European Union Ups Cybersecurity: Rules & Third-Party Assist

The European Union has introduced two critical regulatory frameworks: the Network and Information Security (NIS) Directive and the Digital Operational Resilience Act (DORA). These measures aim to ensure that businesses of all sizes implement strong cybersecurity practices to protect sensitive information.

However, industry experts suggest that the regulations’ full potential might only be realized with the involvement of third-party cybersecurity specialists.

The Growing Cyber Threat Landscape

As businesses increasingly depend on digital infrastructure to connect with clients, customize products, and enhance customer experiences, they simultaneously face heightened risks of cyberattacks. Cybercrime is projected to cost the global economy $9.5 trillion in 2024, escalating by 15% annually to reach $10.5 trillion by 2025, according to Cybersecurity Ventures.

Even the most advanced cybersecurity systems can be compromised, as evidenced by a recent data breach of the United Kingdom’s Ministry of Defence payroll system, exposing the names and banking details of both current and former armed forces members.

European Union’s Response: NIS and DORA

Recognizing the urgent need for stronger cybersecurity measures, the Europe Union has implemented the NIS Directive and DORA. These regulations aim to standardize and enhance cybersecurity practices across member states.

NIS Directive: The NIS Directive focuses on establishing high-level, common cybersecurity best practices. It strengthens system security requirements, addresses supply chain vulnerabilities, streamlines reporting, and introduces stringent supervisory measures with potential sanctions for non-compliance. The directive was initiated in the fall of 2021 and formalized in May 2022, and businesses were given until October 2024 to comply with the new standards.

DORA: DORA targets the financial sector, mandating periodic digital operational resilience testing and the implementation of management systems to monitor and report significant ICT-based incidents to relevant authorities. This regulation aims to ensure that financial entities like banks, insurance companies, and investment firms can maintain operational resilience during severe disruptions.

The development of DORA involved three European Supervisory Authorities: the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA). They established mandatory incident reporting requirements and encouraged cooperation and information sharing among financial entities and regulators to respond effectively to cybersecurity threats.

The Importance of Third-Party Assessments

Darren Humphries, Group CISO & CTO-Partner at Acora, emphasizes the need for continuous measurement of cybersecurity practices. “Risk management is moving away from art to science,” Humphries explains, highlighting the importance of metrics and documentation in meeting regulatory guidelines.

He criticizes the effectiveness of self-attestation, noting that the Ministry of Defence breach partly occurred due to reliance on self-service attestation from suppliers. Instead, Humphries advocates for third-party cybersecurity specialists to evaluate and verify processes, minimizing the risk of oversight.

The evolving threat landscape demands that corporations, especially those in the financial sector, become proactive in addressing potential security vulnerabilities. The new EU regulations push businesses in this direction, but they also need to leverage third-party expertise to thoroughly examine and fortify their cybersecurity frameworks. By doing so, they can better protect network transactions and comply with regulatory requirements, reducing the likelihood of cyber incidents.

Conclusion

The new EU regulations, NIS and DORA, represent a significant step forward in enhancing cybersecurity practices across Europe. However, to maximize their impact and truly safeguard against evolving cyber threats, businesses must incorporate third-party assessments and expertise.

By doing so, they can ensure robust protection of sensitive information and compliance with regulatory standards, ultimately reducing their cybersecurity risks in an increasingly digital world.