Europe has emerged as a hub for developing cyber policies, acting to improve software security, and quickly reporting severe breaches. The European Commission has introduced some pretty cutting-edge legislation and regulations in response to the effects the war in Ukraine had on businesses operating in the EU and the shifting of criminal activity away from US territory. These steps intend to adjust European cybersecurity policy to the changing threat environment.
Analysts point out that the EU's actions are "more expansive than recent policymaking in the United States," despite the EU being frequently criticized for its bureaucratic procedures.
Only in the last quarter of 2022, we saw two significant initiatives materializing:
First update on the NIS Directive
The EU approved the first revision to the Network and Information Systems (NIS) Directive on November 28, 2022. The update intends to significantly strengthen the EU, the public and private sectors, and their capacities for incident response. The new regulation, known as NIS2, will establish standards for cybersecurity risk management practices and reporting requirements across all sectors it covers, including energy, transportation, health, and digital infrastructure. The updated regulation keeps a broad principle in place. Still, it adds new clauses to ensure proportionality, more outstanding risk management, and specific criticality standards to let national authorities choose whether other companies should be included. It includes a 24-hour deadline for such organizations to disclose major cyber incidents as soon as they become aware. Governments must incorporate the directive's requirements into national law within 21 months of the directive's effective date.
Proposal of the Cyber Resilience Act
The EU proposed a new Cyber Resilience Act in September 2022 to safeguard customers and businesses against goods with insufficient security features. The proposed Act, based on the 2020 EU Cybersecurity Strategy, will ensure that digital goods for EU customers, including software and wireless and wired products, are more secure. In addition to making manufacturers more accountable by requiring them to offer security assistance and software updates to fix discovered flaws, this will give consumers appropriate knowledge about the cybersecurity of the items they use and purchase.
A far-reaching impact
The United States may be impacted by the rules that Europe is adopting. When Europe published GDPR, a similar issue emerged since sites operating in Europe were required to abide by its regulations, even if they weren't based in Europe.
But these regulations provide the incentive and the motivation to enable secure-by-design products and resiliency. The Cyber Resilience Act mandates that the most critical products have their compliance with EU security standards evaluated by a third party. In addition to the 24-hour reporting requirement, NIS2 addresses additional topics such as supply chain security, executive liabilities, and the imposition of fines and penalties.
Cyber hygiene practices can help you comply with these regulations
If you feel that achieving compliance with these regulations (and many more) is a tenuous exercise, fear not! If you consistently practice good cybersecurity hygiene, you are already on your way to being compliant with NIS2 or the upcoming Cyber Resilience Act.
Although attacks are becoming more advanced, the fact, however, is that most successful attacks are the result of routine lapses:
- Lack of visibility on what endpoints are connecting to your network
- Failing to monitor and deploy patch updates consistently and rapidly
- Misconfigurations or poor and insecure configurations
- Not enforcing strong authentication and authorization
- Slow identification and resolution of breaches, ultimately harming core business operations
Cybercriminals profit from these errors. Cyber hygiene reduces the opportunity for fraudsters to infiltrate an organization's network, or at the very least, makes it so difficult that they give up and hunt for another victim.
Compliance is the key benefit of excellent cyber hygiene, besides the apparent advantage of robust cybersecurity. These laws—among many others—set the incentives and requirements for putting into practice fundamental cyber hygiene best practices, noting that it is the crucial responsibility of businesses to defend themselves against dangers and increase the economy's resilience against cyberattacks. Cyber hygiene is one of the best ways to improve any organization's overall security posture and compliance.
This is the best time to invest in launching your compliance program. Regulations are only getting stricter and increasing in numbers and applicability. Thales offers a broad portfolio of products and services that enable your organization to strengthen its cyber security capabilities, address the security of supply chains, streamline reporting obligations and comply with more stringent supervisory measures and stricter enforcement requirements for NIS2 and other regulations. In addition, Thales works closely with partners to offer comprehensive solutions that can reduce the scope of your compliance burden. To learn more, visit our dedicated NIS2 page here or download the NIS2 compliance brief.