The Regulation (EU) 2025/38 and the Protection of Critical Infrastructures - another layer in the EU’s already complex cybersecurity landscape?
José Amaro
EU & Indo Pacific Maritime Cybersecurity/Security Advisor | EU Privacy Law Advisor | Jurist | ISO/27001 Lead Auditor
Regulation (EU) 2025/38[1] of the European Parliament and the Council, dated December 19, 2024, comes into force with the aim of strengthening the Union’s solidarity and capabilities in detecting, preparing for, and responding to cyber threats and incidents. This regulation amends Regulation (EU) 2021/694, known as the Cyber Solidarity Act. As a regulation, it is directly applicable across the European Union without the need for national transposition. However, this direct applicability often complicates the already intricate relationship between EU and national laws, making it challenging to determine which legal sources apply in a specific case amidst an ever-expanding legislative framework.
Recognizing the growing reliance on information and communication technologies across all sectors, as well as the increasing frequency and impact of cybersecurity incidents, this regulation aims to strengthen the EU’s competitive position in the digital economy. It seeks to support digital transformation by enhancing cybersecurity in the Digital Single Market and aims to reinforce the resilience of citizens, businesses (including micro, small, and medium-sized enterprises and startups), and entities operating critical infrastructures against cyber threats.
Building on previous legislative and regulatory frameworks, such as Regulation (EU) 2019/881 on ENISA—aimed at reducing vulnerabilities, strengthening the resilience of critical infrastructures, and certifying cybersecurity for information and communication technologies—Regulation (EU) 2025/38 incorporates key directives. Notable among them are Directive 2013/40/EU[2] and the NIS2 Directive (EU) 2022/2555[3], which address attacks on information systems and cybersecurity, as well as Commission Recommendation (EU) 2017/1584[4], which establishes coordinated responses to large-scale cybersecurity incidents and crises.
Thus, in line with the NIS2 Directive, which already imposes strict cybersecurity requirements on critical infrastructures - including submarine cables - the new Regulation (EU) 2025/38 goes further and strengthens protection mechanisms against digital threats, introducing additional defense capabilities and measures based on three fundamental pillars:
First, expanding the European Cyber Shield[5] (protect, detect, defend and deter), whose primary objective is to improve early detection of and response to cyber threats through a distributed defense infrastructure across the EU. To this end, it proposes the creation of national and cross-border Security Operations Centers (SOCs) to share threat intelligence, the use of AI and machine learning to detect anomalies and attacks in real time, and EU financial support for member states and critical infrastructure operators to improve their monitoring capabilities.
Secondly, the Cybersecurity Emergency Mechanism[6], aimed at strengthening the EU's resilience against large-scale attacks through coordinated responses between member states and solutions for funding post-attack recovery. The main components of this pillar include the creation of a European Network of Rapid Incident Response Teams (EU-CIRT), funding for mitigation and recovery after large-scale incidents, and resilience tests to prepare member states for critical scenarios.
Thirdly, the Cyber-Insurance Scheme[7], which aims to develop financial mechanisms to mitigate the economic impact of cyber-attacks on critical infrastructures and businesses. To this end, it proposes the creation of a European framework for cyber insurance, incentivizing insurers to cover attacks on critical infrastructures, establishing compensation funds for affected operators, and improving cyber risk assessments to enable more appropriate insurance models.
Submarine cables, as critical components of global communications, could benefit from this European legislative framework in several areas. These regulations offer financial and technical support for rapid recovery in the event of an attack, ensuring that these infrastructures can be quickly restored. In addition, the frameworks introduce the possibility of cyber insurance options tailored to submarine cable operators, reducing the financial impact of successful attacks, and reinforce monitoring and information sharing, allowing for a more proactive approach to cyber threats. Finally, by incentivizing investment in security - through insurers requiring robust protection measures - these legislative measures help to strengthen the overall resilience of submarine cable systems against emerging cyber threats.
But as cyber-attacks grow more sophisticated and global dependence on submarine cables deepens, can we truly feel more secure under the EU’s latest legislative framework?
Do Regulation (EU) 2025/38, amending the Cyber Solidarity Act (Regulation (EU) 2021/694), and the NIS2 Directive represent a true advancement in safeguarding these critical infrastructures, or do they merely add another layer to the EU’s already intricate cybersecurity framework?