[Illustration: part of the EU flag with icons representing security overlaid]

2023 saw a raft of legislative activity in the European Union (EU) relating to security, especially with respect to critical infrastructures. This will impact providers of goods and services, who will need to ensure they comply with relevant EU regulations and national laws as they come into force.

Francesco Bordone, Manager for Cybersecurity Policies at the European Cyber Security Organisation (ECSO), explains which security regulations organisations need to be aware of. (This is an extract from an original longer article.)

EU Cybersecurity Strategy

The developing cybersecurity landscape can be traced back many years, but one of the key documents that helped to shape recent policy and legislation was the EU Cybersecurity Strategy for the Digital Decade. Published in 2020, it was prompted by the digital transformation of society, which was intensified by the COVID-19 crisis.

“The EU Cybersecurity Strategy includes revised rules on the security of network and information systems, which translated into the revision of the NIS Directive – the so-called NIS2 Directive. Then it talks about the European Cyber Shield, which was proposed thanks to the Cyber Solidarity Act, and is essentially a way of saying that the Commission would like to have a network of SOCs [security operations centres] that are connected, possibly enhanced by AI, in order to detect cyberattacks as much as possible in real time and exchange cyber threat intelligence in order to prevent future attacks. The Strategy also talks about defining high standards of cybersecurity for connected objects, and this was done thanks to the Cyber Resilience Act.”

Cyber Resilience Act

“The Cyber Resilience Act provides horizontal cybersecurity requirements for all digital products and services, covering both hardware and software. Essentially, every object that has a digital component is likely to fall in the scope of this Act; the only things considered outside its scope are passive things like cables, or cloud services if they do not provide computational power for enabling IoT objects.

“The requirements of the Cyber Resilience Act will be the same for all digital products and services, including generic aspects like security by design and default, and the whole lifecycle approach, meaning that a product will need to receive vulnerability patches even after it is sold. There are also reporting obligations, whereby you will need to inform the relevant public authority if you find a vulnerability after you have placed a product on sale, and say how you are going to resolve this.”

Cyber Solidarity Act

The Cyber Solidarity Act was proposed by the Commission in April 2023 to improve the preparedness, detection and response to cybersecurity incidents across the EU, specifically significant and large-scale ones. It introduces three pillars: a European Cyber Shield; a Cyber Emergency Mechanism; and a Cybersecurity Incident Review Mechanism.

The concept of the Cyber Shield is that there should be at least one public administration SOC per Member State and these will be connected at EU level to exchange cyber threat intelligence and improve the detection of cyberattacks.

In the second pillar, the Cyber Emergency Mechanism aims to strengthen the preparedness of critical infrastructures, for example through coordinated testing of entities in the highly critical sectors identified under the NIS2 Directive (see below) against common risk scenarios. It also creates an EU Cyber Reserve of trusted private European providers, certified under a scheme adopted under the Cybersecurity Act, that can be called on to provide incident response and recovery services if there is a significant or large-scale cyberattack, including one that crosses borders.

The third pillar is a Cybersecurity Incident Review Mechanism through which the EU Agency for Cybersecurity (ENISA) will review past cyberattacks, assess their impact and any response, and share information, including lessons learned and recommendations.

[Image: electricity pylons with an overlaid graphic of connected lines and dots]

NIS2

The NIS2 Directive (Directive (EU) 2022/2555), which sets out the cybersecurity risk-management and reporting obligations for critical infrastructure entities and their supply chains, entered into force in January 2023; Member States had until October 2024 to transpose it into national law. It replaces the NIS Directive of 2016, extending its reach to additional sectors and digital service providers, imposing stricter measures and fines, and tightening the incident-reporting obligations that already existed under NIS: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within a month.

To comply with NIS2, organisations in scope need to address areas such as cryptography and encryption, security testing including penetration testing, vulnerability handling and patching, and the security assessment of software they acquire or develop. There are also reporting obligations should a significant incident occur, and cross-border incidents are coordinated between Member States through the CSIRTs network and the European cyber crisis liaison organisation network (EU-CyCLONe), with ENISA providing support and the secretariat, so that the affected states can contain the incident, recover from the attack and prevent similar attacks in future.

The Directive applies to entities classified as essential or important in the sectors listed in its annexes, such as healthcare, transport, banking, digital infrastructure and water supply, but each Member State must draw up its own list of the individual hospitals, water supply companies and other entities that fall under the Directive.

Critical Entities Resilience Directive

The Critical Entities Resilience Directive (CER) creates an overarching framework addressing the resilience of critical entities in respect of all hazards, whether natural or man-made, accidental or intentional.

Just as NIS2 enlarged the scope of its predecessor, CER widens the 2008 European Critical Infrastructure Directive (2008/114/EC), which covered only the energy and transport sectors; CER now also encompasses banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, and the production, processing and distribution of food.

Vertical legislation

“Vertical legislation is everything that is sector specific, such as the Electronic Communication Code for telecoms, or the EUCS Certification Scheme [EU Cybersecurity Certification Scheme on Cloud Services] for the cloud, or DORA [the Digital Operational Resilience Act] for the finance sector. This kind of legislation only affects companies if they operate in a specific sector.”

As an example, DORA (Regulation (EU) 2022/2554) regulates protection against, and the detection, containment and recovery from, ICT-related incidents across the operations of the EU financial sector. The Regulation seeks to achieve a common level of digital operational resilience by establishing uniform requirements for the security of the ICT systems supporting financial entities, including the management of risk from the third-party ICT providers they depend on. Unlike a Directive, DORA is a Regulation, so it is binding and directly applicable in all EU Member States without national transposition; its requirements apply from 17 January 2025.

Getting prepared

With so much new legislation around cybersecurity, where should organisations start?

“If you are a company, you should first make sure you are applying horizontal legislation. So if you produce digital products, you should apply the Cyber Resilience Act, which specifies the minimum requirements. Then you should check if any sector-specific legislation applies to you, such as DORA, which goes into more depth about what is required for your sector.”