Skip to content

Timeline - cybersecurity

  • 2025

  • 2024

  • 2023

  • 2022

    • 28 November

      Council adopts new legislation on cybersecurity and resilience (NIS2)

      The Council adopted legislation for a high common level of cybersecurity across the Union, to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole.

      The new directive, called ‘NIS2’, will replace the current directive on security of network and information systems (the NIS directive).

    • 18 November

      Cybersecurity at the EU institutions, bodies, offices and agencies: Council adopts its position

      The Council has adopted its position on a common framework for cybersecurity at EU institutions, bodies, offices and agencies.

      Against the backdrop of increased numbers of sophisticated cyberattacks against the EU public administration, in March 2022 the European Commission proposed measures aimed at ensuring a high common level of cybersecurity.

      By creating a common framework, these measures set out to improve the resilience and incident response capacities of all EU entities and to address differences in their approach.

      Following the Council’s adoption of its position, the next step will be to start negotiations with the European Parliament, once the Parliament has voted on its negotiation mandate.

    • 17 October

      Council adopts conclusions on ICT supply chain security

      The Council adopted conclusions calling for stronger security of the EU's information and communication technologies (ICT) supply chains. The conclusions also address dependencies in ICT supply chains. The call for action is even more urgent in the context of Russia's aggression to Ukraine.

      In the conclusions, the Council calls for adjustments to public procurement or foreign direct investment screening frameworks, including cybersecurity-related selection criteria. Member states invited the Commission to issue methodological guidelines to encourage contracting authorities to put appropriate focus on the cybersecurity practices of tenderers and their subcontractors.

      The conclusions identify existing and upcoming cyber-specific legislation that can also contribute to ICT supply chain security:

      • the reviewed Network Information Security (NIS2) directive
      • certification schemes issued within the framework set out by the Cybersecurity Act
      • the Cyber Resilience Act proposal

      The conclusions further suggest using supporting mechanisms for financing secure digital infrastructure building, enhancing common understanding and awareness, and deepening international cooperation to increase ICT supply chain security in the EU and beyond.

    • 21 June

      Council adopts conclusions on a framework for a coordinated EU response to hybrid campaigns

      In the context of the Russian aggression in Ukraine and following the endorsement of the Strategic Compass by the European Council on 24 and 25 March, the Council of the EU reiterated in its conclusions the importance of developing an EU Hybrid Toolbox.

      This toolbox introduces the framework for a coordinated response to hybrid threats and campaigns affecting the EU and its partners. It brings together all relevant actors, policies and instruments to counter the impact of hybrid threats in a more coordinated manner.

      The Council reiterated that primary responsibility for countering hybrid threats lies with member states and stressed that decisions on a coordinated EU response to hybrid campaigns should:

      • serve to protect democracy and international law
      • serve to achieve the objectives of the Union
      • be proportionate to each campaign
      • have a situational awareness
      • take into account the broader context
      • respect international law and protect fundamental rights and freedoms
    • 23 May

      Cyberspace: Council agrees to strengthen EU cybersecurity and prevent cyberattacks

      The Council approved conclusions on developing the EU’s cyber posture, which concerns the overall cybersecurity strength and resilience in relation to cyber threats.

      By developing the cyber posture, the EU can better counter offensive cyber activities that target the EU and its member states. The aim is to provide both immediate and long-term responses to actors seeking to deny the EU a secure and open access to cyberspace, including by preventing, discouraging and deterring threats while also improving cyber capabilities.

      The conclusions stem from several EU laws and policies, including the Strategic Compass, the EU’s action plan to strengthen its security and defence policy by 2030.

    • 16 May

      Cyberattacks: Council extends sanctions regime

      The Council decided to prolong the framework for restrictive measures against cyberattacks threatening the EU and its member states for a further three years, until 18 May 2025.

      This framework allows the EU to impose targeted restrictive measures on persons or entities involved in cyber-attacks which cause a significant impact, and constitute an external threat to the EU or its member states.

    • 13 May

      Strengthening EU-wide cybersecurity and resilience – deal on the NIS 2 directive

      The Council and the European Parliament reached a provisional agreement on measures for a high common level of cybersecurity across the Union, to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole.

      Once adopted, the new directive, called ‘NIS2’, will replace the current directive on security of network and information systems (the NIS directive).

      The new legislation will: 

      • ensure stronger risk and incident management and cooperation
      • widen the scope of rules
    • 11 May

      Digital Operational Resilience Act (DORA): provisional agreement reached

      The Council and the European Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA), which will make sure the financial sector in Europe is able to maintain resilient operations through a severe operational disruption.

      DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.

      The EU is strengthening the IT security of financial entities such as banks, insurance companies and investment firms, given the ever-increasing risks of cyber attacks.

    • 8-9 March

      EU ministers united in strengthening cyber resilience in the EU

      EU ministers responsible for telecommunications and digital affairs met on 8 and 9 March 2022 at an informal meeting organised by the French presidency of the Council.

      Ministers called for bolstering and accelerating the pace of European cooperation in the area of cybersecurity, following an increase in cyber threat levels, worsened by the situation in Ukraine and the risk of cyber incidents within the EU. They also called for more information on risks threatening European communications networks and infrastructure, and for recommendations on how to strengthen their resilience.

      The 27 ministers adopted a political declaration intended to boost the EU’s cybersecurity capabilities. 

  • 2021

    • 3 December

      Council agrees its position on new cybersecurity directive

      During the December Telecommunications Council, EU ministers agreed a ‘general approach’ on measures for a high common level of cybersecurity across the EU under the so-called ‘NIS2’ directive.

      The aim of the legislation is to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole. It aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states. 

    • 19 October

      Council adopts conclusions on exploring the potential of a joint cyber unit

      The Council adopted conclusions inviting the EU and member states to further develop the EU cybersecurity crisis management framework, including by exploring the potential of a joint cyber unit.

      In its conclusions, the Council emphasises the need to consolidate existing networks and to establish a mapping of possible information sharing gaps and needs within and across cyber communities. This should subsequently lead to an agreement on possible primary objectives and priorities of a potential joint cyber unit.

    • 17 May

      Cyberattacks: Council prolongs framework for sanctions for another year

      The Council decided to prolong the framework for restrictive measures against cyberattacks threatening the EU or its member states for another year, until 18 May 2022.

      This framework allows the EU to impose targeted restrictive measures on persons or entities involved in cyberattacks which cause a significant impact, and constitute an external threat to the EU or its member states.

      Restrictive measures can also be imposed in response to cyberattacks against third states or international organisations where such measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy (CFSP).

    • 29 April

      Combating child abuse online – informal deal with European Parliament on temporary rules

      The negotiators from the Council and the European Parliament reached a provisional agreement on a temporary measure to allow providers of electronic communications services such as web-based email and messaging services to continue to detect, remove and report child sexual abuse online, also covering anti-grooming, until permanent legislation announced by the European Commission is in place.

      The agreement provides for a derogation to articles 5(1) and 6(1) of the ePrivacy directive and it is subject to approval by the Council.

    • 20 April

      Bucharest-based Cybersecurity Competence Centre gets green light from Council

      The EU is set to boost the security of the internet and other critical network and information systems by establishing a Cybersecurity Competence Centre to pool investment in cybersecurity research, technology and industrial development. The new body, to be based in Bucharest, Romania, will in particular channel cybersecurity-related funding from Horizon Europe and the Digital Europe Programme.

      This 'European Cybersecurity Industrial, Technology and Research Competence Centre' will work together with a network of national coordination centres designated by member states.

      The Council adopted the regulation establishing the Centre and the network n 20 April 2021. This will be followed by a final adoption by the European Parliament.

    • 22 March

      Council adopts conclusions on the EU's cybersecurity strategy

      The Council adopted conclusions on the EU's cybersecurity strategy for the digital decade. This strategy was presented by the European Commission and the EU High Representative for Foreign Affairs and Security Policy in December 2020. It outlines the framework for EU action to protect EU citizens and businesses from cyber threats, promote secure information systems and protect a global, open, free and secure cyberspace.

      The conclusions note that cybersecurity is essential for building a resilient, green and digital Europe. They set as a key objective achieving strategic autonomy while preserving an open economy. This includes reinforcing the ability to make autonomous choices in the area of cybersecurity, with the aim to strengthen the EU's digital leadership and strategic capacities.

  • 2020

    • 15 December

      Council calls for strengthening resilience and countering hybrid threats, including disinformation

      The Council adopted conclusions which call for further enhanced responses at EU level to counter hybrid threats, including disinformation, and strengthening resilience. The Council noted that new technologies and crises, such as the ongoing pandemic, offer opportunities for hostile actors to expand their interference activities. These pose an additional challenge for the member states and the EU institutions, besides the crisis itself.

      The Council acknowledged that the COVID-19 pandemic makes the EU and its member states more vulnerable to hybrid threats. Such threats include the increased spread of disinformation and manipulative interference. Addressing such threats, in particular malicious cyber activities, disinformation and threats to economic security, requires a comprehensive approach involving effective cooperation and coordination.

    • 11 December

      Provisional agreement on the EU Cybersecurity Competence Centre

      The Council and the European Parliament reached a provisional agreement on a proposal to set up the European Cybersecurity Industrial, Technology and Research Competence Centre and a network of national coordination centres.

      Together, these structures will help secure the digital single market, including in areas such as e-commerce, smart mobility and the Internet of Things, and increase the EU's autonomy in the area of cybersecurity.

    • 9 December

      Bucharest will host the seat of the new European Cybersecurity Competence Centre

      Bucharest (Romania) was selected by representatives of the governments of the EU member states as the prospective seat of the new European Cybersecurity Industrial, Technology and Research Competence Centre.

      The Cybersecurity Competence Centre will improve the coordination of research and innovation in cybersecurity in the EU. It will also be the EU's main instrument for pooling investment in cybersecurity research, technology and industrial development.

      Illustration: how the seat of the Cybersecurity Industrial, Technology and Research Competence Centre will be selected
      How the seat of the Cybersecurity Industrial, Technology and Research Competence Centre will be selected (infographic)

      How the seat of the Cybersecurity Industrial, Technology and Research Competence Centre will be selected (infographic)

    • 2 December

      Cybersecurity of connected devices – Council adopts conclusions

      The Council approved conclusions that acknowledge the increased use of consumer products and industrial devices connected to the internet and the related new risks for privacy, information security and cybersecurity

      The conclusions underline the importance of assessing the need for horizontal legislation in the long term to address all relevant aspects of the cybersecurity of connected devices, such as availability, integrity and confidentiality

      Connected devices, including machines, sensors and networks that make up the Internet of Things (IoT), will play a key role in further shaping Europe’s digital future, and so will their security.

    • 30 July

      EU imposes the first ever sanctions against cyber-attacks

      The Council decided to impose restrictive measures against six individuals and three entities responsible for or involved in various cyber-attacks. The sanctions imposed include a travel ban and an asset freeze, while EU persons and entities are forbidden from making funds available to those listed.

    • 9 June

      Council conclusions: shaping Europe’s digital future

      The Council adopted conclusions addressing a wide range of issues related to the implementation of the EU digital strategy. The text highlights the impact of the digital transformation on fighting the pandemic, and its critical role in the post-COVID-19 recovery. 

      In relation to cybersecurity, as cyber threats and crimes are increasing in number and sophistication, EU ministers aim to improve the EU's response capabilities and safeguard the integrity, security and resilience of digital infrastructure, communication networks and services. The EU also supports the need for a coordinated approach to mitigate risks related to cybersecurity and to ensure a secure 5G deployment

    • 5 June

      Mandate on cybersecurity centres and state of play of 5G networks

      A new mandate for negotiations with the European Parliament was agreed by Coreper on 3 June 2020 concerning the proposed regulation establishing the European Cybersecurity Competence Centre and the Network of Coordination Centres. The next step is for the Croatian presidency to contact the Parliament’s main negotiator to explore the possibility of organising a trilogue meeting.

      The presidency also presented the state of play of the implementation of the EU toolbox on security of 5G networks.

  • 2019

    • 3 December

      Significance and security risks of 5G technology: Council adopts conclusions

      The Council's 5G-related conclusions referred to the implications on European economy and the need to mitigate security risks.

      EU ministers stressed that 5G networks will form a part of crucial infrastructure for the maintenance of vital societal and economic functions.

    • 17 May

      Cyber-attacks: Council is now able to impose sanctions

      The Council established a framework which allows the EU to impose targeted restrictive measures to deter and respond to cyber-attacks which constitute an external threat to the EU or its member states.

      More specifically, this decision allows the EU for the first time to sanction persons or entities that:

      • are responsible for cyber-attacks or attempted cyber-attacks 
      • provide financial, technical or material support for such attacks
      • are involved in other ways

      Sanctions may also be imposed on persons or entities associated with them.  

      This framework also applies to cyber-attacks against non-EU states or international organisations where restrictive measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy (CFSP).

      The EU and its member states are getting ready to be more resistant and to respond to cyber-attacks
    • 9 April

      Council adopts Cybersecurity Act

      On 9 April 2019, the Council adopted the regulation also known as the Cybersecurity Act which introduces:

      • a system of EU-wide certification schemes 
      • an EU cybersecurity agency to take over from the current European Union Agency for Network and Information Security (ENISA)
    • 13 March

      Pooling cybersecurity expertise: Council to start negotiations with European Parliament

      EU ambassadors granted the Council presidency a mandate to start talks with the European Parliament on pooling cybersecurity expertise.

      The negotiations will focus on two initiatives:

      • establishing a top knowledge base for cybersecurity, called the European Cybersecurity Industrial, Technology and Research Centre
      • setting up a network of national coordination centres
  • 2018

    • 19 December

      Cybersecurity Act: EU ambassadors approve proposed regulation

      The approval of the proposed Cybersecurity Act will allow the European Union to introduce an EU-wide cybersecurity certification and to consolidate a permanent EU agency for cybersecurity.

      A provisional agreement on the new law was reached between the presidency and the European Parliament on 10 December.

      The EU-wide cybersecurity certification will soon be available for Internet-connected devices, enabling consumers to make more informed choices and making it easier for companies to market their smart products across Europe.

    • 19 November

      Cyber defence: Council updates policy framework

      The EU member states are increasingly cooperating on cyber defence, with a view to strengthening their capacities.

      In order to achieve this goal, the Council adopted an updated version of the EU cyber defence policy framework.

      The update allows the EU to take account of the changing security challenges since the initial framework was adopted in 2014. It identifies priority areas for cyber defence and clarifies the roles of those involved.

      At its last meeting, on 18 October 2018, the European Council called for measures to build strong cybersecurity in the EU.

      EU leaders referred in particular to restrictive measures able to respond to and deter cyber-attacks.

      EU is building stronger resistance to cyber attacks
    • 18 October

      European Council calls for measures to build strong cybersecurity in the EU

      EU leaders called for further strengthening of the EU's deterrence, resilience and response to hybrid, cyber as well as chemical, biological, radiological and nuclear (CBRN) threats.

      They did so in connection with the cyber-attacks against the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.

      The European Council also called for the negotiations on all cybersecurity proposals to be concluded 'before the end of the legislature' - in April 2019.

    • 13 September

      Cybersecurity Act: Council starts negotiations with European Parliament

      The Council started negotiations with the European Parliament with a view to reaching an agreement on the Cybersecurity Act by the end of the year. The general approach on this proposal was reached on 8 June. 

      The Cybersecurity Act is meant to enhance cyber resilience by setting up an EU-wide certification framework for ICT products, services and processes. It would also upgrade the current EU Agency for Network and Information Security (ENISA). 

    • 16 April

      Malicious cyber activities: Council adopts conclusions

      The Council adopted conclusions on malicious cyber activities, which underline the importance of a global, open, free, stable and secure cyberspace where human rights and fundamental freedoms and the rule of law fully apply.

      The Council expressed its serious concern about the increased ability and willingness of non-EU states and non-state actors to pursue their objectives by undertaking malicious cyber activities. The EU will continue to bolster its capabilities to address cyber threats.

  • 2017

    • 20 December

      EU institutions strengthen cooperation to counter cyber-attacks

      EU institutions took an important step in strengthening their cooperation in the fight against cyber-attacks.

      An inter-institutional arrangement established a permanent Computer Emergency Response Team (CERT-EU) covering all the EU's institutions, bodies and agencies.

      CERT-EU will ensure a coordinated EU response to cyber-attacks against its institutions.

    • 24 October

      EU ministers agree on cybersecurity action plan

      The Council agreed to set up an action plan for the reform of EU cybersecurity.

      Ministers stressed that online security is essential for European citizens and businesses. 

  • 2016