Two new sets of regulations introduced by the European Union (EU) indicate that the public sector is taking increased interest in improving cybersecurity and resilience.
The EU is introducing the Digital Operational Resilience Act (DORA) for financial institutions and the Cyber Resilience Act (CRA) for software and hardware providers, both designed to enforce software security and secure delivery of services. These legislative acts follow the recent announcement by the White House of the introduction of a new U.S. national cybersecurity strategy designed to defend critical infrastructure, thwart threat actors, increase investment, and build stronger international partnerships to improve cybersecurity worldwide.
The new moves by the EU could have a significant impact on European organizations and on international organizations operating in Europe. In line with the U.S. legislation, they pivot towards formal regulation because individual organizations’ cybersecurity efforts and voluntary measures by various industries and sectors have proved insufficient for remediating software vulnerabilities and defending against cyberattacks.
Let’s take a brief look at both.
DORA is focused entirely on implementing effective and comprehensive management of digital risks in financial markets and on harmonizing security and resilience best practices within the financial sector throughout the EU.
DORA came into force on 16th January 2023. It applies to more than 22,000 financial entities and ICT service providers in the EU. It includes specific requirements for banks, investment firms, insurance undertakings and intermediaries, crypto asset providers, data reporting providers, and cloud service providers. Areas it covers include risk management, IT and cybersecurity operational capabilities, and third-party management. All in-scope organizations are expected to comply with the regulations by 17th January 2025.
There are five key pillars to the regulations:
Risk management. Organizations must establish a comprehensive IT risk management framework, including:
Incident management. Organizations must:
Digital operational resilience testing. Organizations must:
Third-party risk management. Organizations must:
Information sharing arrangements.
This act includes two guidelines. The first focuses on networks and information systems. It aims to improve member states’ cybersecurity capabilities and encourages information sharing. The second is the Cybersecurity Act, which came into force in 2021 and defines the tasks of the European cyber watchdog, ENISA.
According to the EU’s own overview, the EU wants to create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle. It also aims to create conditions that allow and require users to take cybersecurity into account when selecting and using products with digital elements. To this end, the EU has laid out the following four objectives:
The CRA was published on 15 September 2022 and is yet to be fully ratified, but ratification is expected, because the European Parliament passed a resolution on 10 June 2021 calling for cybersecurity requirements for digital or connected products. In addition, in the final report of the Conference on the Future of Europe, 18 citizens have already called for “a stronger role for the EU in countering cybersecurity threats”.
This isn’t just about hardware and the Internet of Things that connects devices. It’s about every part of a product or service that is “digital,” as the EU calls it. This will extend to every piece of code and software, and to every interconnected component and dependency that forms the building blocks of the applications, products, and services that businesses and consumers use throughout the EU and beyond.
With these acts in place, every organization will need to account for every component and dependency it uses in its applications. Consequently, we expect the spotlight on application security and on tools such as the software bill of materials (SBOM) to intensify, as they become even more vital for strengthening cybersecurity and complying with the EU regulations. There will also be greater responsibility on any organization operating with or within the EU to effectively scan for, detect, and remediate vulnerabilities in its applications and components, and to assure dependency health.