How New EU Cybersecurity Legislation Will Address Cybercrime

In today’s interconnected world, cybersecurity is a critical concern for organizations across all sectors. According to Statista, over 181 zettabytes of data are projected to be added to …

Two new pieces of EU legislation, the NIS2 Directive and the Cyber Resilience Act (CRA), are intended to reduce the threat of cyberattacks. Understanding them is far from simple. Businesses need to know what the rules require, how they affect their plans and whether they will be sufficient to solve these challenges.

The Network and Information Security Directive (NIS2)

The European NIS2 Directive, which member states must transpose into national law by 17 October 2024, seeks to enhance the security of network infrastructure and establish a uniform level of cybersecurity across the EU.

It applies to both private and public organizations in the covered sectors that are at least medium-sized, meaning 50 or more employees or an annual turnover and balance sheet total above EUR 10 million, with exceptions that bring smaller entities into scope where their services are critical.

This is an expansion of the 2016 NIS Directive (NIS-D), which defined seven sectors as critical, including energy, healthcare, transport, banking and financial market infrastructure. NIS2 widens the scope to 18 sectors, bringing an estimated 100,000 or more additional organizations across the EU under the rules.

Key Requirements

  • Implementing New Measures

Organizations must implement appropriate technical, operational, and organizational measures to manage risks to the security of network systems, in addition to minimizing the impact of incidents on service recipients.

  • Assessment of Supply Chains

Organizations are required to assess the cybersecurity risks of their ICT supply chains and supplier relationships. Today a breach at a single supplier is often enough to compromise its customers; NIS2 requires in-scope entities to address this risk contractually and in their risk-management measures. The obligation rests with the in-scope entity, so a supplier located outside the EU is not exempt from that assessment and may be required to meet the entity’s security requirements.


  • Shift in Responsibility

Notably, NIS2 shifts compliance responsibility onto individuals within the organization. Management bodies must approve and oversee the cybersecurity risk-management measures and can be held liable for infringements; supervisory authorities can also temporarily ban the individuals responsible from exercising management functions.

  • Other Changes

These changes include more detailed requirements for implementing controls, staged incident-reporting deadlines (an early warning within 24 hours of becoming aware of a significant incident, a full notification within 72 hours and a final report within one month), and administrative fines of up to EUR 10 million or 2% of global annual turnover for essential entities and EUR 7 million or 1.4% for important entities.

The Cyber Resilience Act (CRA)

Recently adopted by the European Parliament, the Cyber Resilience Act (CRA) phases in over the next three years: manufacturers’ vulnerability-reporting obligations apply after 21 months and the remaining requirements after 36 months. While NIS2 focuses on organizational cybersecurity, the CRA targets the manufacturers and suppliers of products with a ‘digital element’.

It will establish a uniform cybersecurity standard for such products, encompassing both hardware and software. This means it will apply to a wide range of products, from baby monitors to mobile apps.

Key Requirements

  • Product Cybersecurity Standard

Under the CRA, digital products sold in the EU must meet uniform security standards. This ensures that the planning, design, and development of these products takes security into account from the get-go, rather than as an afterthought.

  • Duty of Care

Manufacturers and software vendors will have to consider security throughout the product lifecycle. They will have a duty of care to keep products secure for a defined support period (expected to be at least five years unless the product’s lifetime is shorter), to provide security updates during that period, to operate a vulnerability-handling process and to report actively exploited vulnerabilities to the authorities within 24 hours of becoming aware of them.

  • Increased Transparency

Products that comply with these requirements will bear the CE marking. For most products this rests on the manufacturer’s own conformity assessment; products the Act classes as ‘important’ or ‘critical’ require stricter assessment, in some cases by a third party. The marking is intended to let consumers and businesses make informed choices about which products they use.

Challenges of Compliance

While some organizations may already have security measures in place which comply with this new legislation, many more will have to make significant changes over the next few years.

  • Financial Impact

The European Commission’s impact assessment for NIS2 estimated that entities newly brought into scope would need to raise their ICT security spending by up to 22%, and entities already covered by the first directive by around 12%. This covers expenses such as hiring cybersecurity experts, installing new hardware and software, and maintaining updated cybersecurity processes.


  • Technology

NIS2 mandates outcomes rather than specific products, but meeting its risk-management and incident-reporting requirements will, for many organizations, mean significant investment in new defenses, such as Endpoint Detection and Response (EDR), Web Application Firewalls (WAF) and Security Information and Event Management (SIEM) systems.

  • Cultural and Behavioral Shifts

The most substantial challenge lies in changing employee mindsets and organizational culture towards cybersecurity. For new technological investments to be effective, employees must understand the importance of cybersecurity and adhere to the new processes.

Going beyond Regulatory Compliance

While legislation is essential, it alone cannot fully safeguard enterprises from cyber threats. Organizations must integrate cybersecurity into their core operations and align cybersecurity programs with business objectives.

The Path Forward

The primary goal of the EU’s NIS2 and CRA is to significantly reduce the incidence and financial impact of successful cyberattacks. NIS2 will raise the baseline of security for critical services, while the CRA targets manufacturers, requiring that digital products are placed on the market without known exploitable vulnerabilities and are kept patched throughout their support period.

Organizations must proactively safeguard their data, implement robust processes, and foster a culture of cybersecurity awareness to protect against data theft and system attacks effectively.

Despite the substantial costs of compliance, these expenses are minor compared to the potential damages caused by cyberattacks.

The European Commission predicted that …
Source: https://digital-strategy.ec.europa.eu/en/library/cybersecure-digital-transformation-complex-threat-environment-brochure

Individual action by the most aware organizations is not enough; entire supply chains need to be cyber-proofed if the risk of cyberattacks is to be mitigated. That is why legislation matters: it not only sets the required standard of protection, it drives collective action towards a common goal.

This is key when it comes to cybersecurity, as a breach of one product or organization often means a breach for an entire ecosystem. Adherence to the NIS2 and CRA regulations represents a crucial step towards enhancing cybersecurity across the EU.
