Why the Need for Application Security Intensifies as EU Tightens Cybersecurity Requirements
As EU tightens cybersecurity requirements, AppSec importance grows
Two new sets of regulations introduced by the European Union (EU) indicate that the public sector is taking increased interest in improving cybersecurity and resilience.
The EU is introducing the Digital Operational Resilience Act (DORA) for financial institutions and the Cyber Resilience Act (CRA) for software and hardware providers, both designed to enforce software security and secure delivery of services. These legislative acts follow the recent announcement by the White House of the introduction of a new U.S. national cybersecurity strategy designed to defend critical infrastructure, thwart threat actors, increase investment, and build stronger international partnerships to improve cybersecurity worldwide.
The new moves by the EU could have a big potential impact on European organizations and other international organizations operating in Europe. In line with the U.S. legislation, they pivot towards formal regulation because individual organizations’ cybersecurity efforts and voluntary measures by various industries and sectors have proved insufficient for remediating software vulnerabilities and defending against cyberattacks.
Let’s take a brief look at both.
The Digital Operational Resilience Act (DORA): Hardening financial sector cybersecurity
DORA Is focused entirely on implementing effective and comprehensive management of digital risks in financial markets and to harmonize security and resilience best practices within the financial sector throughout the EU.
DORA came into force on 16th January 2023. It applies to more than 22,000 financial entities and ICT service providers in the EU. It includes specific requirements for banks, investment firms, insurance undertakings and intermediaries, crypto asset providers, data reporting providers, and cloud service providers. Areas it covers include risk management, IT and cybersecurity operational capabilities, and third-party management. Any relevant organizations will be expected to comply with the regulations by 17th January 2025.
There are five key pillars to the regulations:
Risk management. Organizations must establish a comprehensive IT risk management framework, including:
- Resilient IT systems and tools that minimize the impact of risk
- Identify, classify, and document critical functions and assets
- Continuously monitor all sources of risk and set up protection and prevention measures
- Establish prompt detection of anomalous activities
- Implement business continuity policies and disaster and recovery plans, including yearly testing
Incident management. Organizations must:
- Log all issues and determine major incidents according to the criteria specified by the ESAs — European Supervisory Authorities (EBA, EIOPA, and ESMA),
- Submit an initial, intermediate, and final report on these incidents
- Harmonize reporting of these incidents through the standard templates of the ESAs
Digital operational resilience testing. Organizations must:
- Annually perform basic testing of IT tools and systems
- Identify, mitigate, and promptly eliminate any weaknesses, or deficiencies, with counteractive measures
- Periodically perform advanced threat-led penetration testing (TLPT) for IT services which impact critical functions. IT third-party service providers are required to participate.
Third-party risk management. Organizations must:
- Monitor risks arising from IT third-party providers
- Report all outsourced activities and services to third-party IT service providers
- Account for risks arising from sub-outsourcing activities
- Harmonize the relationship with IT third-party providers to enable ‘complete’ monitoring
- Ensure that contracts with these third-party providers contain all the necessary monitoring and accessibility details
- Critical third-party service providers will be subject to a Union Oversight Framework, which can issue recommendations on the mitigation of identified IT risks.
Information sharing arrangements.
- Organizations should set up arrangements to exchange cyber threat intelligence
- The supervisory authority will provide relevant anonymous intelligence on threats for organizational review and action.
The Cyber Resilience Act (CRA)
This act includes two guidelines. The first focuses on networks and information systems. It aims to improve member states’ cybersecurity capabilities and encourages information sharing. The second is the Cybersecurity Act, which came into force in 2021 and defines the tasks of the European cyber watchdog, ENISA.
According to the EU’s own overview, the EU wants to create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle. It also aims to create conditions that allow and require users to take cybersecurity into account when selecting and using products with digital elements. To this end, the EU has laid out the following four objectives:
- Ensure that manufacturers improve the security of products with digital elements throughout the whole design, development, and production life cycle, including the SDLC
- Set up a coherent cybersecurity framework, facilitating compliance for hardware and software producers
- Enhance the transparency of security properties of products with digital elements
- Enable businesses and consumers to use products with digital elements securely.
The CRA was published on 15 September 2022 and is yet to be fully ratified, but it is expected to do so, because the European Parliament passed a resolution on 10 June 2021 calling for cybersecurity requirements for digital or connected products. As well, in the final report of the Conference on the Future of Europe, 18 citizens have already called for “a stronger role for the EU in countering cybersecurity threats”.
What does all of this mean for application security?
This isn’t just about hardware and the Internet of Things that connects devices. It’s about every part of a product or service that’s “digital,” as the EU calls it. This will extend to every piece of code, software, and every interconnected component and dependency that forms the building blocks of applications, software, products, and services that businesses and consumers use throughout the EU and beyond.
With these Acts in place, it will be necessary for every organization to account for every component and dependency they use in their applications. Consequently, we expect the spotlight on application security and tools such as the software bill of materials (SBOM) to intensify as they become even more vital tools to strengthen cybersecurity to comply with the EU regulations. Plus, there will be greater responsibility on any organization operating with or within the EU, to effectively scan, detect, and remediate any vulnerabilities in their applications and components and assure dependency health.