The European Union is quite busy producing cybersecurity regulations. Several cybersecurity-related acts have passed during the last few years, and even more are on the way. The EU looks like it really means to improve cybersecurity. However, an avalanche of new legislation can be quite confusing. Let’s take a closer look at the EU cybersecurity initiative.
It is no secret that global cybersecurity is not as good as it should be. As software vulnerabilities are quite common and attackers are very motivated, the damage from cybersecurity incidents continues to pile up. However, this is no surprise. Cybersecurity is a complex discipline, requiring an understanding of a broad range of subjects. To complicate matters even more, cybersecurity is often counter-intuitive. It requires trained and experienced professionals, who are quite hard to come by. The complexity of the discipline, combined with a lack of expertise, makes it very hard to persuade the management of organizations that cybersecurity should be a priority. Organizations have been struggling with cybersecurity for more than two decades. A systematic and consistent approach to cybersecurity is still quite rare, even though cybersecurity professionals have been advocating for such an approach for as long as we can remember.
The market is notoriously bad at improving the hidden qualities of products. Cybersecurity is a prime example of this phenomenon. Where the market fails, regulation must intervene. The European Union is doing just that, fixing cybersecurity problems with legislation. As the management of organizations does not prioritize cybersecurity on its own, the regulations are here to make it reconsider.
The EU is certainly gaining speed, producing one legislative act after another: NIS2, DORA, CER, CRA, PLD, EUCC, eIDAS2, and of course CSA, to name a few. While this may look like an avalanche of ad-hoc regulations, it is quite far from that. It is all based on the Cybersecurity Strategy for the Digital Decade that was published in 2020.
While the regulations may not be perfect, they are still surprisingly good. It is not an easy task to capture the essence of a complex subject matter in a high-level legislative act. It is even harder in cybersecurity, where one size certainly does not fit all. However, the EU regulations are quite successful at addressing this diversity. The regulations prescribe a risk-based approach, calling for the implementation of proportionate measures and referring to industry best practices and international standards. This is exactly what cybersecurity professionals have been recommending for several decades. Moreover, the legislation goes beyond cybersecurity, adopting a holistic “all-hazards” approach to security. There is also a clear trend to shift responsibility from consumers to vendors, which is an established practice in all industries except for IT. Overall, the EU regulations have a very good chance of being practical and improving cybersecurity across a diverse range of organizations.
The guiding ideas of the EU cybersecurity regulations are good, the approach looks sound, and the methods seem to be appropriate. However, the devil is usually in the details. Many of the legislative acts are just being formed. We will see the practical results later on when the legislation is enforced. We are watching the progress, and we will provide insights and guidance as the EU cybersecurity wheel rolls on. Stay tuned.