An Update on EU Cybersecurity: NIS2, EU Cybersecurity Schemes, and the Cyber Resilience Act
Published 12/14/2023
Originally published by Schellman.
The European Union (EU) has made significant strides lately in shaping cybersecurity regulation—new developments include those related to the NIS2 Directive, the EU Cybersecurity Act, the EU Cloud Services Cybersecurity Scheme (EUCS), and the EU Cyber Resilience Act.
As cybersecurity experts who try to keep abreast of all the progress in our sector, we know how important it is, particularly for organizations based in or selling into the EU, to follow this changing landscape so that they can prepare to comply with shifting and new requirements.
That’s why, in this article, we’ll provide some important explanations of three key developments related to the NIS2 Directive, the EU cybersecurity schemes, and the Cyber Resilience Act so that you can better understand which ones will apply to you and how.
What is the NIS2 Directive?
First up is NIS2, which repeals and replaces the original NIS Directive and sets out to achieve a common, high-level baseline for cybersecurity risk management and incident reporting across the EU. The risk-management measures NIS2 requires (Article 21) map closely to the controls in ISO 27001, but the directive explicitly calls out business continuity and crisis management, supply chain security, and policies for assessing the effectiveness of your security measures, which in practice means regular testing such as penetration testing. It also tightens incident reporting: a significant incident requires an early warning to the competent authority or CSIRT within 24 hours of becoming aware of it, a full notification within 72 hours, and a final report within one month.
However, many of the updates made to NIS2 largely relate to the reclassification of who needs to comply with the requirements, as applicability has now expanded to far more industries.
Who Does NIS2 Apply To?
So then, who does NIS2 apply to? Two groups: Essential Entities and Important Entities.
| Essential Entities | Important Entities |
| --- | --- |
| Size threshold: varies by sector, but generally 250 or more employees, or annual turnover above €50 million together with a balance sheet total above €43 million (the EU "large enterprise" ceiling). Some providers, such as DNS service providers and TLD name registries, are in scope regardless of size. | Size threshold: varies by sector, but generally 50 or more employees, or annual turnover or balance sheet total above €10 million (the EU "medium enterprise" threshold). |
| Includes the following sectors: | Includes all the sectors listed under "Essential Entities" for organizations that fall within the "Important Entities" size threshold, PLUS the following: |
While the security requirements are the same for both types, supervision and penalties differ:
- Essential Entities: Subject to proactive (ex ante) supervision, including regular audits and security scans by the competent authority. Penalties for non-compliance can amount to €10,000,000 or 2% of total annual worldwide turnover in the previous fiscal year, whichever amount is higher.
- Important Entities: Subject to reactive (ex post) supervision, triggered only when the authority has evidence of non-compliance. Penalties for non-compliance can amount to €7,000,000 or 1.4% of total annual worldwide turnover in the previous fiscal year, whichever amount is higher.
NIS2 is already in force; EU member states have until 17 October 2024 to transpose it into national legislation in their respective jurisdictions, after which national authorities can enforce it.
What are the EU Cybersecurity Schemes?
While NIS2 was a follow-up to an original directive, the upcoming EU cybersecurity certification schemes were born out of the EU Cybersecurity Act's mandate for ENISA, the EU's Agency for Cybersecurity, to prepare candidate certification schemes. Three are currently in progress, each covering a different category of technology:

| Scheme | Expected timing |
| --- | --- |
| ICT products (EUCC, based on Common Criteria) | Expected to go live in Q4 2023 |
| Cloud services (EUCS) | Expected to go live in early 2024 |
| 5G networks (EU5G) | Expected to go live after the cloud services scheme |
Whenever each scheme goes live, it will consist of:
- A comprehensive set of rules;
- Technical cybersecurity requirements;
- Standards; and
- Evaluation procedures that are defined at the EU level and apply to the certification of specific products, services, or processes.
Certifications against all of these schemes must be performed by a Conformity Assessment Body (CAB), which will attest that your product, process, or service complies with the specified cybersecurity requirements and rules.
What is the EU Cyber Resilience Act?
The EU has also moved closer to adopting what will potentially be the first EU-wide legislation to impose cybersecurity requirements on products with digital elements, including Internet of Things (IoT) devices, in its Cyber Resilience Act (CRA).
As a complement to NIS2, which regulates the operators of services, the CRA aims to close legislative gaps over digital product security by laying out essential requirements for hardware manufacturers, software developers, distributors, and importers who place products with digital elements on the EU market.
The CRA will ensure:
- Harmonized rules when bringing to market products or software with a digital component;
- A framework of cybersecurity requirements governing the planning, design, development, and maintenance of such products, with obligations to be met at every stage of the value chain; and
- An obligation to provide duty of care for the entire lifecycle of such products.
Requirements of the CRA include:
- A risk assessment
- An EU Declaration of Conformity
- A Software Bill of Materials (SBOM)
- A conformity assessment
- An ongoing vulnerability handling process for the product's support period, including reporting of actively exploited vulnerabilities to the authorities
CRA Applicability
Regarding who will be subject to these requirements, the CRA sorts products with digital elements into three categories of applicability, and the category determines how conformity with the above requirements can be demonstrated:

| Category | How conformity is validated |
| --- | --- |
| Default (all products not listed as critical) | A self-assessment by the manufacturer |
| Class I (critical products, lower risk) | Application of a harmonised standard or equivalent specification, or a third-party assessment |
| Class II (critical products, higher risk) | A third-party assessment is required |
Important Implications for Open-Source Software
Despite its strides towards better regulation, there are some particulars that will hopefully be ironed out. As the CRA is currently drafted, it applies to anyone who publishes software on the Internet, open source or not, and regardless of where it is developed, so long as it is used by EU users. The draft's exemption for open-source software supplied outside a "commercial activity" is narrowly worded, and that creates a few issues:
- Open-source projects are freely used and incorporated into products distributed to billions of people worldwide and, because of this, developers of open-source software (OSS) often do not know who is using their software.
- Thus, meeting obligations such as vulnerability remediation and providing security patches to downstream users may not be feasible for OSS developers.
- Further, the original OSS developers could be implicated when products that incorporate their software have vulnerabilities without their knowledge.
While the CRA is still in draft, many organizations are warning the EU about these implications and are hoping to see revisions in the next version, but for now everyone will have to wait and see what happens in the final publication.
Other Considerations for Your Cybersecurity
All these developments, NIS2, the EU cybersecurity certification schemes, and the EU CRA, represent huge strides forward for the EU in regulating the advancing technological landscape. Though there is some time yet before any of them are enforced, you now know at least a baseline of what the expectations will be and where your organization will fall in terms of enforcement.