Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog

An Update on EU Cybersecurity: NIS2, EU Cybersecurity Schemes, and the Cyber Resilience Act

Home
Industry Insights
An Update on EU Cybersecurity: NIS2, EU Cybersecurity Schemes, and the Cyber Resilience Act

Blog Article Published: 12/14/2023

Originally published by Schellman.

The European Union (EU) has made significant strides lately in shaping cybersecurity regulation—new developments include those related to the NIS2 Directive, the EU Cybersecurity Act, the EU Cloud Services Cybersecurity Scheme (EUCS), and the EU Cyber Resilience Act.

As cybersecurity experts who try to keep abreast of all the progress in our sector, we understand how important it is—particularly for those based in the EU—to understand their changing landscape so that they can prepare to comply with shifting and new requirements.

That’s why, in this article, we’ll provide some important explanations of three key developments related to the NIS2 Directive, the EU cybersecurity schemes, and the Cyber Resilience Act so that you can better understand which ones will apply to you and how.


What is the NIS2 Directive?

First up is the NIS2, which is a repeal and replacement of the original NIS directive that set out to achieve a common, high-level baseline for cybersecurity risk management and incident reporting in the EU. NIS2’s requirements now align closely with those of ISO 27001, though the directive also mandates a penetration test and business continuity requirements.

However, many of the updates made to NIS2 largely relate to the reclassification of who needs to comply with the requirements, as applicability has now expanded to far more industries.


Who Does NIS2 Apply To?

So then, who does NIS2 apply to? Two groups: Essential Entities and Important Entities.

Essential Entities

Important Entities

Size threshold: varies by sector, but generally 250 employees, annual turnover of € 50 million, or balance sheet of € 43 million.

Size threshold: varies by sector, but generally 50 employees, annual turnover of € 10 million, or balance sheet of € 10 million.

Includes the following sectors:

  • Energy
  • Transport
  • Banking and financial markets
  • Health
  • Water (drinking and waste)
  • Digital Infrastructure and ICT Service Management
  • Public Administration
  • Space

Includes all the sectors listed under “Essential Entities” and within the size threshold for “important entities” PLUS the following:

  • Postal and courier services
  • Waste Management
  • Manufacture, production, and distribution of chemicals
  • Production, processing, and distribution of food
  • Manufacturing (e.g., of medical devices and various other equipment)
  • Digital providers such as online marketplaces, search engines, and social networks
  • Research

While requirements are the same for both types, supervision and penalties vary between the two:

  • Essential Entities: Required to meet supervisory requirements and penalties for non-compliance can amount to €10,000,000 or 2% of the total annual worldwide turnover in the previous fiscal year, whichever amount is higher
  • Important Entities: Penalties for non-compliance can amount to €7M/1.4%

EU member states have until October 2024 to put legislation in place in their respective jurisdiction to enforce NIS2.


What are the EU Cybersecurity Schemes?

While NIS2 was a follow-up to an original directive, the upcoming EU Cybersecurity Schemes were born out of the EU Cybersecurity Act’s mandate for ENISA—the EU’s Agency for Cybersecurity—to build several cybersecurity frameworks for three different industry categories:

ICT

(expected to go live in Q4 2023)

Cloud Services

(expected to go live in early 2024)

5G Networks

(expected to go live after Cloud Services)

At whatever point these all go live, the new schemes will all consist of:

  • A comprehensive set of rules;
  • Technical cybersecurity requirements;
  • Standards; and
  • Evaluation procedures that are defined at the EU level and apply to the certification of specific products, services, or processes.

Certifications against all of these schemes must be performed by a Conformity Assessment Body (CAB), which will attest that your product, process, or service complies with the specified cybersecurity requirements and rules.


What is the EU Cyber Resilience Act?

The EU has also moved closer to implementing what will potentially be the first legislation regarding the Internet of Things (IoT) in its Cyber Resilience Act (CRA).

As a supplement to NIS2, the CRA aims to close legislative gaps over digital product security by laying out essential requirements for hardware manufacturers, software developers, distributors, and importers who place digital products or services on the EU market.

The CRA will ensure:

  • Harmonized rules when bringing to market products or software with a digital component;
  • A framework of cybersecurity requirements governing the planning, design, development, and maintenance of such products, with obligations to be met at every stage of the value chain; and
  • An obligation to provide duty of care for the entire lifecycle of such products.

Requirements of the CRA include:

  • A risk assessment
  • An EU Declaration of Conformity
  • A Software Bill of Materials (SBOM)
  • A conformity assessment
  • Continuous maintenance of an active vulnerability reporting process


CRA Applicability

Regarding who will be subject to these requirements, there are three categories of applicability for the CRA:

Category

Details

Default
  • Home IoT devices

Class I
  • Identity and access management software
  • Browsers
  • Password managers
  • Malicious software detection
  • Products that use virtual private networks
  • Network management, configuration, monitoring, and resource management tools
  • Security information and event management systems
  • Update and patch management tools
  • Mobile device and application management software
  • Remote access software
  • Physical network interfaces
  • Microcontrollers
  • Integrated circuits and gate arrays intended for use by essential entities described in the NIS2 directive
  • Operating systems, firewalls, routers, modems, microprocessors, industrial automation and control systems, and industrial IoT that are not covered by Class II of the Cyber Resilience Act

Class II
  • Operating systems
  • Hypervisors and container runtime systems
  • Public key infrastructure and digital certificate issuers
  • Firewalls for industrial use
  • Industrial intrusion detection/prevention systems
  • General purpose microprocessors
  • Microprocessors for programmable logic controllers and secure elements
  • Routers for industrial use
  • Modems for industrial use
  • Industrial switches
  • Secure elements
  • Hardware Security Modules
  • Secure cryptoprocessors
  • Smartcards, readers, and tokens
  • Industrial Automation & Control Systems intended for the use by essential entities described in NIS2
  • Industrial Internet of Things devices intended for the use by essential entities described in NIS2
  • Robot sensing and actuator components and robot controllers
  • Smart meters

Depending on the applicability category that you fall into, attesting to the above requirements can be validated through:

  • Default: A self-assessment
  • Class I: Application of a standard or third-party assessment
  • Class II: Required third-party assessment


Important Implications for Open-Source Software

Despite its strides towards better regulation, there are some particulars that will hopefully be ironed out. As the CRA is currently drafted, it applies to anyone who publishes software on the Internet, open source or not, and regardless of the development location if it’s used by those in the EU users, and that creates a few issues:

  • Open-source projects are freely used and incorporated into products distributed to billions of people worldwide and, because of this, developers of open-source software (OSS) often do not know who is using their software.
  • Thus, meeting obligations such as vulnerability remediation and providing security patches to downstream users may not be feasible for OSS developers.
  • Further, the original OSS developers could be implicated when products that incorporate their software have vulnerabilities without their knowledge.

While the CRA is still in draft, many organizations are warning the EU about these implications and are hoping to see revisions in the next version, but for now everyone will have to wait and see what happens in the final publication.


Other Considerations for Your Cybersecurity

All these developments—the NIS2, the EUCS Cybersecurity Schemes, and the EU CRA—represent huge strides forward for the EU in regulating the advancing technological landscape. Though there is some time yet before any of them come into effect, you know at least a baseline of what expectations will be and where your organization will fall in terms of enforcement.

For more information on other cybersecurity progress—both at home and abroad—check out our other content that details other recent and important developments:

ComplianceGDPRPrivacy

Share this content on your favorite social network today!

Cloud Assurance
Related Resources
STAR
The industry's standard for security assurance in the cloud.
Certificate of Cloud Auditing Knowledge (CCAK)
The industry's first global auditing credential.
Trusted Cloud Provider
Demonstrate your commitment to holistic security.
Latest from CSA
Virtual Cloud Trust Summit 2024
The State of AI and Security Survey Report
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
CPPA AI Rules Cast Wide Net for Automated Decisionmaking Regulation

Published: 04/26/2024

Upselling Cybersecurity: Why Baseline Security Features Shouldn’t Be a Commodity

Published: 04/24/2024

Understanding the Nuances: Privacy and Confidentiality

Published: 04/22/2024

How to Set Your Small Privacy Team Up for Success

Published: 04/17/2024