Last year was a tumultuous year for the cyber world. The outbreak of war in Eastern Europe at the start of 2022 paved the way for an onslaught of state-sponsored cyber-attacks that forced organizations across the globe to heighten their defenses. In the face of these increasing cyber threats and risks, the EU has been working on two pieces of legislation to combat the effects of such risks and limit the potential damage they can cause. Let’s take a look at each in turn.
The Digital Operational Resilience Act (DORA)
When the European Commission (EC) outlined plans for legislative proposals on digital operational resilience in September 2020, it described them as “closing the door to cyber-attacks and enhancing oversight of outsourced services.” The legislation would require firms to ensure they can withstand all types of IT-related disruptions and threats.
DORA is a highly targeted regulation designed to harmonize the approach to cybersecurity of more than 22,000 entities in the financial sector. It sets out detailed requirements on every aspect of cybersecurity, including monitoring cyber threats and reporting cyber-attacks. There’s even an article that details backup requirements. While it doesn’t indicate any specific solution, to date, it appears to favor on-premises backup over the cloud. DORA also contains some interesting provisions around the contractual relationship between financial institutions and IT providers. It requires financial entities to keep a register outlining contractual arrangements with IT providers and include specific provisions in contracts with them.
So what are we likely to see next? Implementing the requirements set out in DORA is likely to incur short-term costs for financial institutions and providers. There will be costs associated with preparing to comply with DORA and related investments in IT systems, along with a review of legacy IT systems.
But there will be significant benefits too. By harmonizing the rules, DORA will eliminate regulatory fragmentation, making it easier and more cost-effective for financial entities that deal across various markets. In the medium to long term, the regulation will bring down costs for the whole sector by improving risk management and strengthening operational resilience against IT disruptions and threats. It will take two years or so for organizations to meet the requirements contained in DORA, but it will put them in a much stronger position in dealing with – and communicating – an outage, leak, unauthorized access, loss of data or other IT-related disruption.
The Cyber Resilience Act (CRA)
More recently, in September 2022, the EC set out a proposal to introduce regulated cybersecurity requirements for IoT products to make them more secure. These products are increasingly vulnerable to cyber-attacks, with an estimated global annual cost from cybercrime of €5.5 trillion in 2021.
The EC said IoT products suffered from two major problems: a low level of cybersecurity, and users' insufficient understanding of, and access to, security information. Many of those products are not covered by any EU legislation tackling their cybersecurity.
The four main objectives of the regulation are to:
- Ensure manufacturers improve the security of products with digital elements in the design and development phase and throughout the whole lifecycle
- Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers
- Enhance the transparency of security properties of products with digital elements
- Enable businesses and consumers to use products with digital elements securely
Exemptions apply to medical devices, aviation and car equipment. While still at the preliminary stage, legislation will emerge within the next couple of years, followed by a 24-month transition period. The final outcome is likely to be something similar to the CE mark on hardware products in the EU. IoT products will be classified into two categories: regular products with little risk and those with high risk. This will give businesses and consumers more visibility over what they can expect from what they are buying.
The Future of the UK
Post-Brexit, UK businesses are under no requirement to follow suit with these regulations, but ignoring them would mean the UK cutting itself off from the EU market. With most vendors likely to conform in order to access the EU common market, the pressure will be on the UK to develop a similar regulatory environment.
Although the preparations to ensure compliance may be costly in the short term, organizations will reap the benefits in the long term. The higher level of cybersecurity that this legislation provides will limit attacks, reduce downtime and potentially save businesses up to €290bn annually. It’s fair to say that nothing happens overnight, but with the framework for organizations, vendors and service providers to heighten their defenses and fend off cyber threats, this could be the start of a new era where cyber-criminals lose their power. 2023 could be the year that regulators and businesses fight back.