Column by Tatyana Isakova about European and Russian regulation in the field of cybersecurity


In Russia, regulation in the field of cybersecurity has not surprised anyone for more than a year: requirements for the protection of data and IT infrastructure have appeared everywhere – from presidential decrees to government decrees and orders of industry regulators. In Europe, digital regulation has traditionally been more conservative. But this week the EU Council published a regulation for ensuring the cybersecurity of organizations, which established common data protection methods for all member countries.

While the EU and Russia are now in antiphase on literally every other political matter, the regulation surprisingly echoes the decree of the President of the Russian Federation of May 1, 2022. In the EU, according to the document, by April 8, 2025, every organization must create an internal “cybersecurity risk management structure.” Lawyers explain that the new rules are mandatory for public sector institutions and organizations and oblige each EU entity to implement protection measures depending on the risks.

Every organization should also strive to allocate “an adequate share of its IT budget to improve cybersecurity, with a target of at least 10% over the long term.” This is intended, among other things, to “prevent a violation of the authenticity, integrity or confidentiality of data.”

Such changes are atypical for the EU, especially in that they extend to all member countries, according to my interlocutors in the cybersecurity market: regulators traditionally leave many issues to be resolved at the regional level, which is why the legislation can be called “flexible.” Moreover, the regulation is also intended to stimulate investment by European companies in products of local developers. My market interlocutors believe that this is primarily necessary to limit the presence of American companies in the market and force them to comply with European data policies. Doesn’t that remind you of anything?

In the Russian Federation, this problem resolved itself: most of the Western companies, which limited the demand for solutions from local vendors, simply left the market after the outbreak of the military conflict with Ukraine.

A similar exodus of American players from the European market is now almost impossible to imagine. I admit that local developers in EU countries look at Russian competitors with some degree of envy. And Russian regulators may even be inspired by the ideas of their European colleagues: for example, by adopting the currently missing requirement that state-owned companies and organizations increase their investment in cybersecurity to 10% of the total IT budget.
