The scope of digital resilience goes beyond cybersecurity and technology, encompassing people, processes, and culture. In today’s world, creating a secure digital society has become increasingly crucial. With the advancement of AI (Artificial Intelligence) and other technologies, digital transformation will have a more significant impact on society in the next 5 years than it has in the past 15. New regulations are being introduced by the EU that will enhance the protection of EU citizens, shape Europe’s digital future, and have an impact on EU organizations as well as those doing business with them.
Preparing for the regulations that affect your organization is crucial, and it’s essential to ensure that your organization is ready to comply with them. Here is a list of regulations that could impact your organization in the coming years.
NIS2: Network and Information Security Directive
Applies as of 18 October 2024
The NIS2 Directive aims to maintain a high common level of information security across the EU. By October 17th 2024, EU member states are obliged to adopt and publish the necessary measures to comply with this directive.
The updated NIS2 directive extends the range of organizations required to comply with its regulations beyond those already covered by the original NIS compliance directive of 2016. This expansion includes a broader range of essential services and subcontractors, as well as increased incident response obligations and more severe fines and penalties.
RCE: Resilience of Critical Entities Directive
Applies as of 18 October 2024
By October 17th 2024, EU member states are obliged to adopt and publish the necessary measures to comply with this directive.
The implementation of new regulations will enhance the ability of critical infrastructure to mitigate various risks, such as natural disasters, terrorist attacks, insider threats, or sabotage. These dangers could potentially involve information security / cybersecurity elements. The directive relates to eleven sectors that are deemed critical. These are: energy, transportation, banking, financial market infrastructures, healthcare, water supply, water sanitation, digital infrastructure, public administration, space, and food.
DORA: Digital Operational Resilience Act
Applies as of 17 January 2025
DORA requires financial service providers to prioritize digital resilience across all levels of their operations and adopt a risk-centric approach instead of a compliance-oriented one.
DORA proposes six crucial pillars for achieving digital resilience:
- ICT risk management requirements
- ICT-related incident reporting
- Digital operational resilience testing
- ICT third-party risk management
- Information sharing
CRA: Cyber Resilience Act
The Cyber Resilience Act will apply to all software or hardware products, as well as their remote data processing solutions, including software or hardware components that are intended for separate market placement” This legislation will regulate these products from their initial design phase all the way through to their obsolescence phase, covering their entire lifecycle. The Cyber Resilience Act will complement NIS2.
The proposed Cyber Resilience Act sets out to ensure:
- Harmonised rules when bringing to market products or software with a digital component.
- A framework of cybersecurity requirements governing the planning, design, development and maintenance of such products, with obligations to be met at every stage of the value chain.
- An obligation to provide duty of care for the entire lifecycle of such products.
Other directives, acts and schemes from the EU that intent to help to better protect EU citizens and shape Europe’s digital future are:
- Artificial Intelligence Act (AIA)
- Artificial Intelligence Liability Directive (AIL)
- Data Act (DA)
- Digital Markets Act (DMA)
- Digital Services Act (DSA)
- EU 5G scheme (EU5G)
- EU Cloud Services scheme (EUCS)
- EU Common Criteria scheme (EUCC)
About Arash Rahmani
Bridging the gap between CISO and board members. Passionate about digital transformation, information security and public speaking. Strong believer that technology can improve people’s lives, that information security adds value to the business and can create a competitive advantage. Over 15 years of experience in digital transformation with an emphasis on information security governance and strategy. I have worked for several national and international brands in multiple industries, including apparel, automotive, aviation, finance, and hospitality. Where I have managed (multidisciplinary) teams and helped company leaders by aligning their business and information security strategy, mitigating their information security risk, and increasing their information security resilience. In doing so, I don’t only look at technology but also focus on people, processes, and culture. With the end goal to ensure a more secure digital transformation.
More on Arash Rahmani.