In an era of dynamic digital technology development and a growing number of cyberthreats, cybersecurity and personal data protection are becoming key aspects of how organizations operate in the European Union. New regulations, such as NIS2, DORA, AI Act, CRA, and eIDAS 2.0, combined with the current GDPR, create a comprehensive security system aimed at raising protection standards and ensuring greater transparency in data processing.

NIS2 and GDPR: Strengthening Data Protection and Incident Response

The Network and Information Security Directive (NIS2) is another step towards increasing the cyber resilience of entities operating in key economic sectors. In 2025, its implementation will require organizations to take a number of actions, including:

• Expanding security measures against cyberattacks,
• Introducing more rigorous incident reporting procedures,
• Strengthening cooperation between supervisory authorities and the private sector.

NIS2, in conjunction with GDPR (Regulation 2016/679), means that businesses will not only have to protect personal data more effectively, but also implement new procedures for risk management and auditing of IT security activities.

5 Things You Need to Know About NIS2

01 – Fines up to €10 million or 2% of total annual global turnover

02 – Expanded scope compared to NIS1, changing the way companies are classified and requiring more of them to comply with the directives

03 – Management staff is liable for violations and the authorities may suspend activities or functions

04 – Broad security risk management measures and shift to a risk-based approach

05 – Initial reporting of security incidents within 24 hours, further action within 72 hours, and final summary within 1 month

DORA: Cyber Resilience and Personal Data Security in Finance

DORA is the Regulation of the European Parliament and of the Council (EU) of 14 December 2022 on the digital operational resilience of the financial sector. This is another of many recent regulations concerning cybersecurity and the broadly defined security of information technology.

The Digital Operational Resilience Act (DORA) focuses on the financial sector, which is particularly vulnerable to cyberattacks. Key requirements imposed by DORA include:

• Testing the operational resilience of IT systems,
• Implementing risk management strategies based on threat analysis,
• Obligation to monitor and report digital incidents.

DORA applies to:

1. credit institutions;
2. payment institutions, including payment institutions exempted under Directive (EU) 2015/2366;
3. providers of account information access services;
4. electronic money institutions, including electronic money institutions exempted under Directive 2009/110/EC;
5. investment companies;
6. crypto-asset service providers,
7. central securities depositories;
8. central counterparties;
9. trading systems;
10. transaction repositories;
11. alternative investment fund managers;
12. management companies;
13. information sharing service providers;
14. insurance and reinsurance undertakings;
15. insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
16. institutions of occupational pension programs;
17. rating agencies;
18. administrators of critical benchmarks;
19. crowdfunding service providers;
20. securitization repositories;
21. external ICT service providers.

In the context of GDPR compliance, financial institutions must ensure adequate security measures to protect customer data against unauthorized access and information leakage. GDPR also mandates cooperation with cloud service providers and external IT operators, which requires thorough verification of their security standards.

Article 33 of the DORA Directive requires personal data breaches to be reported without undue delay, and within 72 hours where possible. In the event of a delay, an explanation of the reason for the delay must be included.

AI Act and GDPR: Managing Artificial Intelligence and Data Protection

The AI Act regulations classify AI systems according to risk level and impose obligations on entities that implement them. In the context of data protection, the AI Act requires:

• Transparency of artificial intelligence algorithms and mechanisms,
• Possibilities of controlling and auditing decisions made by AI,
• Compliance with the principles of data minimization and limitation of the processing purpose.

Companies that use AI to process personal data will have to meet stringent GDPR requirements, giving users greater control over their information and minimizing the risk of abuse.

CRA: Cyber Resilience Act – Security of Digital Products

The Cyber Resilience Act (CRA) introduces obligations related to the security of digital software and hardware. Its key requirements include:

• Designing secure digital products,
• Monitoring vulnerabilities and updating them regularly,
• Manufacturers’ responsibility to ensure continued safety throughout the product life cycle.

CRA aims to increase cybersecurity across the entire digital ecosystem, minimizing the risk of attacks based on device and application vulnerabilities.

eIDAS 2.0: Strengthening digital identification

The amendment to the eIDAS (electronic IDentification, Authentication and trust Services) regulation – known as eIDAS 2.0 – introduces a European digital identity wallet that:

• Allows citizens to securely store and share their identity data,
• It enables public and private institutions to provide secure online services,
• Strengthens authentication standards in digital transactions.

In conjunction with GDPR, eIDAS 2.0 improves users’ control over their identity data and increases the security of online transactions.

Challenges and benefits of new regulations

Adapting to new regulations poses numerous challenges for companies, including:

• The need to invest in modern security systems,
• Employee training in cybersecurity and data protection,
• Implementation of effective incident monitoring and reporting mechanisms.

However, the new regulations also bring numerous benefits, such as:

• Better protection of customer data and greater trust in the organization,
• Increased resistance to cyber attacks,
• Possibility to avoid high fines for violating data protection regulations.

The impact of new regulations on small and medium-sized enterprises (SMEs)

New regulations such as NIS2, DORA, AI Act, CRA, and eIDAS 2.0 can pose challenges for small and medium-sized enterprises (SMEs). Implementing these regulations requires investment in modern security systems and employee training in cybersecurity and data protection. SMEs may face challenges related to limited financial and human resources, which can make it difficult to fully comply with the new requirements.

However, compliance with these regulations also brings benefits, such as better protection of customer data, increased trust in the organization, and the ability to avoid significant fines for violating data protection regulations. Therefore, it is worthwhile for SMEs to consider partnering with external IT service providers and cybersecurity specialists to effectively implement the required security measures.

The future of cybersecurity in the EU

In the coming years, we can expect further development of regulations regarding cybersecurity and personal data protection. The European Union will continue to work on strengthening the legal framework to address growing cyber threats and ensure a high level of data protection. Organizations will need to be prepared to continuously adapt to new requirements and invest in modern security technologies and procedures.

Summary

In 2025, organizations will have to comply with a range of regulations regarding cybersecurity and personal data protection. NIS2, DORA, AI Act, CRA, and eIDAS 2.0, combined with the GDPR, create a modern legal framework aimed at improving data protection and increasing resilience to cyber threats across various economic sectors. Implementing these regulations will be a challenge, but also an opportunity, to build a more secure and digitally resilient business environment in the EU.

Artykuł Cybersecurity and GDPR Compliance in 2025 pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

European Union legislator, considering the previous Member States’ experiences, modified the professionalization of electronic communication idea and passed the new law – REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC [1], so-called eIDAS Regulation.

The aim of this Regulation was to increase confidence in the electronic trade market area in extent of e-business and contact with public entities by the introduction of the unified IT solutions legal frames for the entire European Union. These legal frames provide a reliable determination of the natural persons’ and organizational units’ identity.

The eIDAS Regulation repealed the previous Polish regulation, namely the Act of 18 September 2001 on Electronic Signature and the (EU) Directive 1999/93 implemented to this Act. After passing the Resolution 910/2014, previous Acts and Directives are repealed and the Regulation is directly applicable to the national law.

In this respect the current legal acts consist of:

1. (EU) eIDAS Regulation,
2. The Act of 5 September 2016 on Trust Services and Electronic Identification.

SUBJECT MATTER of eIDAS Regulation

Article 1 of the Regulation reads that:

With a view to ensuring the proper functioning of the internal market while aiming at an adequate level of security of electronic identification means and trust services this Regulation:

(a) lays down the conditions under which Member States recognise electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another Member State;

(b) lays down rules for trust services, in particular for electronic transactions; and

(c) establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication.[2]

The main aim of this Regulation and the legislator intentions are coincided with the (abovementioned) genesis of the regulation.

LEGAL DEFINITIONS

In order to provide a sufficient protection and clarity in interpretation, eIDAS Regulation has a sizeable catalogue of legal definitions. There should be indicated crucial ones, namely electronic signature definition and qualified electronic signature definition:

Article 3

Definitions

For the purposes of this Regulation, the following definitions apply:

(10) ‘electronic signature’ means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign;

(11) ‘advanced electronic signature’ means an electronic signature which meets the requirements set out in Article 26;

(12) ‘qualified electronic signature’ means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures;

(27) ‘qualified electronic seal’ means an advanced electronic seal, which is created by a qualified electronic seal creation device, and that is based on a qualified certificate for electronic seal;[3]

also there is a definition of electronic identification which is a crucial term in the electronic signature area. It is proper to say that this definition constitutes the Regulation matter:

• ‘electronic identification’ means the process of using person identification data in electronic form uniquely representing either a natural or legal person, or a natural person representing a legal person;[4]

PROTECTION LEVELS

Article 8 requires to introduce various electronic security levels.

Article 8

Assurance levels of electronic identification schemes

1. An electronic identification scheme notified pursuant to Article 9(1) shall specify assurance levels low, substantial and/or high for electronic identification means issued under that scheme.

2. The assurance levels low, substantial and high shall meet respectively the following criteria:[5]

Having regard to this division of assurance levels of electronic identification, article 3 distinguishes 3 types of electronic signatures:

1. Electronic signature;
2. Advanced electronic signature;
3. Qualified electronic signature.

EUROPEAN LEGISLATURE PRESUMPTIONS

The idea of the EU legislator is that the eIDAS Regulation:

1. sets out the legal conditions for the member states acknowledgement of the electronic identifications measures for natural and legal persons covered by the notified electronic identification notification of another Member State;
2. sets out the laws concerning the trusts services including establishing legal frames for: i) electronic signature, ii) electronic seal, iii) electronic registered delivery service, etc.

Thus the eIDAS Regulation concerns 2 issues:

1. Electronic identification system;
2. Trust services.

European legal act applies to the electronic identification schemes notified by Member States and applies to the trust service providers based in the European Union. Although the eIDAS Regulation with the EU secondary legislation is a comprehensive legal solution it is necessary to concretise certain issues in the national law. Thereby the Polish legislator has passed the Act of 5 September 2016 on Trust Services and Electronic Identification concretizing and specifying the European act.[6] The Polish Act introduces as follows:

1. National trust infrastructure;
2. Trust services providers business activity;
3. National electronic identification scheme;
4. Trust services providers supervision;
5. National electronic identification scheme supervision;
6. Criminal provisions;
7. Pecuniary penalties provisions.

TYPES OF ELECTRONIC SIGNATURE

There are 3 types of electronic signature: i) electronic signature; ii) advanced electronic signature and iii) qualified electronic signature.

1. Non-qualified electronic signature certificate (non-qualified signature) is the common term for any electronic signature (other than qualified). It is used for signing emails and for logging into a domain. It can be also used to sign documents, but a signature created using this type of certificate does not have the same legal force as oleographic signature.
2. Qualified electronic signature (certificated). Qualified signature certificate (qualified electronic signature) is a certificate issued by a qualified trust services provider. This type of electronic signature fulfills the eIDAS requirements. A signature made with this type of certificate is equivalent to oleographic signature.

WHAT IS THE QUALIFIED ELECTRONIC SIGNATURE – PRACTICAL INFORMATION

1. Definition

A qualified signature is an electronic signature which has the same legal force as oleographic signature.

This legal force can be found in the Polish Civil Code:

Article 78(1) [Electronic form]

§  1. To meet the written form requirement of a legal act of law, it is sufficient to submit a declaration of will in electronic form and caption it with a qualified electronic signature.

§  2. The declaration of will submitted in electronic form is equivalent to the declaration of will submitted in a written form. [7]

• How to obtain a qualified electronic signature

A qualified electronic signature can be bought from one of the certified providers (entities). The list of the certificate providers can be found under this link (on the National Certification Centre website): https://www.nccert.pl/.

The most popular qualified signatures (certificates) include:

• Sigilium Sign,
• Szafir 2.0.
• proCentrum SmartSign,
• PEN- HEART 3.9,
• SecureDoc2
• EuroCert
• What can be done with the use of the qualified electronic signature

For instance:

• Executing an agreement;
• Participation in auctions on electronic tendering platforms;
• Remote conclusion of civil law contracts;
• Signing and filing of financial statements sent to the National Court Register;
• Sending electronic invoices online.

To see full list of qualified electronic signature utilization: https://www.biznes.gov.pl/pl/firma/sprawy-urzedowe/chce-zalatwic-sprawe-przez-internet/podpis-kwalifikowany.

To see the detailed information about technology used in the construction of the qualified electronic signature:

file:///C:/Users/OEM/Downloads/WP2016%203-2%2016%20Relying%20Parties%20QSig.pdf

https://www.zealid.com/en/the-definitive-guide-to-qualified-electronic-signatures

https://www.electronicid.eu/en/blog/post/eidas-regulation-electronic-signature/en

Sources:

https://eur-lex.europa.eu/legal-content/PL/TXT/PDF/?uri=CELEX:32014R0910&from=PL

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014R0910&qid=1628666235807&from=PL

https://sip.lex.pl/#/act/18344658/2870950/uslugi-zaufania-oraz-identyfikacja-elektroniczna?keyword=ustawa%20o%20podpisie%20elektronicznym&cm=SFIRST

https://sip.lex.pl/#/act/16785996/2827383?directHit=true&directHitQuery=kc

https://msp.money.pl/wiadomosci/poradniki/artykul/podpis-elektroniczny-8211;-czym-jest-i-w,242,0,2414578.html

https://www.gov.pl/web/cyfryzacja/obowiazek-stosowania-rozporzadzenia-parlamentu-europejskiego-i-rady-ue-nr-910/2014-od-1-lipca-2016-roku

https://www.biznes.gov.pl/pl/firma/sprawy-urzedowe/chce-zalatwic-sprawe-przez-internet/podpis-kwalifikowany

https://www.parp.gov.pl/component/content/article/53930:rozporzadzenie-eidas-nowe-ramy-prawne-elektronicznej-gospodarki-i-zinformatyzowanych-urzedow

https://www.nccert.pl/

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014R0910&from=EN, (access date: 11^th August, 2021).

[2] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014R0910&from=EN, (access date: 11^th August, 2021).

[3] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014R0910&from=EN, (access date: 11^th August, 2021).

[4] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014R0910&from=EN, (access date: 11^th August, 2021).

[5] To see full list of criteria: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014R0910&from=EN, (access date: 11^th August, 2021).

[6] To see full Act: https://sip.lex.pl/#/act/18344658/2870950/uslugi-zaufania-oraz-identyfikacja-elektroniczna?keyword=ustawa%20o%20podpisie%20elektronicznym&cm=SFIRST, (access date: 11^th August, 2021).

[7] https://sip.lex.pl/#/act/16785996/2827383?directHit=true&directHitQuery=kc, (access date: 11^th August, 2021).

Artykuł POLISH REGULATIONS ON E-CERTIFICATE pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.