Navigating EU Cyber Regulations: Thriving Strategies

Cyber security is a dynamic and ever-changing field, as new types of attacks emerge every day. Therefore, technology vendors are constantly trying to keep up. However, we’ve reached a stage where efficient cyber security programs exist and can be implemented. We have mature technologies and products. We can rely on a variety of standards and best practices, international and regional regulations, plenty of national CSIRTs/CERTs and government agencies, a wide range of global vendors, and even the insurance providers to top it up. Cyber security is a young but maturing industry, having all the components in place to provide adequate protection for those who need it. The challenge is that it’s becoming complex and fragmented, which requires more coordination and integration.

If you live in Europe, you might have noticed the huge number of cyber security related regulations that have emerged in the last years. Just by briefly looking at the UN ITU Global Cyber Security Index 2020  you realize that Europe (all countries) is particularly strong in terms of regulations. The complex and rather harsh regulatory environment comes as EU’s response to a tech industry that has evolved mainly outside of its borders (top 20 tech companies globally reside in USA and China). The EU wants to protect its market and citizens by creating one of the most advanced cyber legal systems, with more regulations to come in the next years. However, this also means EU companies must comply with many obligations and requirements. 

The days when you just quickly launched an online store and advertised it to an old email list that you had are long gone. Now, you have to be mindful of the digital services you offer and their impact on your customers and partners. You must respect their privacy by encrypting data at rest and in transit, advertising only if you have their consent, implementing mandatory security measures for online payments etc. And these are just the basics, as other types of digital services, such as cloud, financial services, telemedicine, industrial control systems etc., have more complex security challenges. Security has become a critical and multifaceted aspect of any organization. It can either put you out of business or give you a strategic market advantage over your competitors. If you handle a cyber security incident or a data breach poorly, you may lose your customers, your reputation, and your revenue. According to some estimates, “60 percent of small companies go out of business within six months of falling victim to a data breach or cyber-attack”.

But regulation can be a challenge if you are not ready for it. If not treated properly, it can be a burden for companies, and can affect productivity and efficiency in the long run, especially if your company operates on a global scale. That is why compliance should be an intrinsic part of any enterprise security program.

An enterprise security program is essential for any organization that wants to achieve cyber resilience and compliance. A security program is a continuous process that involves using your resources, such as people, processes, and technologies, in an organized and efficient way, to ensure that your systems are protected from threats and comply with all relevant EU/national requirements or international standards. A key word here is “enterprise,” which means that the security program should be part of any organization-wide strategy. It has to be embedded in its core modus operandi.

Running a security program is not an easy task nowadays. First, it has become a complex topic that requires a multidisciplinary approach. Depending on the organization type, running cyber security operations requires multiple roles, covering all the layers of the stack (tool managers, incident analysts, risk managers and governance, regulatory and compliance experts, backup, and recovery etc.). You also need to consider the migration of the modern SOC to cyber resilience, where response & recovery are being covered also. That, combined with the current work force gap on the market and the aftermath of the economic crisis generated by the pandemic will give a lot of headaches to current CISOs. Just consider that organizations use roughly between 45 and 75 security tools in their environment, with their defense being less effective as the number of tools grows. Where would you get so many engineers to manage all that portfolio?

On top of any technical or workforce-related challenges you might face, you must comply with the complex and diverse cyber security regulations. The EU has issued eight major regulatory packages - listed at the end of this article - that set mandatory requirements for cyber security and data protection. However, these regulations are not always consistent and coherent with each other. There are cases where one company might need to comply with all of them. Now imagine also having a small army of tech-legal experts to take care of that line of work. 

After you have overcome all these challenges, you still need to deal with the strategic and governance part, where you have to align all the components of your security program to achieve your desired outcome. Now, think about the resources that you need and the feasibility of maintaining that program, and that team for at least three years.

Building and running a cyber security program in-house may no longer be feasible for everybody. Time has come where specialized services must be used so that you can keep costs at a minimum, avoid the workforce gap, find support in selecting the proper tools for your environment and achieve compliance with all regulatory demands. You should rely on experts to assist you.

Managed security services (MSS) are the smart way to deal with cyber security challenges nowadays. You need a professional and comprehensive security service provider, that can cover at least the following areas:

1. Be able to ASSESS your current situation.

Robust security starts with a clear and accurate assessment of your current security landscape and potential risks. This is a continuous process of reevaluation that will help you prioritize and intelligently apply your security investments and resources. Cyber security is not a one size fits all solution. It has to be adapted to your own environment. That is why an assessment is needed, to correctly place your organization on the maturity map and determine the necessary next steps.

Here we talk about security assessments based on standards, audits, vulnerability management etc. Assessment can be done fully, on enterprise level, but also through different modules (CIS, ransomware, NIS2 etc.). Cegeka’s Cyber Security Assessment Framework (CSAF) is already available for carrying out such assessments.

2. Capable of managing your security infrastructure and assure PREVENTION.

Prevention is all about taking the right measures to protect your assets from incidents. Controls have to be implemented at many levels (network, endpoints, cloud, privileged accounts etc.) so that your whole environment is secured.

3. Capable of running an integrated security environment and assure DETECTION and RESPONSE.

Detection and response are crucial as a modern SOC must be response oriented. You need to keep your eyes open for threats that might escalate into serious incidents. Deployment of efficient detection tools (endpoint detection, network detection, brand intelligence etc.) is mandatory, and response has to be prepared accordingly. Cegeka’s C-SOR²C covers all activity related to monitoring, detecting, and responding to cyber security incidents. 

4. Be able to assist you and/or offer RECOVERY options.

Resilience is key nowadays. Always consider the worst-case scenario and be prepared to react accordingly. You need a plan to limit damage and get your business back up and running as quickly as possible, and with minimal or no data loss.

Of course, you can find good tools for each of the areas above. But that’s not enough. You need to integrate all those tools together, add contextual details through your CMDB, run orchestration and automation to handle the large volume of logs and alerts, build powerful reporting so that you can see clearly through the vast amount of data in your environment, and use an efficient ticketing solution to complete the tasks. You need a structured and organized set-up to achieve the desired results. Otherwise, you will face many difficulties.

If you need professional support, take a look at this page.

Annex

A summary of the main pieces of EU legislation below and more details here:

1. GDPR – Protection of personal data of EU citizens. It requires organizations (at a global level) to take appropriate measures to secure personal data against unauthorized access, loss, or theft.
2. Network and Information Security Directive (NIS Directive) - prevention and mitigation of cyber incidents, especially for a particular category of companies (essential service providers and digital service providers) and coordination of EU and national level efforts in this area. The revision of the NIS Directive (called NIS2) was formally adopted in Europe in September 2022. The proposed expansion of the scope covered by NIS2 is effectively obliging more entities and sectors to take measures.
3. eIDAS Regulation - legal framework for electronic identification and trust services, such as electronic signatures, seals, and timestamps. It aims to ensure the security and authenticity of electronic transactions.
4. Payment Services Directive 2 (PSD2) - rules for electronic payment services, including requirements for strong customer authentication and secure communication.
5. Cybersecurity Act - improving the cybersecurity of the EU by establishing a European cybersecurity certification framework for products, services, and processes.
6. EU Cybersecurity Strategy - EU’s approach to cybersecurity, including measures to strengthen cyber resilience, combat cybercrime, and promote international cooperation on cybersecurity.
7. DORA ("Digital Operational Resilience Act") - new EU regulation aimed at strengthening the operational resilience of the EU financial sector against cyber threats (e.g., including banks, investment firms, insurance companies, and trading venues).
8. Cyber Resilience Act (CRA) - A notable proposal for a regulation on cybersecurity requirements for products with digital elements, to ensure more secure hardware and software products.