ZealiD Blog

Opinion: Europe’s Rising Cybersecurity Bar – From ETSI to NIS2 and Beyond

Written by Philip Hallenborg | Sep 26, 2025

Returning from CA Day 2025

I just came back from a fantastic joint session organized by ENISA: Trust Services, eID Forum and CA Day 2025. The room was full of trust service providers, policymakers, and supervisors. 

What struck me most was how quickly the regulatory landscape is shifting in Europe—and how much more demanding it has become since I first lived through it five years ago.


Remembering 2020: The ETSI Mountain

In 2020, ZealiD was still a young company. To operate as a qualified trust service provider, we had to comply with ETSI EN 319 401 and related standards. For those outside our niche: this was not a light touch. We had to document every process, implement controls at enterprise level, and present auditors with clear evidence.

For us, it was painful. We were a small team operating on limited resources, yet we were suddenly expected to meet the compliance standards of banks and large institutions. Looking back, I thought at the time: this is the highest bar possible. Passing that audit felt like the summit.

 

2025: A New Layer of Regulation

What I realize now is that 2020 was just the beginning. The regulatory bar has risen—and it has multiplied. Companies are not facing a single peak, but a whole range of obligations:

  • NIS2 (effective October 2024): Expands scope to essential entities, mandates board-level accountability, and imposes fines of up to €10M or 2% of turnover.

  • CIR-NIS2 (November 2024): Sets strict incident reporting deadlines, including a 20-minute initial threshold.

  • DORA (January 2025): Brings ICT providers to financial institutions under direct supervision of the European Supervisory Authorities.

  • CRA (December 2027): Introduces security-by-design requirements for all products with digital elements, reshaping supply chains.

  • eIDAS2 (in force May 2024): Extends obligations for trust service providers under national supervisory authorities.

The result is that companies are now subject to overlapping, non-harmonized requirements. Each framework comes with its own scope, supervisor, and penalties. 

 

Why This Feels Different

In 2020, success meant showing you had policies, risk assessments, and control structures in place. Today, it is about operational proof:

  • Demonstrating that controls actually work in practice.
  • Providing evidence logs and audit trails at a forensic level.
  • Reporting incidents within hours—or minutes.
  • Involving boards and executives directly in governance, with documented accountability.

In short: it is no longer enough to design a compliance framework. You must live it every day.

 

The Double Edge

On one hand, I welcome this evolution. As someone who works in identity and trust, I know society benefits from stronger digital security and resilience. On the other hand, the burden is undeniable—especially for small and mid-sized companies.

Complying with ETSI in 2020 nearly stretched us to breaking point. Today’s combined requirements of NIS2, DORA, CRA, and eIDAS2 demand even more resources, expertise, and operational maturity. For many, the compliance burden is no longer a side project; it defines how they must run their businesses. 

 

A Founder’s Takeaway

My advice to fellow leaders is clear:

  • Plan early – compliance can no longer be managed reactively.
  • Embed governance at the core – standards like ISO 27001 or ETSI are a baseline to map against multiple regulations.
    Educate your board – because accountability now extends to them.
  • See compliance as strategic – the cost is high, but the trust gained is real competitive advantage.

Closing Reflection

Back in 2020, I believed ETSI 319 401 was the toughest hurdle we would ever face. I now see it was just a warm-up. The bar in 2025 is higher, wider, and heavier. But if Europe is to lead the world in digital trust, this is the path we must walk.

As founders, leaders, and service providers, our challenge is not just to survive this regulatory squeeze, but to turn it into resilience—and ultimately, trust. And trust is the one currency in digital society that never loses its value.

 


About ZealiD

ZealiD is an EU Qualified Trust Service Provider offering identity wallets and qualified electronic signatures across Europe. We are a certified Microsoft ISV Partner and trusted by financial institutions, Fortune 500 companies, and national governments.



 
View full post