New and extended existing EU regulations focusing on information security

In the next five years a slew of new EU regulations will have major impact on your company, your business, and your sector. As a response to the supply chain collapse during COVID, the Chinese challenge and the rampage of ransomware, the EU undertook to lead the transformation of cyber security to cyber resilience. In doing so, the EU directly challenges the existing world order of the US dominated big tech. This document aims to highlight the obligations and opportunities this brings to you.

The first major change has already begun, NIS2

This directive on security of Network and Information Systems sets and extends rules for critical infrastructure providers and its supply chain (that’s IT on reporting security incidents breaches and vulnerabilities) and working with the governments. Considering recent experiences the width of what is vital infrastructure has been massively extended. It mandates all organizations in scope to have mature Incident Response capabilities to work with national and EU CSIRTs. This way, the EU cyber response organization will know what is happening and will coordinate response. In other words, it can tell your company what worked somewhere else. You really need to check if your company is part of the vital infrastructure.

RCE Resilience of Critical Entities) obliges critical infrastructure providers to have provableresilience (business against all causes, including cyber security. DORA expands RCE for the financial sector and its supply chain, specifically for the electronic and digital nature of payments RCE/DORA should make you review current IT contracts and is likely to change and grow the demand for security monitoring and managed response.

The CRA (Cyber Resilience Act) extends the “community of product standards” to the field of cyber security. Vendors and suppliers are expected to self-certify products against EU certification standards (yet to be delivered), as maintained by the ENISA (the EU agency for cyber security). After certification, regular EU product liability applies – if a supplier doesn’t deliver as promised, provable damage can be recovered by the customer via the supplier. The supplier then can hold the vendor responsible for the damages, which is not limited to direct damages alone. Resellers must cover product liability from their suppliers and should consider validating what they resell.

The result of bureaucratic pressure of supply chain security and the economy of scale will be that customers will reduce the number of suppliers and sub-suppliers – which is a direct threat to all small and mid-sized MSSPs. A shakeout is likely – and for the suppliers it is grow or die.

Finally, the EU’s ambition to become autonomous in technology, which in practice means at least less dependent on US big tech, brings chances and threats to cyber security on the European market. The topic, colloquially called ‘sovereignty’ warrants your structural attention, as geopolitics have become an undeniable force in the world of cyber security.

We support you!

We have compiled all the important requirements of the rapidly developing EU regulations and what measures you need to take in the following whitepaper.