyber threats
- increase its common cyber security and cyber defence against malicious behaviour and acts of aggression in cyberspace
-
2022
-
28 November Council adopts new legislation on cybersecurity and resilience (NIS2)
The Council adopted legislation for a high common level of cybersecurity across the Union, to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole.
The new directive, called ‘NIS2’, will replace the current directive on security of network and information systems (the NIS directive).
-
18 November Cybersecurity at the EU institutions, bodies, offices and agencies: Council adopts its position
The Council has adopted its position on a common framework for cybersecurity at EU institutions, bodies, offices and agencies.
Against the backdrop of increased numbers of sophisticated cyberattacks against the EU public administration, in March 2022 the European Commission proposed measures aimed at ensuring a high common level of cybersecurity.
By creating a common framework, these measures set out to improve the resilience and incident response capacities of all EU entities and to address differences in their approach.
Following the Council’s adoption of its position, the next step will be to start negotiations with the European Parliament, once the Parliament has voted on its negotiation mandate.
-
17 October Council adopts conclusions on ICT supply chain security
The Council adopted conclusions calling for stronger security of the EU's information and communication technologies (ICT) supply chains. The conclusions also address dependencies in ICT supply chains. The call for action is even more urgent in the context of Russia's aggression to Ukraine.
In the conclusions, the Council calls for adjustments to public procurement or foreign direct investment screening frameworks, including cybersecurity-related selection criteria. Member states invited the Commission to issue methodological guidelines to encourage contracting authorities to put appropriate focus on the cybersecurity practices of tenderers and their subcontractors.
The conclusions identify existing and upcoming cyber-specific legislation that can also contribute to ICT supply chain security:
- the reviewed Network Information Security (NIS2) directive
- certification schemes issued within the framework set out by the Cybersecurity Act
- the Cyber Resilience Act proposal
The conclusions further suggest using supporting mechanisms for financing secure digital infrastructure building, enhancing common understanding and awareness, and deepening international cooperation to increase ICT supply chain security in the EU and beyond.
-
21 June Council adopts conclusions on a framework for a coordinated EU response to hybrid campaigns
In the context of the Russian aggression in Ukraine and following the endorsement of the Strategic Compass by the European Council on 24 and 25 March, the Council of the EU reiterated in its conclusions the importance of developing an EU Hybrid Toolbox.
This toolbox introduces the framework for a coordinated response to hybrid threats and campaigns affecting the EU and its partners. It brings together all relevant actors, policies and instruments to counter the impact of hybrid threats in a more coordinated manner.
The Council reiterated that primary responsibility for countering hybrid threats lies with member states and stressed that decisions on a coordinated EU response to hybrid campaigns should:
- serve to protect democracy and international law
- serve to achieve the objectives of the Union
- be proportionate to each campaign
- have a situational awareness
- take into account the broader context
- respect international law and protect fundamental rights and freedoms
-
23 May Cyberspace: Council agrees to strengthen EU cybersecurity and prevent cyberattacks
The Council approved conclusions on developing the EU’s cyber posture, which concerns the overall cybersecurity strength and resilience in relation to cyber threats.
By developing the cyber posture, the EU can better counter offensive cyber activities that target the EU and its member states. The aim is to provide both immediate and long-term responses to actors seeking to deny the EU a secure and open access to cyberspace, including by preventing, discouraging and deterring threats while also improving cyber capabilities.
The conclusions stem from several EU laws and policies, including the Strategic Compass, the EU’s action plan to strengthen its security and defence policy by 2030.
-
16 May Cyberattacks: Council extends sanctions regime
The Council decided to prolong the framework for restrictive measures against cyberattacks threatening the EU and its member states for a further three years, until 18 May 2025.
This framework allows the EU to impose targeted restrictive measures on persons or entities involved in cyber-attacks which cause a significant impact, and constitute an external threat to the EU or its member states.
-
13 May Strengthening EU-wide cybersecurity and resilience – deal on the NIS 2 directive
The Council and the European Parliament reached a provisional agreement on measures for a high common level of cybersecurity across the Union, to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole.
Once adopted, the new directive, called ‘NIS2’, will replace the current directive on security of network and information systems (the NIS directive).
The new legislation will:
- ensure stronger risk and incident management and cooperation
- widen the scope of rules
-
11 May Digital Operational Resilience Act (DORA): provisional agreement reached
The Council and the European Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA), which will make sure the financial sector in Europe is able to maintain resilient operations through a severe operational disruption.
DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.
The EU is strengthening the IT security of financial entities such as banks, insurance companies and investment firms, given the ever-increasing risks of cyber attacks.
-
8-9 March EU ministers united in strengthening cyber resilience in the EU
EU ministers responsible for telecommunications and digital affairs met on 8 and 9 March 2022 at an informal meeting organised by the French presidency of the Council.
Ministers called for bolstering and accelerating the pace of European cooperation in the area of cybersecurity, following an increase in cyber threat levels, worsened by the situation in Ukraine and the risk of cyber incidents within the EU. They also called for more information on risks threatening European communications networks and infrastructure, and for recommendations on how to strengthen their resilience.
The 27 ministers adopted a political declaration intended to boost the EU’s cybersecurity capabilities.
-
2021
-
3 December Council agrees its position on new cybersecurity directive
During the December Telecommunications Council, EU ministers agreed a ‘general approach’ on measures for a high common level of cybersecurity across the EU under the so-called ‘NIS2’ directive.
The aim of the legislation is to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole. It aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states.
-
19 October Council adopts conclusions on exploring the potential of a joint cyber unit
The Council adopted conclusions inviting the EU and member states to further develop the EU cybersecurity crisis management framework, including by exploring the potential of a joint cyber unit.
In its conclusions, the Council emphasises the need to consolidate existing networks and to establish a mapping of possible information sharing gaps and needs within and across cyber communities. This should subsequently lead to an agreement on possible primary objectives and priorities of a potential joint cyber unit.
-
17 May Cyberattacks: Council prolongs framework for sanctions for another year
The Council decided to prolong the framework for restrictive measures against cyberattacks threatening the EU or its member states for another year, until 18 May 2022.
This framework allows the EU to impose targeted restrictive measures on persons or entities involved in cyberattacks which cause a significant impact, and constitute an external threat to the EU or its member states.
Restrictive measures can also be imposed in response to cyberattacks against third states or international organisations where such measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy (CFSP).
-
29 April Combating child abuse online – informal deal with European Parliament on temporary rules
The negotiators from the Council and the European Parliament reached a provisional agreement on a temporary measure to allow providers of electronic communications services such as web-based email and messaging services to continue to detect, remove and report child sexual abuse online, also covering anti-grooming, until permanent legislation announced by the European Commission is in place.
The agreement provides for a derogation to articles 5(1) and 6(1) of the ePrivacy directive and it is subject to approval by the Council.
-
20 April Bucharest-based Cybersecurity Competence Centre gets green light from Council
The EU is set to boost the security of the internet and other critical network and information systems by establishing a Cybersecurity Competence Centre to pool investment in cybersecurity research, technology and industrial development. The new body, to be based in Bucharest, Romania, will in particular channel cybersecurity-related funding from Horizon Europe and the Digital Europe Programme.
This 'European Cybersecurity Industrial, Technology and Research Competence Centre' will work together with a network of national coordination centres designated by member states.
The Council adopted the regulation establishing the Centre and the network n 20 April 2021. This will be followed by a final adoption by the European Parliament.
-
22 March Council adopts conclusions on the EU's cybersecurity strategy
The Council adopted conclusions on the EU's cybersecurity strategy for the digital decade. This strategy was presented by the European Commission and the EU High Representative for Foreign Affairs and Security Policy in December 2020. It outlines the framework for EU action to protect EU citizens and businesses from cyber threats, promote secure information systems and protect a global, open, free and secure cyberspace.
The conclusions note that cybersecurity is essential for building a resilient, green and digital Europe. They set as a key objective achieving strategic autonomy while preserving an open economy. This includes reinforcing the ability to make autonomous choices in the area of cybersecurity, with the aim to strengthen the EU's digital leadership and strategic capacities.
-
2020
-
15 December Council calls for strengthening resilience and countering hybrid threats, including disinformation
The Council adopted conclusions which call for further enhanced responses at EU level to counter hybrid threats, including disinformation, and strengthening resilience. The Council noted that new technologies and crises, such as the ongoing pandemic, offer opportunities for hostile actors to expand their interference activities. These pose an additional challenge for the member states and the EU institutions, besides the crisis itself.
The Council acknowledged that the COVID-19 pandemic makes the EU and its member states more vulnerable to hybrid threats. Such threats include the increased spread of disinformation and manipulative interference. Addressing such threats, in particular malicious cyber activities, disinformation and threats to economic security, requires a comprehensive approach involving effective cooperation and coordination.
-
11 December Provisional agreement on the EU Cybersecurity Competence Centre
The Council and the European Parliament reached a provisional agreement on a proposal to set up the European Cybersecurity Industrial, Technology and Research Competence Centre and a network of national coordination centres.
Together, these structures will help secure the digital single market, including in areas such as e-commerce, smart mobility and the Internet of Things, and increase the EU's autonomy in the area of cybersecurity.
-
9 December Bucharest will host the seat of the new European Cybersecurity Competence Centre
Bucharest (Romania) was selected by representatives of the governments of the EU member states as the prospective seat of the new European Cybersecurity Industrial, Technology and Research Competence Centre.
The Cybersecurity Competence Centre will improve the coordination of research and innovation in cybersecurity in the EU. It will also be the EU's main instrument for pooling investment in cybersecurity research, technology and industrial development.
How the seat of the Cybersecurity Industrial, Technology and Research Competence Centre will be selected (infographic)How the seat of the Cybersecurity Industrial, Technology and Research Competence Centre will be selected (infographic)
-
2 December Cybersecurity of connected devices – Council adopts conclusions
The Council approved conclusions that acknowledge the increased use of consumer products and industrial devices connected to the internet and the related new risks for privacy, information security and cybersecurity.
The conclusions underline the importance of assessing the need for horizontal legislation in the long term to address all relevant aspects of the cybersecurity of connected devices, such as availability, integrity and confidentiality.
Connected devices, including machines, sensors and networks that make up the Internet of Things (IoT), will play a key role in further shaping Europe’s digital future, and so will their security.
-
30 July EU imposes the first ever sanctions against cyber-attacks
The Council decided to impose restrictive measures against six individuals and three entities responsible for or involved in various cyber-attacks. The sanctions imposed include a travel ban and an asset freeze, while EU persons and entities are forbidden from making funds available to those listed.
-
9 June Council conclusions: shaping Europe’s digital future
The Council adopted conclusions addressing a wide range of issues related to the implementation of the EU digital strategy. The text highlights the impact of the digital transformation on fighting the pandemic, and its critical role in the post-COVID-19 recovery.
In relation to cybersecurity, as cyber threats and crimes are increasing in number and sophistication, EU ministers aim to improve the EU's response capabilities and safeguard the integrity, security and resilience of digital infrastructure, communication networks and services. The EU also supports the need for a coordinated approach to mitigate risks related to cybersecurity and to ensure a secure 5G deployment.
-
5 June Mandate on cybersecurity centres and state of play of 5G networks
A new mandate for negotiations with the European Parliament was agreed by Coreper on 3 June 2020 concerning the proposed regulation establishing the European Cybersecurity Competence Centre and the Network of Coordination Centres. The next step is for the Croatian presidency to contact the Parliament’s main negotiator to explore the possibility of organising a trilogue meeting.
The presidency also presented the state of play of the implementation of the EU toolbox on security of 5G networks.
-
2019
-
3 December Significance and security risks of 5G technology: Council adopts conclusions
The Council's 5G-related conclusions referred to the implications on European economy and the need to mitigate security risks.
EU ministers stressed that 5G networks will form a part of crucial infrastructure for the maintenance of vital societal and economic functions.
-
17 May Cyber-attacks: Council is now able to impose sanctions
The Council established a framework which allows the EU to impose targeted restrictive measures to deter and respond to cyber-attacks which constitute an external threat to the EU or its member states.
More specifically, this decision allows the EU for the first time to sanction persons or entities that:
- are responsible for cyber-attacks or attempted cyber-attacks
- provide financial, technical or material support for such attacks
- are involved in other ways
Sanctions may also be imposed on persons or entities associated with them.
This framework also applies to cyber-attacks against non-EU states or international organisations where restrictive measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy (CFSP).
The EU and its member states are getting ready to be more resistant and to respond to cyber-attacks -
9 April Council adopts Cybersecurity Act
On 9 April 2019, the Council adopted the regulation also known as the Cybersecurity Act which introduces:
- a system of EU-wide certification schemes
- an EU cybersecurity agency to take over from the current European Union Agency for Network and Information Security (ENISA)
-
13 March Pooling cybersecurity expertise: Council to start negotiations with European Parliament
EU ambassadors granted the Council presidency a mandate to start talks with the European Parliament on pooling cybersecurity expertise.
The negotiations will focus on two initiatives:
- establishing a top knowledge base for cybersecurity, called the European Cybersecurity Industrial, Technology and Research Centre
- setting up a network of national coordination centres
-
2018
-
19 December Cybersecurity Act: EU ambassadors approve proposed regulation
The approval of the proposed Cybersecurity Act will allow the European Union to introduce an EU-wide cybersecurity certification and to consolidate a permanent EU agency for cybersecurity.
A provisional agreement on the new law was reached between the presidency and the European Parliament on 10 December.
The EU-wide cybersecurity certification will soon be available for Internet-connected devices, enabling consumers to make more informed choices and making it easier for companies to market their smart products across Europe.
-
19 November Cyber defence: Council updates policy framework
The EU member states are increasingly cooperating on cyber defence, with a view to strengthening their capacities.
In order to achieve this goal, the Council adopted an updated version of the EU cyber defence policy framework.
The update allows the EU to take account of the changing security challenges since the initial framework was adopted in 2014. It identifies priority areas for cyber defence and clarifies the roles of those involved.
At its last meeting, on 18 October 2018, the European Council called for measures to build strong cybersecurity in the EU.
EU leaders referred in particular to restrictive measures able to respond to and deter cyber-attacks.
EU is building stronger resistance to cyber attacks -
18 October European Council calls for measures to build strong cybersecurity in the EU
EU leaders called for further strengthening of the EU's deterrence, resilience and response to hybrid, cyber as well as chemical, biological, radiological and nuclear (CBRN) threats.
They did so in connection with the cyber-attacks against the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.
The European Council also called for the negotiations on all cybersecurity proposals to be concluded 'before the end of the legislature' - in April 2019.
-
13 September Cybersecurity Act: Council starts negotiations with European Parliament
The Council started negotiations with the European Parliament with a view to reaching an agreement on the Cybersecurity Act by the end of the year. The general approach on this proposal was reached on 8 June.
The Cybersecurity Act is meant to enhance cyber resilience by setting up an EU-wide certification framework for ICT products, services and processes. It would also upgrade the current EU Agency for Network and Information Security (ENISA).
-
16 April Malicious cyber activities: Council adopts conclusions
The Council adopted conclusions on malicious cyber activities, which underline the importance of a global, open, free, stable and secure cyberspace where human rights and fundamental freedoms and the rule of law fully apply.
The Council expressed its serious concern about the increased ability and willingness of non-EU states and non-state actors to pursue their objectives by undertaking malicious cyber activities. The EU will continue to bolster its capabilities to address cyber threats.
-
2017
-
20 December EU institutions strengthen cooperation to counter cyber-attacks
EU institutions took an important step in strengthening their cooperation in the fight against cyber-attacks.
An inter-institutional arrangement established a permanent Computer Emergency Response Team (CERT-EU) covering all the EU's institutions, bodies and agencies.
CERT-EU will ensure a coordinated EU response to cyber-attacks against its institutions.
-
24 October EU ministers agree on cybersecurity action plan
The Council agreed to set up an action plan for the reform of EU cybersecurity.
Ministers stressed that online security is essential for European citizens and businesses.
-
2016
-
9 June Council agrees on next steps to fight criminal activities in cyberspace
EU justice ministers discussed further how to improve criminal justice in cyberspace. They adopted two sets of conclusions which define practical measures to improve cooperation, as well as a timeline for further action.
- conclusions on improving criminal justice in cyberspace
- conclusions on the European judicial cybercrime network
Last review: 6 June 2025