Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

An Update on EU Cybersecurity: NIS2, EU Cybersecurity Schemes, and the Cyber Resilience Act

Published 12/14/2023

An Update on EU Cybersecurity: NIS2, EU Cybersecurity Schemes, and the Cyber Resilience Act

Originally published by Schellman.

The European Union (EU) has made significant strides lately in shaping cybersecurity regulation—new developments include those related to the NIS2 Directive, the EU Cybersecurity Act, the EU Cloud Services Cybersecurity Scheme (EUCS), and the EU Cyber Resilience Act.

As cybersecurity experts who try to keep abreast of all the progress in our sector, we understand how important it is—particularly for those based in the EU—to understand their changing landscape so that they can prepare to comply with shifting and new requirements.

That’s why, in this article, we’ll provide some important explanations of three key developments related to the NIS2 Directive, the EU cybersecurity schemes, and the Cyber Resilience Act so that you can better understand which ones will apply to you and how.


What is the NIS2 Directive?

First up is the NIS2, which is a repeal and replacement of the original NIS directive that set out to achieve a common, high-level baseline for cybersecurity risk management and incident reporting in the EU. NIS2’s requirements now align closely with those of ISO 27001, though the directive also mandates a penetration test and business continuity requirements.

However, many of the updates made to NIS2 largely relate to the reclassification of who needs to comply with the requirements, as applicability has now expanded to far more industries.


Who Does NIS2 Apply To?

So then, who does NIS2 apply to? Two groups: Essential Entities and Important Entities.

Essential Entities

Important Entities

Size threshold: varies by sector, but generally 250 employees, annual turnover of € 50 million, or balance sheet of € 43 million.

Size threshold: varies by sector, but generally 50 employees, annual turnover of € 10 million, or balance sheet of € 10 million.

Includes the following sectors:

  • Energy
  • Transport
  • Banking and financial markets
  • Health
  • Water (drinking and waste)
  • Digital Infrastructure and ICT Service Management
  • Public Administration
  • Space

Includes all the sectors listed under “Essential Entities” and within the size threshold for “important entities” PLUS the following:

  • Postal and courier services
  • Waste Management
  • Manufacture, production, and distribution of chemicals
  • Production, processing, and distribution of food
  • Manufacturing (e.g., of medical devices and various other equipment)
  • Digital providers such as online marketplaces, search engines, and social networks
  • Research

While requirements are the same for both types, supervision and penalties vary between the two:

  • Essential Entities: Required to meet supervisory requirements and penalties for non-compliance can amount to €10,000,000 or 2% of the total annual worldwide turnover in the previous fiscal year, whichever amount is higher
  • Important Entities: Penalties for non-compliance can amount to €7M/1.4%

EU member states have until October 2024 to put legislation in place in their respective jurisdiction to enforce NIS2.


What are the EU Cybersecurity Schemes?

While NIS2 was a follow-up to an original directive, the upcoming EU Cybersecurity Schemes were born out of the EU Cybersecurity Act’s mandate for ENISA—the EU’s Agency for Cybersecurity—to build several cybersecurity frameworks for three different industry categories:

ICT

(expected to go live in Q4 2023)

Cloud Services

(expected to go live in early 2024)

5G Networks

(expected to go live after Cloud Services)

At whatever point these all go live, the new schemes will all consist of:

  • A comprehensive set of rules;
  • Technical cybersecurity requirements;
  • Standards; and
  • Evaluation procedures that are defined at the EU level and apply to the certification of specific products, services, or processes.

Certifications against all of these schemes must be performed by a Conformity Assessment Body (CAB), which will attest that your product, process, or service complies with the specified cybersecurity requirements and rules.


What is the EU Cyber Resilience Act?

The EU has also moved closer to implementing what will potentially be the first legislation regarding the Internet of Things (IoT) in its Cyber Resilience Act (CRA).

As a supplement to NIS2, the CRA aims to close legislative gaps over digital product security by laying out essential requirements for hardware manufacturers, software developers, distributors, and importers who place digital products or services on the EU market.

The CRA will ensure:

  • Harmonized rules when bringing to market products or software with a digital component;
  • A framework of cybersecurity requirements governing the planning, design, development, and maintenance of such products, with obligations to be met at every stage of the value chain; and
  • An obligation to provide duty of care for the entire lifecycle of such products.

Requirements of the CRA include:

  • A risk assessment
  • An EU Declaration of Conformity
  • A Software Bill of Materials (SBOM)
  • A conformity assessment
  • Continuous maintenance of an active vulnerability reporting process


CRA Applicability

Regarding who will be subject to these requirements, there are three categories of applicability for the CRA:

Category

Details

Default

  • Home IoT devices

Class I

  • Identity and access management software
  • Browsers
  • Password managers
  • Malicious software detection
  • Products that use virtual private networks
  • Network management, configuration, monitoring, and resource management tools
  • Security information and event management systems
  • Update and patch management tools
  • Mobile device and application management software
  • Remote access software
  • Physical network interfaces
  • Microcontrollers
  • Integrated circuits and gate arrays intended for use by essential entities described in the NIS2 directive
  • Operating systems, firewalls, routers, modems, microprocessors, industrial automation and control systems, and industrial IoT that are not covered by Class II of the Cyber Resilience Act

Class II

  • Operating systems
  • Hypervisors and container runtime systems
  • Public key infrastructure and digital certificate issuers
  • Firewalls for industrial use
  • Industrial intrusion detection/prevention systems
  • General purpose microprocessors
  • Microprocessors for programmable logic controllers and secure elements
  • Routers for industrial use
  • Modems for industrial use
  • Industrial switches
  • Secure elements
  • Hardware Security Modules
  • Secure cryptoprocessors
  • Smartcards, readers, and tokens
  • Industrial Automation & Control Systems intended for the use by essential entities described in NIS2
  • Industrial Internet of Things devices intended for the use by essential entities described in NIS2
  • Robot sensing and actuator components and robot controllers
  • Smart meters

Depending on the applicability category that you fall into, attesting to the above requirements can be validated through:

  • Default: A self-assessment
  • Class I: Application of a standard or third-party assessment
  • Class II: Required third-party assessment


Important Implications for Open-Source Software

Despite its strides towards better regulation, there are some particulars that will hopefully be ironed out. As the CRA is currently drafted, it applies to anyone who publishes software on the Internet, open source or not, and regardless of the development location if it’s used by those in the EU users, and that creates a few issues:

  • Open-source projects are freely used and incorporated into products distributed to billions of people worldwide and, because of this, developers of open-source software (OSS) often do not know who is using their software.
  • Thus, meeting obligations such as vulnerability remediation and providing security patches to downstream users may not be feasible for OSS developers.
  • Further, the original OSS developers could be implicated when products that incorporate their software have vulnerabilities without their knowledge.

While the CRA is still in draft, many organizations are warning the EU about these implications and are hoping to see revisions in the next version, but for now everyone will have to wait and see what happens in the final publication.


Other Considerations for Your Cybersecurity

All these developments—the NIS2, the EUCS Cybersecurity Schemes, and the EU CRA—represent huge strides forward for the EU in regulating the advancing technological landscape. Though there is some time yet before any of them come into effect, you know at least a baseline of what expectations will be and where your organization will fall in terms of enforcement.

For more information on other cybersecurity progress—both at home and abroad—check out our other content that details other recent and important developments:

Share this content on your favorite social network today!