Open access

The evolution of mobile cybersecurity regulations in the European Union

30 Mar 2025

Introduction

The ubiquity of mobile devices in modern life has transformed the way we communicate, access information, and conduct business. However, this reliance on technology has also exposed users to unprecedented cybersecurity risks. Cyber-attacks, defined as intentional efforts to steal, alter, or destroy data through unauthorized access, are increasing in complexity and frequency. By 2025, the European Union (EU) anticipates over 41 billion devices connected to the network, underscoring the critical need for robust cybersecurity measures.

Mobile devices store vast amounts of personal and sensitive data, making them attractive targets for cybercriminals. The coronavirus disease 2019 (COVID-19) pandemic accelerated digital transformation, further increasing the volume of mobile device usage and, consequently, the associated cybersecurity risks. This context underscores the need for a strong regulatory framework to protect users and ensure the resilience of digital infrastructures. This article examines the EU’s regulatory response to these challenges, analyzing the General Data Protection Regulation (GDPR), the Network and Information Systems Security Directive (NIS2), and the Cyber Resilience Act. These initiatives illustrate the EU’s commitment to safeguarding its digital ecosystem while balancing security, innovation, and economic growth.

Literature review

The EU has made significant strides in establishing a regulatory framework for cybersecurity, particularly concerning smartphones and other digital devices. This literature review synthesizes key regulatory developments and their implications for cybersecurity in the EU, focusing on the intersection of legislation, standards, and the evolving threat landscape.

One of the foundational elements of the EU’s cybersecurity framework is the GDPR, which has reshaped how organizations manage personal data and cybersecurity risks. Amoo highlights that the GDPR emphasizes principles such as transparency and accountability, which have had a profound impact on cybersecurity practices in both Europe and the USA (Amoo, 2024). The GDPR’s extraterritorial reach mandates compliance from organizations outside the EU that handle EU citizens’ data, thereby elevating global cybersecurity standards (Amoo, 2024). Furthermore, the regulation has prompted organizations to adopt proactive data protection measures, which are essential for safeguarding smartphones and other connected devices against cyber threats.

In addition to the GDPR, the EU Cybersecurity Act (Regulation 2019/881) has been pivotal in enhancing the EU’s cybersecurity posture. This regulation established the European Union Agency for Cybersecurity (ENISA) with a permanent mandate and introduced a cybersecurity certification framework for digital products, including smartphones (Akdemir et al., 2020). Khurshid et al. discuss how this certification landscape is crucial for ensuring that IoT devices meet stringent security requirements, thereby reducing vulnerabilities that could be exploited by cybercriminals (Khurshid et al., 2022). The Cybersecurity Act also aligns with the NIS Directive, which aims to enhance the overall level of cybersecurity across the EU by imposing security and incident reporting obligations on essential service operators and digital service providers (Ludvigsen & Nagaraja, 2022).

The NIS2 Directive, which is a revision of the original NIS Directive, further strengthens the regulatory framework by broadening the scope of entities subject to its requirements and enhancing cooperation among member states (Schmitz & Chiara, 2022). This directive reflects the EU’s recognition of the evolving digital threat landscape, particularly in light of the COVID-19 pandemic, which accelerated digital transformation and increased the attack surface for cyber threats (Schmitz & Chiara, 2022). Schmitz and Chiara emphasize that the NIS2 Directive aims to create a more resilient digital environment by ensuring that critical sectors, including telecommunications and healthcare, adhere to robust cybersecurity practices (Schmitz & Chiara, 2022).

Moreover, the proposed Cyber Resilience Act seeks to address the fragmented nature of existing cybersecurity regulations by establishing a horizontal framework that applies to all products with digital elements, including smartphones (Chiara, 2022). This initiative aims to unify cybersecurity requirements across various sectors, ensuring that manufacturers incorporate security by design into their products (Chiara, 2022). The act is part of a broader strategy to enhance the EU’s cybersecurity resilience and protect consumers from the risks associated with insecure devices (Chiara, 2022).

The literature also underscores the importance of collaboration between public and private sectors in enhancing cybersecurity. Fuster and Jasmontaite note that the EU’s cybersecurity strategy has mobilized various sectors, including telecommunications and critical infrastructure, to address cybersecurity challenges collectively (Fuster & Jasmontaite, 2020). This collaborative approach is essential for developing comprehensive cybersecurity policies that can adapt to the rapidly changing technological landscape.

In conclusion, the EU’s regulatory framework for cybersecurity, particularly concerning smartphones, is characterized by a multi-faceted approach that includes the GDPR, the Cybersecurity Act, the NIS2 Directive, and the proposed Cyber Resilience Act. These regulations collectively aim to enhance data protection, establish certification standards, and promote resilience against cyber threats. As the digital landscape continues to evolve, ongoing research and adaptation of these regulations will be crucial in addressing emerging cybersecurity challenges.

Topic analysis

To examine thematic trends in scholarly research on cybersecurity and the EU, we applied latent Dirichlet allocation (LDA) (Blei et al., 2003) to a dataset of 40 peer-reviewed research articles identified in the Web of Science database. The LDA analysis uncovered latent topics that capture the main areas of the scholarly debate on EU cybersecurity.

Preprocessing and modeling

We extracted the articles in PDF form and used the pdftools package in R to convert them to text files. The text was converted to lowercase, and punctuation and non-alphabetic characters were removed. Stopwords were removed with the tm package, supplemented by a custom list of terms to filter out recurring words. We built a document-term matrix from words of three or more characters. LDA was fitted by Gibbs sampling with the topicmodels package in R, run for 2,000 iterations with a burn-in of 1,000. We made experimental runs to select k (the number of topics), starting with k = 5. While this returned promising results, the thematic elements overlapped considerably. A revised model with k = 3 topics returned themes that are more coherent and interpretable.

Visualizing and interpreting topics

For interpretability, we used LDAvis to explore the topic structure and terms of interest interactively. In LDAvis, the relevance parameter λ controls how terms are ranked within a topic:

λ = 1.0 prioritizes the most frequent words in a topic;

λ = 0.0 highlights the most exclusive (i.e., topic-specific) words.

We primarily interpreted topics using λ = 0.6 and further examined λ values between 0.2 and 0.4 to surface distinctive terms. The resulting topics reflect three distinct but interrelated themes in cybersecurity research.
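The ranking behind the λ slider is the LDAvis relevance score of Sievert and Shirley (2014), relevance(w | t) = λ·log φ(w | t) + (1 − λ)·log(φ(w | t) / p(w)). The block below is an added worked example, not the authors' R code: it applies that formula to a constructed toy three-topic model whose term probabilities (PHI) and topic proportions (TOPIC_PROP) are assumptions, and shows how the term "cybersecurity", frequent in every topic, drops out of the top ranks as λ moves from 1.0 towards 0.0.

```python
"""LDAvis term relevance (Sievert & Shirley, 2014):

    relevance(w | t) = lam * log(phi[t][w]) + (1 - lam) * log(phi[t][w] / p[w])

phi[t][w] is the probability of term w in topic t, p[w] the term's marginal
probability across the corpus. lam = 1 ranks by raw topic probability;
lam = 0 ranks by lift, i.e. how topic-specific the term is.
"""
import math

VOCAB = ["cybersecurity", "strategy", "commission", "international", "directive",
         "nis", "law", "certification", "training", "iot"]

# Constructed toy topic-term distributions, loosely mirroring the article's three
# themes. These are assumptions, NOT the article's fitted model. Each row sums to 1.
PHI = {
    "policy": dict(zip(VOCAB, [0.30, 0.20, 0.15, 0.12, 0.05, 0.02, 0.04, 0.05, 0.04, 0.03])),
    "law":    dict(zip(VOCAB, [0.30, 0.05, 0.05, 0.04, 0.20, 0.15, 0.12, 0.04, 0.03, 0.02])),
    "skills": dict(zip(VOCAB, [0.30, 0.05, 0.03, 0.04, 0.04, 0.02, 0.02, 0.20, 0.18, 0.12])),
}
# Assumed corpus-level topic proportions (equal shares for the toy corpus).
TOPIC_PROP = {"policy": 1 / 3, "law": 1 / 3, "skills": 1 / 3}


def validate_phi(phi=PHI, tol=1e-9):
    """Each topic row must sum to 1 and contain no zero (log(0) is undefined)."""
    for row in phi.values():
        if abs(sum(row.values()) - 1.0) > tol:
            return False
        if any(v <= 0.0 for v in row.values()):
            return False
    return True


def marginal_term_probs(phi=PHI, topic_prop=TOPIC_PROP):
    """p[w] = sum_t P(t) * phi[t][w]: how common each term is corpus-wide."""
    return {w: sum(topic_prop[t] * phi[t][w] for t in phi) for w in VOCAB}


def relevance(topic, term, lam, phi=PHI, p=None):
    """Relevance of `term` for `topic` at weight `lam` (0 <= lam <= 1)."""
    if not 0.0 <= lam <= 1.0:
        raise ValueError("lambda must lie in [0, 1]")
    p = p or marginal_term_probs(phi)
    prob = phi[topic][term]
    lift = prob / p[term]           # > 1 means the term is over-represented in the topic
    return lam * math.log(prob) + (1.0 - lam) * math.log(lift)


def top_terms(topic, lam, n=5, phi=PHI):
    """Terms of `topic` ordered by relevance, most relevant first."""
    p = marginal_term_probs(phi)
    ranked = sorted(VOCAB, key=lambda w: relevance(topic, w, lam, phi, p), reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    assert validate_phi()
    # lam = 1.0 puts the corpus-wide frequent "cybersecurity" first in every topic;
    # lam = 0.0 surfaces the topic-specific terms (strategy / nis / training).
    for lam in (1.0, 0.6, 0.0):
        for topic in PHI:
            print(f"lambda={lam:.1f} {topic:7s} -> " + ", ".join(top_terms(topic, lam)))
```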

Topic 1: Strategic and policy-level cyber governance

Top distinctive terms: strategy, policy, commission, digital, international

This theme reflects policy debates at the strategic level of cybersecurity governance, emphasizing the global dimension, the international policy context, and the European Commission’s role in developing strategy (Figure 1).

Figure 1

Topic 1: Strategic & Policy-Level Cyber Governance.

Topic 2: Cybersecurity law & regulation (EU)

Top distinctive terms: directive, nis, law, regulation, article, protection, european

This subject reflects the regulatory and legal instrumentation of cybersecurity in the EU. The frequent appearance of “NIS,” “directive,” and “law” indicates attention to compliance, risk management, and governance instruments at the European level (Figure 2).

Figure 2

Topic 2: Cybersecurity Law & Regulation (EU).

Topic 3: Skills & technical capacity building

Top distinctive terms: certification, training, education, skills, iot, national

This topic covers both the human and technical capacity of cybersecurity, with a focus on education, certification, and the development of workforce skills. The terms IoT and https together suggest the increasing importance within the literature of technological readiness and secure digital environments (Figure 3).

Figure 3

Topic 3: Skills & Technical Capacity Building.

The LDAvis visualization supported the thematic distinctiveness of these topics by showing relatively well-separated topic clusters in two-dimensional space. Adjusting the lambda parameter was particularly useful in distinguishing general-purpose terms (e.g., “cybersecurity”) from terms uniquely tied to specific themes.

Together, these three topics suggest that cybersecurity research – at least in this sample of Web of Science articles – is largely structured around three pillars: legal regulation, skills and capacity development, and strategic policy governance.

The need for cybersecurity regulations

High-profile incidents such as the May 2021 ransomware attack on the Irish Health Service Executive (HSE) demonstrate the devastating impact of cyber-attacks. This breach disrupted critical healthcare services, affecting over 90,000 individuals and costing approximately €100 million to recover from. Such cases highlight the vulnerabilities in existing systems and the urgent need for comprehensive regulations to protect citizens and businesses.

The exponential growth in the number of connected devices has made cybersecurity a critical issue for governments and organizations. Cybercriminals have increasingly adopted sophisticated techniques to exploit vulnerabilities in both software and hardware. Moreover, the financial and reputational damage caused by cyber-attacks has escalated, affecting not only large corporations but also small and medium-sized enterprises (SMEs). The EU’s regulatory efforts aim to address these challenges by creating a unified legal framework that fosters cooperation among member states and promotes technological resilience.

Key EU regulations addressing mobile cybersecurity
GDPR

The GDPR, effective since 2018, establishes comprehensive guidelines for handling personal data within the EU. While not exclusively focused on smartphones, the GDPR’s provisions are directly applicable to mobile devices and applications that process personal information. Smartphones often collect and store a vast array of personal data, including contacts, photos, location information, and browsing histories. Under the GDPR, organizations that develop or manage mobile applications must ensure that any personal data collected is processed lawfully, transparently, and for a specific purpose. Users must be informed about what data is being collected, the reasons for its collection, and how it will be used. Moreover, explicit consent from users is required before collecting sensitive information, and they should have the ability to withdraw this consent at any time.

The GDPR also emphasizes the principle of data minimization, meaning that apps should only collect data that is necessary for their functionality. For instance, if an app’s primary function doesn’t require access to a user’s location, it shouldn’t request or collect that information. Additionally, organizations are obligated to implement appropriate security measures to protect personal data stored on smartphones from unauthorized access, loss, or disclosure. This includes using encryption, secure authentication methods, and regularly updating security protocols. Furthermore, the GDPR grants individuals rights over their personal data, such as the right to access, rectify, or erase their information. Mobile applications should provide users with straightforward mechanisms to exercise these rights. For example, an app might include settings that allow users to view the data collected about them and request its deletion if desired.

One of the primary objectives of the GDPR is to ensure transparency and accountability in data processing activities. Organizations are required to obtain explicit consent from users before collecting or processing their personal data. Additionally, the regulation mandates organizations to notify authorities and affected individuals in the event of a data breach. By safeguarding citizens’ rights and reducing the risk of data breaches, the GDPR has become a cornerstone of the EU’s cybersecurity strategy. Organizations and developers must ensure that their mobile applications adhere to GDPR principles to protect user privacy and avoid potential penalties.

Figure 4 illustrates the total number of GDPR fines issued over time, showing a steady and almost linear increase. The enforcement activity started slowly in 2018, but by 2019, the number of cases rose at a faster pace. The consistent upward trend indicates that GDPR enforcement has been persistent, with regulatory bodies actively monitoring and penalizing non-compliance. Even in 2024 and early 2025, new fines continue to be imposed, demonstrating that data protection authorities are still actively ensuring compliance. While the financial penalties have seen occasional sharp increases due to high-profile cases, the enforcement activity itself has remained steady. This reinforces the idea that GDPR compliance is an ongoing requirement rather than a one-time concern for organizations handling personal data.

Figure 4

Cumulative number of GDPR fines over time.

Figure 5 shows how GDPR fines are distributed across sectors, highlighting the industries most affected by data protection violations. The Media, Telecoms, and Broadcasting sector leads by a significant margin, accounting for the vast majority of penalties. This is particularly relevant for mobile cybersecurity, as telecom providers and digital media companies process massive amounts of personal data, including location tracking, online behaviors, and communications metadata. Mobile cybersecurity is directly tied to GDPR compliance, as smartphones are at the core of how personal data are collected, processed, and shared. Several key observations emerge when we analyze the chart in this context. Telecom providers and digital platforms often handle personal identifiers, call logs, browsing history, and app usage data. A lack of proper encryption, security vulnerabilities, or failure to obtain explicit consent for data tracking can lead to GDPR violations. High-profile cases, such as fines against major social media platforms and messaging services, show the regulatory focus on mobile-based privacy concerns.

Figure 5

Sum of GDPR fines by sectors.

Many mobile apps in retail, finance, and e-commerce fail to implement proper user consent mechanisms, leading to excessive data collection. Security lapses in these apps can expose customer payment details, addresses, and personal data to cyberattacks. Unauthorized tracking of user behavior for marketing purposes has resulted in significant fines. Many organizations have been fined for excessive employee monitoring through mobile tracking tools, biometric data collection, or unauthorized access to personal mobile communications. The increased use of bring-your-own-device policies has introduced new risks, where work-related apps on personal smartphones can create security loopholes. This chart reinforces the fact that sectors handling large amounts of personal data on mobile devices are also the most vulnerable to GDPR violations. The growing reliance on smartphones for communication, banking, work, and healthcare means that mobile cybersecurity must be a top priority for compliance. Companies must ensure that mobile apps and services adhere to GDPR principles, including:

Data minimization (collecting only necessary data).

User transparency and consent (clear permissions for data tracking).

Strong encryption (protecting sensitive information from breaches).

Security updates (patching vulnerabilities in mobile apps regularly).

Cybersecurity act

The EU’s Cybersecurity Act, which came into force in 2019, establishes a comprehensive framework for cybersecurity certification across EU member states. This framework is designed to ensure that information and communication technology (ICT) products, services, and processes, including smartphones, meet consistent cybersecurity standards throughout their lifecycle. Under this act, the EU Agency for Cybersecurity (ENISA) is empowered to develop certification schemes that define specific requirements for various ICT products and services. For smartphones, this means manufacturers are encouraged to adhere to these certification schemes to demonstrate that their devices comply with established cybersecurity standards. While the certification is voluntary, it serves as a benchmark for security, promoting trust among consumers and stakeholders.

Building upon the foundation laid by the Cybersecurity Act, the EU introduced the Cyber Resilience Act in 2024. This legislation imposes mandatory cybersecurity requirements on products with digital elements, explicitly including smartphones. Manufacturers are now obligated to ensure that devices are designed and developed with security in mind, addressing potential vulnerabilities from the outset. Additionally, they must provide security updates and inform users about how to maintain the device’s security over its operational lifespan.

In the United States, while there is no single comprehensive cybersecurity law equivalent to the EU’s framework, various federal regulations affect smartphone security. The Federal Trade Commission Act (FTC Act) prohibits unfair or deceptive trade practices, which the Federal Trade Commission (FTC) interprets to include inadequate data security measures. This interpretation holds smartphone manufacturers and app developers accountable for implementing reasonable security practices to protect consumer data. Furthermore, the National Institute of Standards and Technology (NIST) has published guidelines, such as SP 800-124, which provide recommendations for securing mobile devices. These guidelines, while not legally binding, serve as valuable resources for organizations aiming to enhance the security of smartphones within their operations.

Both the EU and the United States have established frameworks and guidelines to enhance the cybersecurity of smartphones. The EU’s approach combines voluntary certification with mandatory requirements, ensuring a comprehensive strategy to mitigate risks associated with smartphone usage. In contrast, the United States relies on a combination of regulatory enforcement and advisory guidelines to promote secure practices among manufacturers and users.

Network and information systems security directive 2 (NIS2)

Directive 2022/2555, known as the Network and Information Systems Security Directive 2 (NIS2), adopted by the EU in 2022, aims to enhance cybersecurity across critical sectors by establishing comprehensive risk management and incident reporting requirements. The evolution from the NIS Directive to NIS2 brings substantial changes in cybersecurity regulations, particularly in the areas of risk management, incident reporting, harmonization across EU member states, and enforcement mechanisms. These revisions reflect the increasing complexity of cyber threats and the need for a more unified and stringent regulatory framework across the EU. While NIS2 does not explicitly focus on smartphones, its broad definition of “network and information systems” encompasses devices such as smartphones and tablets. Consequently, organizations must consider mobile device security within their compliance strategies. NIS2 mandates that entities implement robust cybersecurity measures, including policies on risk analysis, incident handling, and supply chain security. Given the prevalent use of smartphones in professional settings, securing these devices becomes essential to prevent unauthorized access and data breaches. Implementing mobile threat defense solutions can help organizations detect and mitigate risks associated with mobile devices, thereby aligning with NIS2’s requirements.

Furthermore, NIS2 emphasizes the importance of multi-factor authentication (MFA) to prevent unauthorized access. Applying MFA to smartphone access ensures that only authorized personnel can retrieve sensitive information, thereby enhancing overall security. A significant feature of NIS2 is the establishment of computer security incident response teams to coordinate threat responses and share information. These teams play a crucial role in identifying vulnerabilities and mitigating risks. The directive also promotes cross-border collaboration through the European Cyber Crisis Liaison Organisations Network (EU-CyCLONE), which ensures a coordinated response to large-scale cyber incidents. By fostering cooperation and information sharing, NIS2 enhances the EU’s collective ability to address cybersecurity challenges.

According to Table 1, the scope of cybersecurity regulations has expanded significantly with the transition from the NIS Directive to NIS2. The original NIS Directive primarily focused on essential service operators, such as those in the energy and transport sectors, along with certain digital service providers, including search engines and cloud services. This approach aimed to secure critical infrastructure but left many sectors with less regulatory oversight. With NIS2, the framework has evolved to cover a much broader range of industries. The directive now includes digital infrastructure providers, such as DNS service providers, and extends to public administration and the food sector. This expansion acknowledges the increasing digitalization of essential services and the growing interconnectivity between industries.

Table 1

Scope extensions of NIS Directive to NIS 2

NIS 1                                    NIS 2
Drinking water supply and distribution   Water – drinking water, waste water
Energy                                   Energy – electricity, district heating and cooling, oil, gas, hydrogen
Digital infrastructure                   Digital infrastructure
Banking                                  Banking
Financial market infrastructures         Financial market infrastructures
Health                                   Health
Transport                                Transport – air, rail, water, road
–                                        ICT service management (B2B)
–                                        Public administration
–                                        Space
–                                        Postal and courier services
–                                        Waste management
–                                        Manufacture, production and distribution of chemicals
–                                        Production, processing and distribution of food
–                                        Manufacturing – medical devices, computer electronic or optical products, machinery, vehicles
–                                        Digital providers
–                                        Research

Source: Annex I and Annex II of Directive (EU) 2022/2555.

Additionally, NIS2 introduces a dual classification system, distinguishing between “essential” and “important” entities based on their size and sectoral relevance. This means that companies operating in regulated sectors must comply with cybersecurity requirements depending on their economic and social importance, not just their industry type. As a result, the directive ensures a more comprehensive level of protection across the economy, addressing vulnerabilities beyond critical infrastructure and reinforcing cybersecurity measures across both private and public entities.

One of the most significant enhancements introduced by NIS2 is the reinforcement of risk management and cybersecurity requirements. While the original NIS Directive mandated that entities implement risk management practices, the updated framework imposes stricter and more comprehensive obligations. A key area of focus in NIS2 is supply chain security, requiring organizations to assess and mitigate risks associated with third-party vendors and service providers. The directive also mandates enhanced incident response planning, encryption standards, and business continuity measures, ensuring that organizations are not only equipped to prevent cyber incidents but also prepared to respond effectively in case of a breach.

Another critical change under NIS2 is the tightening of incident reporting requirements. The original NIS Directive required entities to report cyber incidents to national authorities within a reasonable timeframe, which allowed for flexibility but also led to inconsistencies in reporting practices. NIS2 establishes a more stringent and structured timeline: entities must submit an initial report within 24 h of discovering a significant cybersecurity incident, followed by a detailed follow-up report after 72 h. A final comprehensive report, outlining the full impact of the breach and the remedial actions taken, must be submitted within 1 month. These revised requirements ensure that cyber incidents are addressed swiftly and that regulators receive timely and detailed information to mitigate risks.

Beyond risk management and reporting obligations, NIS2 strengthens harmonization across EU member states by introducing clear and uniform classification criteria for determining which entities fall under its scope. Under the original NIS Directive, national authorities had greater discretion in interpreting and enforcing cybersecurity rules, leading to regulatory fragmentation across different jurisdictions. In contrast, NIS2 establishes standardized guidelines for classifying entities as either “essential” or “important,” ensuring greater consistency in cybersecurity governance. This change reduces legal uncertainty for businesses operating in multiple EU countries and fosters a more cohesive and predictable regulatory environment.

To further reinforce compliance, NIS2 significantly enhances enforcement mechanisms and strengthens liability provisions. Under this new framework, management bodies within covered entities are now explicitly accountable for ensuring compliance with cybersecurity obligations. Senior executives and board members may be held personally liable if their organizations fail to meet the directive’s requirements. In addition to increased individual accountability, the financial penalties under NIS2 are considerably more severe than those under the original directive. Essential entities that violate the regulations can face fines of up to €10 million or 2% of their global annual turnover, representing a major escalation in enforcement measures.

While NIS2 does not specifically target smartphones, its comprehensive approach to cybersecurity necessitates that organizations include mobile device security in their risk management frameworks. By implementing appropriate security measures, organizations can ensure compliance with NIS2 and protect their information systems from potential threats.

Discussion

The EU’s regulatory framework reflects a comprehensive approach to cybersecurity, addressing diverse aspects from personal data protection to critical infrastructure security and product resilience. The GDPR, NIS2, and Cyber Resilience Act collectively provide a robust foundation for tackling cybersecurity challenges, but their implementation requires continuous adaptation to the evolving threat landscape.

One of the critical challenges is ensuring compliance across all member states. While these regulations provide a unified legal framework, their effectiveness depends on consistent enforcement and cooperation. Member states must invest in building their cybersecurity capabilities, including education, training, and public awareness campaigns. Additionally, the rapid pace of technological innovation necessitates ongoing updates to the regulatory framework to address new vulnerabilities and threats. Another area of focus is the balance between security and innovation. Regulations must not stifle technological progress or impose undue burdens on businesses, particularly SMEs. The EU has sought to address this concern by incorporating provisions that promote sustainable development and economic growth. For example, the Cyber Resilience Act includes specific measures to support SMEs while ensuring compliance with cybersecurity standards.

The recent report by Mario Draghi, former President of the European Central Bank, has reignited discussions surrounding the competitiveness of the EU in the global technological landscape, particularly in the context of the increasing regulatory burden on technology sectors. Draghi’s report, released on September 9, 2024, emphasizes the urgent need for the EU to enhance its economic growth and competitiveness, which he argues has been stifled by excessive regulation and a lack of coherent policy direction (“The Draghi report interrupts the EU silent ‘family dinner’,” 2024). This literature review connects Draghi’s insights to the broader discourse on EU regulations in technology, highlighting the challenges posed by regulatory fragmentation and the implications for innovation and economic resilience.

Draghi’s report articulates a clear concern that the EU’s regulatory environment has become overly complex, potentially hindering technological advancement and economic growth. He advocates for a significant investment of €800 billion annually to stimulate growth and competitiveness, suggesting that the current regulatory landscape may not support such ambitious financial commitments (Kempf, 2024). The report underscores the need for a regulatory framework that fosters innovation rather than impedes it, aligning with the views of various scholars who argue that excessive regulation can stifle technological development and economic dynamism (Turk, 2024). For instance, the call for a more streamlined approach to regulation resonates with critiques of the EU’s existing regulatory frameworks, which are often seen as cumbersome and misaligned with the fast-paced nature of technological innovation (Turk, 2024).

Furthermore, the Draghi report highlights the existential risks faced by the EU due to its declining competitiveness relative to the United States and other global players. This concern is echoed in the literature, which points to the need for a cohesive strategy that balances regulatory oversight with the promotion of innovation (“The Draghi report interrupts the EU silent ‘family dinner’,” 2024). The fragmentation of regulations across different sectors, particularly in technology, has been identified as a significant barrier to achieving a unified EU market that can compete effectively on the global stage (Haesendonck, 2023). The complexity of navigating multiple regulatory frameworks can deter investment and innovation, as companies may struggle to comply with varying standards and requirements across member states (Turk, 2024). In addition, the report’s emphasis on the necessity of stakeholder involvement in shaping regulatory frameworks aligns with ongoing discussions about the importance of inclusive policymaking in the EU (Haesendonck, 2023). Engaging diverse stakeholders can lead to more effective regulations that consider the needs of businesses and consumers alike, ultimately fostering a more conducive environment for technological advancement. The literature suggests that a collaborative approach to regulation, which includes input from industry leaders, policymakers, and civil society, can enhance the legitimacy and effectiveness of regulatory measures (Julian et al., 2022).

On the other hand, the work of Vasilescu et al. (2023) provides a complementary perspective. Their research highlights critical security vulnerabilities in IoT devices used in smart homes, emphasizing the need for robust regulatory and technical solutions. While EU regulations focus on broader cybersecurity measures, Vasilescu et al. argue that IoT security demands specific safeguards due to the interconnected nature of smart home ecosystems. This connection underscores the necessity for EU cybersecurity policies to integrate targeted IoT security strategies, ensuring that regulatory frameworks address emerging risks in an increasingly digitized environment. By incorporating insights from Vasilescu et al., this discussion highlights the potential for a more comprehensive approach to cybersecurity governance, bridging the gap between regulatory frameworks and domain-specific challenges.

The role of international cooperation cannot be overlooked. Cyber threats are not confined to national borders, and effective mitigation requires collaboration at the global level. The EU’s approach to cybersecurity serves as a model for other regions, emphasizing the importance of transparency, accountability, and collaboration in addressing shared challenges.

Conclusion

Cybersecurity regulations in the EU are pivotal in safeguarding digital ecosystems and protecting citizens from cyber threats. The GDPR, NIS2, and Cyber Resilience Act collectively establish a proactive and unified strategy to address the complexities of cybersecurity.

By fostering collaboration among member states, promoting technological innovation, and balancing security with economic growth, the EU’s regulatory framework sets a global benchmark for addressing cybersecurity challenges. As the digital world continues to evolve, these measures will play a vital role in building trust, resilience, and sustainability in the EU’s digital future. To ensure the long-term effectiveness of these regulations, the EU must continue to invest in research, innovation, and public awareness, adapting its approach to meet emerging challenges.

Author contributions

All authors jointly contributed to all aspects of the research and manuscript preparation, including conceptualization, methodology, analysis, and writing. All authors reviewed and approved the final version of the manuscript.

Conflict of interest statement

Authors state no conflict of interest.