European Cybersecurity Reflections, 2024
This time of year is perfect for reflection — looking back at the challenges and successes of 2024 while anticipating the opportunities and changes that 2025 will bring. As we prepare to enjoy the holidays with family and friends, celebrating with cozy gatherings, delicious food, and cheerful toasts to the new year, we’d like to take a moment to share our reflections on what shaped European cybersecurity, risk, and privacy markets over the past year.
A Year Of Legislative Transformation
2024 was marked by a flurry of legislative activity in the European Union, particularly in cybersecurity, risk, privacy, and artificial intelligence. Key highlights include:
- Digital Services Act (DSA) and Digital Markets Act (DMA): These regulations took effect, aiming to create balanced digital ecosystems that foster innovation while protecting consumer rights.
- NIS2 Directive: By October 17, 2024, EU member states were required to transpose this directive into national law to strengthen the resilience of critical infrastructure. Unfortunately, delays remain in most countries. Currently, only Belgium, Croatia, Hungary, Italy, Latvia, and Lithuania have transposed the Directive into national law.
- Cyber Resilience Act: Adopted by the Council, this Act will start applying 36 months after its entry into force, with select provisions taking effect earlier. While its vulnerability-reporting obligations don’t kick in until 2026, organizations should start investigating the impact of the Act in 2025.
- ePrivacy Regulation: Still in draft form, this legislation is intended to complement the GDPR, providing specific rules for electronic communications.
- EU AI Act: Formally adopted in May, this regulation paves the way for the responsible development and deployment of artificial intelligence. Read our predictions for what we expect in 2025.
- Digital Operational Resilience Act (DORA): The financial sector focused heavily on preparing for compliance with DORA, which takes effect in January 2025.
2024 was a significant year for European cybersecurity regulations. Going into 2025, the focus will be on implementation of this avalanche of regulation. We also expect to see this regulation play a role in shaping the global agenda for cyber regulation and what the outline of AI regulation should look like. Many will see the European regulation as strangling innovation and miring European enterprises in red tape — others will see it as a model for how to regulate cyber and AI.
Geopolitical Tensions And Cyber Warfare
Geopolitical tensions escalated in 2024, amplifying cyber threats:
- State-sponsored attacks: Energy grids, healthcare systems, and transportation networks faced growing risks from nation-state attackers. Examples in 2024 included a cyberattack on Germany’s main opposition party in June, shortly before the European Parliament elections, and a major ransomware attack in Romania that took down 25 hospitals. Suspicion falls on the usual state-sponsored threat actors associated with China, Iran, Russia, and North Korea, as well as other malign non-state threat actors.
- Hybrid warfare: Cyberattacks were integrated into misinformation campaigns and other hybrid tactics, such as the recent interference in elections in Romania and Moldova attributed to Russian hybrid warfare tactics. Also, expect further curious “accidents” impacting undersea cables in sensitive areas such as the Baltic Sea to continue in 2025.
- EU cyber defence initiatives: The EU reinforced its Joint Cyber Unit and expanded collaborative efforts, including cyber rapid response teams, to combat these threats. With a more uncertain commitment to European defence from the incoming US administration, expect more to be spent bolstering EU cyber defences in 2025 and beyond.
The Evolving Role Of The CISO
Over the past few years, we have seen changes in the role of the CISO across Europe.
CISOs are shifting from purely technical experts to strategic leaders, with boards expecting them to show value for security investment and translate technical risks into business risks.
European CISOs are also expected to make industry contributions, by sharing best practices, participating in public policy discussions, or speaking at conferences. CISOs need to make sure that they balance higher levels of external contribution with spending enough time focused on the job at hand and on their own security teams, a balance that not all get right.
Want to know our predictions for 2025? Forrester clients can read Forrester’s full Predictions reports for Europe and cybersecurity, risk, and privacy.
Happy holidays!