Expert Interview Trend 1 – How NIS-2 and the Cyber Resilience Act Are Shaping the Market

We see an urgent need for stricter legislation such as NIS-2 and the EU Cyber Resilience Act to address the growing threats. Have there been any events that have confirmed this trend?

Yes, numerous events have confirmed the need for stricter cybersecurity regulations. In particular, the increase in cyberattacks on critical infrastructure, such as the Log4j vulnerability and ransomware attacks on the healthcare and energy sectors, underline the urgency of measures such as the CRA and NIS-2. Incidents that are not direct cyberattacks, such as the global outage of computer systems in July 2024 caused by a failed update, also demonstrate the far-reaching consequences that the failure of IT systems can have.

What do you consider to be the most important innovations of NIS-2?

One of the most significant innovations introduced by NIS-2 is the widening of its scope to cover a broader range of sectors, including critical areas such as energy, transport, and healthcare. Additionally, NIS-2 emphasizes the importance of comprehensive risk management systems, incorporating supply chain security measures to defend against increasingly sophisticated supply chain attacks. Another key change is the introduction of personal liability for directors who fail to meet the directive’s security requirements. Finally, non-compliance with NIS-2 provisions can lead to substantial penalties, with fines reaching up to ten million euros or two percent of the company’s global annual turnover.

How are directors responding to the issue of personal liability for non-compliance with NIS-2 security requirements?

The introduction of personal liability is attracting increasing attention from directors. Many companies are responding by stepping up investment in compliance and cybersecurity strategies to minimize liability risks. There is also a growing focus on training and management engagement.

To what extent have stricter requirements led to increased investment in security? In which sectors has this been particularly high?

The stricter requirements of NIS-2 and the CRA have led to increased investment in security, particularly in sectors such as finance, energy and healthcare. These sectors will need to invest significant resources to meet the new compliance requirements and secure their infrastructure. Companies that bring digital products to market are requesting support to enhance the cybersecurity of their products. This applies to all types of businesses, from those offering consumer products to manufacturers of industrial automation components.

What are the biggest challenges for companies in implementing these requirements?

One of the biggest challenges companies face in implementing the NIS-2 requirements is the complexity of the new regulations, which demands a thorough understanding and careful adaptation of internal processes. Additionally, the cost of implementing comprehensive risk assessment and supply chain security measures can be significant, placing a financial burden on many organizations. Compounding these difficulties is the lack of internal expertise in numerous companies, making it difficult to effectively meet the directive's stringent new requirements.

What are the particular challenges faced by global companies in implementing NIS-2 and the CRA?

When implementing NIS-2, the Cyber Resilience Act (CRA) and the Radio Equipment Directive (RED), global companies face the challenge of harmonizing different regulatory requirements in different countries. Global organizations must ensure that they comply with both EU regulations and other international standards, such as NIST guidelines in the US or industry-specific regulations in Asia. Harmonizing these different regulations is particularly challenging as some regions, such as the US, rely more on risk-based approaches, while the EU often has stricter mandatory security requirements and reporting obligations. To overcome these challenges, organizations are increasingly turning to global compliance frameworks that combine different regulatory requirements, such as ISO 27001, IEC 62443 or NIST CSF.

What should organizations do to prepare for the introduction of NIS-2 and the CRA?

Organizations should now conduct comprehensive risk assessments, develop contingency plans and align their IT and OT infrastructures with security standards such as ISO 27001, IEC 62443 or the NIST CSF. In addition, employee training is an important step in promoting a resilient security culture. Companies selling products with digital elements in the EU must ensure that their products comply with the new regulations. This includes conducting an EU CRA readiness analysis to identify which products are covered by the EU CRA and to assess the gaps between the current status and the requirements of the EU CRA. Significant efforts will be required to implement and develop the necessary measures to close these gaps.

What long-term benefits do you see from the CRA, both for businesses and consumers?

The Cyber Resilience Act will bring long-term benefits to businesses and consumers, in particular by introducing the concept of 'security by design'. This principle requires manufacturers to consider security at the product development stage, rather than adding it as an afterthought. Consumers can be confident that the digital products they use are secure and that their personal information is better protected. In addition, companies are obliged to provide security updates for their products for at least five years, ensuring that consumers continue to benefit from higher levels of security after purchase.

Do you want to meet the increasingly strict legal and regulatory requirements in the field of cybersecurity? We're happy to help you!

For more information, please get in touch with our experts.

We would be happy to provide you with a non-binding offer.