What’s on the Regulatory Horizon in the World of Cyber Security?
Cyber threats have, as we all know, swiftly emerged as one of the most pressing risks for organisations worldwide. In addition to the exponential growth of cyber and digital risks, regulatory entities such as the EU are adding to the urgency of establishing a solid systematic cyber and digital risk management as they are implementing several key regulations.
Two of the new key directives are NIS2 and CER that will enter into force during 2024. They are aiming at reducing vulnerabilities and strengthen resilience of critical and digital infrastructure against online and offline threats and cyberattacks. Here is a brief overview of the regulatory horizon in the world of cyber security.
NIS2
The Network and Information Systems 2 Directive (NIS2) is an EU-Directive that addresses the growing threats to cybersecurity against the EU and the increased internal dependencies among companies, sectors, and national borders. It includes more detailed requirements aimed at harmonizing the incorporation of the rules within the EU. The directive also aims at strengthening the resilience of the internal market and enhance its ability to respond to incidents and cyberattacks. NIS2 enters into force on 18 October 2024.
CER
The Critical Entities Resilience Directive (CER) is an EU-Directive that will strengthen the resilience of critical infrastructure to a range of threats. This includes natural hazards, terrorist attacks, insider threats, or sabotage. Organisations that provide critical services (11 sectors are identified) will have legal responsibilities to perform regular risk assessments and evaluate the risks. That may disrupt their delivery of essential services and adopt relevant resilience actions.
Other EU regulations to pay attention to are:
CRA
The Cyber Resilience Act (CRA) is a legal framework that addresses the cybersecurity requirements for hardware and software products with digital elements within the European Union market. Manufacturers will be obliged to take security seriously throughout a product’s life cycle and adhere to mandatory cybersecurity standards as part of the legislation to improve cyber resilience. The CRA was approved on 12 March 2024 by the European Parliament. It now awaits formal approval by the Council.
DORA
For the financial sector, the Digital Operational Resilience Act (DORA) contributes to strengthening its entities’ ICT security. It requires organisations within the financial sector to maintain, for instance, routines for ICT risk management, incident management, and tests of cybersecurity capabilities. DORA entered into force on 16 January 2023 and will apply as of 17 January 2025.
CSA
The purpose of the EU’s Cyber Solidarity Act (CSA) is to instil a pan-European capacity to prepare, detect and respond to cybersecurity incidents. To ensure this, the EU will implement shared mechanisms for detection, response, and recovery. Consequently, organisations in critical sectors might be subject to “coordinated preparedness testing”. The proposal still awaits formal approval from the European Parliament and Council.
AI Act
The EU’s AI Act will regulate AI systems in Europe according to different levels of user risk, from minimal to unacceptable risk. The end goal being that AI systems are used and deployed safely and transparently. The framework will apply to both providers and professional users, although differently depending on the systems’ level of risk. Final approval of the Act is expected in April 2024. Thereafter it will be applicable 24 months after entering into force.
Conclusion
All these regulatory proposals are part of the EU’s push to safeguard digital assets and infrastructure. By keeping track of the evolving regulations, organisations will be better prepared to ensure compliance and digital resilience. For a successful implementation, it is important to integrate the requirements into the everyday business activities and work actively to mitigate the risks.
