Romain Deslorieux | Director, Strategic Partnerships | Thales
Trust is the currency of the digital economy. It fuels innovation, drives customer loyalty, and underpins successful digital transformation. The Thales 2024 Trust Index report indicates that 87% of consumers expect vendors to respect their digital rights, which leads to trusted relationships. However, a relentless barrage of data breaches, ransomware attacks, and sophisticated cyber threats steadily erodes this trust.
Comprehensive cybersecurity legislation is imperative to build and maintain confidence in the future and ensure a secure digital landscape. Business leaders must navigate this constantly evolving regulatory environment to maintain compliance, protect their organizations, and safeguard the trust of their customers.
This blog will briefly overview the most essential developments shaping the legislative and compliance environment.
EU Cyber Resilience Act
The Cyber Resilience Act establishes a groundbreaking framework to ensure that products with digital elements, both hardware and software, enter the European market with strong cybersecurity safeguards. When enforced, the regulation will mandate manufacturers to prioritize security from the design stage and throughout the product's entire lifecycle. The Act is expected to enter into force in 2024, and manufacturers must apply the rules 36 months after they enter into force. Therefore, businesses must be prepared to demonstrate compliance with the essential cybersecurity requirements outlined in the Act. The Cyber Resilience Act complements other legislation, specifically the NIS2 Directive (see below). This proactive approach will protect users and organizations from vulnerabilities that could lead to costly and damaging cyberattacks.
NIS2 (Network and Information Security Directive)
The updated NIS Directive significantly expands the scope and rigor of cybersecurity requirements across the European Union. NIS2 covers a broader range of critical societal and economic sectors. Entities designated as "essential" or "important" by member states in all sectors of the economy and public services must implement robust security measures, including proactive risk management, incident reporting, and supply chain security. Member states must transpose NIS2 into national laws by 17 October 2024, underscoring the urgency for businesses to assess their compliance readiness and take necessary actions.
Digital Services Act (DSA)
The DSA places greater responsibility and accountability on online platforms of all sizes. It targets illegal content, disinformation, and harmful practices. The DSA introduces tiered obligations based on platform size and reach. Very Large Online Platforms (VLOPs), such as Facebook, Booking, and LinkedIn, and search engines like Google Search, will face stricter requirements for transparency, risk assessment, and content moderation. The DSA will come into force in stages, with varying deadlines depending on a company's classification. Businesses operating online should familiarize themselves with the obligations that apply to them and be prepared to make necessary adjustments.
Payment Services Directive (PSD3)
PSD3 is an updated version of PSD2 and provides rules on the efficiency and security of digital payments and financial services in the EU. It aims to improve competition and innovation in the financial industry while increasing consumer protection. PSD3 sets out more extensive Strong Customer Authentication (SCA) regulations and stricter rules on access to payment systems and account information and introduces additional safeguards against fraud. Financial institutions and payment service providers must adapt their systems and processes to meet PSD3 requirements. There is yet to be a clear timeline for implementing PSD3. The finalized version might be accessible by late 2024. The member states usually receive an 18-month transition period, suggesting that PSD3 could take effect around 2026.
eIDAS 2.0
eIDAS 2.0 overhauls the existing eIDAS framework for electronic identification and trust services within the EU. A key focus is the introduction of the European Digital Identity Wallet (EUDI wallet), enabling citizens and businesses to store and manage their digital identities securely. eIDAS 2.0 aims to simplify cross-border transactions and increase the acceptance of electronic signatures. While full implementation deadlines will become clearer, businesses should start exploring how to leverage eIDAS 2.0 to streamline processes and enhance digital trust in their customer interactions.
DORA (Digital Operational Resilience Act)
DORA centers on bolstering the operational resilience of the European financial sector. It mandates rigorous ICT risk management, including the risks related to ICT third parties, continuous security testing, and comprehensive incident reporting. Since financial institutions are now part of the “essential providers”, DORA complements NIS2 Directive by highlighting requirements tailored to the specifics of the banking and finance sector. With the deadline fast approaching – 17 January 2025 – financial institutions must ramp up their efforts to ensure compliance.
PCI DSS 4.0
In a complementary manner, PCI DSS 4.0 updates the globally recognized standard for organizations handling payment card data. It offers greater flexibility with a customized approach, allowing businesses to tailor security controls to their specific risks. Like DORA, PCI DSS 4.0 also places a strong emphasis on proactive risk management and continuous security improvement, requiring businesses in relevant sectors to prioritize compliance and adopt a more outcome-focused view of cybersecurity. Although the deadline for the mandatory requirements is already past (31 March 2024), financial organizations must keep an eye out for the 31 March 2025 due date for implementing the best practices outlined in the standard.
NIST CSF 2.0
To reach compliance, organizations from all private and public sectors can follow their national IT agency's guidelines or certification frameworks, such as ISO27001. To that effect, NIST recently updated its Cybersecurity Framework (CSF) 2.0 to provide valuable guidance for organizations worldwide seeking to strengthen their cybersecurity posture. It emphasizes outcome-driven risk management and now expands its core functions to include 'Governance.' This aligns with the evolving regulatory landscape that underscores the responsibility of business leaders in cybersecurity decision-making. Embracing a continuous cybersecurity approach and aligning with frameworks like NIST CSF 2.0 will offer organizations a structured way to address risks, improve their readiness, and increase the likelihood of achieving compliance across various regulations.
Key Recommendations
The cybersecurity regulatory landscape is rapidly evolving, reflecting the increasing importance of data security and protection in our digital world. Business leaders can no longer afford to view cybersecurity as an IT department concern. It demands proactive attention at the highest levels of an organization. Business leaders have two items to consider.
First, you need to assess your risks and gaps to comply with the various regulatory frameworks. To that effect, you must know your data, where they are, and their sensitivity to cyber risks or compliance. Having visibility into your data gives you better control and helps you prioritize compliance efforts.
Second, you need to define and implement technical, organizational, and contractual measures to mitigate risks and reach compliance. Regardless the priorities set in the assessment phase, cryptography and key management are required in all regulation and certification frameworks. They are technical measures to effectively protect data against cyber threats (breach, ransomware, unauthorized access) and reach compliance.
Thales can help you to comply with the evolving legislative landscape. Download our handy eBook, How Thales Helps Meet Compliance Requirements in Europe, or contact us to schedule a consultation.