In Brussels cafés, coffee and beer flow, but above all, people debate cybersecurity. The Slovak envoy of the National Security Authority in Brussels explained what is being regulated in Europe today, why companies feel it in their costs, and where the agenda is heading. Here is a clear summary without bureaucratic jargon.
What is actually being dealt with in Brussels
Cybersecurity only became a major topic after 2016, when the first Directive on the security of networks and information (later updated to NIS2) arrived. It expanded the circle of obligated entities and raised protection requirements, which meant new compliance investments for companies. Alongside that, we are learning the difference between a directive, which sets minimums that member states transpose into their own law, and a regulation, which applies uniformly across the Union.
In the "Brussels cafés", over coffee or beer, the questions one often hears are therefore practical: to whom an incident must be reported and by when, what documents are needed, and which interpretation actually applies. Notification obligations that differ across multiple instruments increase the administrative burden. The task of national authorities is therefore to consult with businesses in time and help them navigate the new rules.
New priorities: from resilience to crisis scenarios
On the table is the Cyber Resilience Act, which focuses on internet-connected devices – from cameras to toys – and their supply chains. Alongside it, a revision of the mechanism for managing major cyber incidents is being prepared so that in the event of an attack it is clear who acts and when, and chaos does not reign. Post-quantum cryptography is also getting special attention: countries are to align their plans, because the level of preparedness is not the same everywhere.
ENISA, the European cybersecurity agency, remains a key advisory player and is gradually receiving a broader mandate. Without common certification schemes, other rules are hard to translate into practice, which will be a topic for the coming years. The new European Commission is also signaling an emphasis on cloud – including a scheme for assurance levels, which may affect companies’ access to public contracts.
International cooperation and the Slovak voice
In the Brussels understanding, "cyber" goes beyond IT: it also includes defense, diplomacy, and the fight against cybercrime. The Slovak envoy in the working groups explains European aims at home and at the same time brings feedback to Brussels; Slovakia has long been invited to these discussions. The new European competence center in Bucharest and national branches also help, making it easier for companies to access EU-level calls beyond the classic EU funds.
Transatlantically, common ground is being sought between Europe and the USA: while ENISA issues guidance and recommendations, the U.S. CISA contributes to standards and the harmonization of procedures. Joint projects promise the unification of incident reporting and "trust marks" for products. The debate about "overly strict" regulations thus moves toward practice: less unnecessary bureaucracy, but security as the indispensable foundation of every digital product and service.