This year, several new regulations in the areas of cyber risk and resilience come into force that companies should take note of. We summarise the most important details and show how to approach implementation in practice.

As the frequency of cyber security incidents increases, both industry and government are taking note and taking action. Just as the GDPR transformed the conversation around data privacy, new cyber security initiatives will do the same, holding companies accountable to their shareholders, customers and supply chains.

Some of the drivers for new regulations and directives are innovations on the side of the attackers: advances in AI, and readily available tools for compromising organisations that were previously the preserve of experts. A simple download now gives many cybercrime groups access to tooling that expands their arsenal well beyond what was possible in years gone by.

To further complicate the issue, cyber liability insurance premiums continue to rise, and insurers are more likely to refuse cover, raising the risk for companies. A 2021 study by S&P Global Market Intelligence found that the loss ratio for cyber liability insurance (claims paid relative to premiums collected) was close to 73% in 2020, up from 34% in 2018, a development that is driving premiums up. Reforms are likely on the horizon, both for cyber insurance pay-outs and in the proactive measures insurers require companies to take to manage their cyber risk.

New regulations in 2023

Several new regulations are coming into play in 2023, around cyber risk and resilience:

NIS2 Directive:
The network and information security (NIS) rules have evolved, and the new NIS2 Directive brings stronger cybersecurity requirements not only for the operators of essential services in critical infrastructure areas such as energy, transport and banking that were covered by the first Directive, but also for medium-sized and large enterprises in the covered sectors. NIS2 adds a range of new sectors, including telecommunications providers, waste management, a wider health sector (including medical device manufacturing), food, chemicals, the manufacture of electronics, machinery and motor vehicles, and digital providers.

NIS2 introduces new security requirements as well as reporting obligations that companies in the covered sectors must fulfil. Compared with the current Directive, the scope broadens beyond traditional so-called critical infrastructure, and the rules on risk management, supply chain security and incident disclosure are extended.

NIS2 comes into force on 16 January 2023; member states then have until 17 October 2024 to transpose it into national law, so the obligations will apply to companies from that point.

Digital Operational Resilience Act (DORA): 
In November 2022, the Digital Operational Resilience Act, designed to strengthen the information security of financial entities including banks, insurance companies and investment firms, was formally adopted. DORA is an EU regulation and therefore applies directly in every member state; national legislation is needed only for accompanying matters such as designating the competent authorities. It creates a regulatory framework for digital operational resilience that sets out how affected organisations must withstand, respond to and recover from ICT (information and communication technology) threats and disruptions. DORA consolidates and updates the existing rules addressing ICT risk, including ICT incident reporting, resilience testing and oversight of third-party ICT providers, and fills gaps that previously existed.

DORA applies from 17 January 2025; accompanying national legislation is expected during 2024.

Cyber Resilience Act (CRA): 
In September 2022, the European Commission published its proposal for the Cyber Resilience Act (CRA), which sets common cybersecurity requirements for hardware and software products with digital elements. The act is intended to define classes of critical products and a conformity assessment process for product categories, under which manufacturers must identify and test for vulnerabilities in their products and handle them over the product's lifetime. A call for feedback on the proposal is open in January 2023, and EU member states such as Germany have already called for the scope to be extended to Software-as-a-Service. While this area is still under development, the impact on many organisations will be closely monitored.

KRITIS Umbrella Act / CER: 
The German KRITIS Umbrella Act (KRITIS-Dachgesetz) is expected near the end of 2023. It takes a structured approach to critical infrastructure, setting out the protection required from operators of certain critical infrastructure, including mandatory risk assessments, monitoring and minimum standards. The act transposes into German law the EU Directive on the Resilience of Critical Entities (CER), which was adopted alongside NIS2.

Be proactive

Understanding the regulatory environment is critical to deciding where and how best to approach the requirements facing organisations today. Organisations we consult regularly list the complexity of regulatory requirements as one of the main obstacles to establishing a proactive cyber resilience policy.

At the same time, while a strong reactive capability is always an important part of a cyber risk strategy, the way forward is a holistic approach to managing risk: proactive frameworks to evidence and defend the organisation's security posture, combined with strong monitoring.

If the new developments seem daunting, we recommend starting simply, with a few practical steps:

Step 1: Assess the current state:
Define your organisation's current understanding of cyber risk and its appetite for risk, and perform a basic high-level assessment of its cyber risk maturity. Questions to ask include:

  • Who is responsible for managing cyber security risk?
  • What proactive measures do we have in place?
  • How do we test and ensure our measures are effective?
  • What areas of the business present the most risk?

With these insights into your organisation's level of cyber resilience, you can begin to map out the areas that require investment to bring your maturity to the next level.

Step 2: Educate / Empower: 
Whether your organisation needs education at the employee level or the insights of expert partners, knowledge is power.

First, given the evolving scope of cybersecurity, it is essential that those responsible for your organisation's cyber risk profile receive up-to-date insight and education about this rapidly changing, risk-laden area. Consider the many open resources available from organisations such as the German Federal Office for Information Security (BSI).

Secondly, make sure specific individuals in your organisation are tasked with advancing its cyber goals: conducting the assessments, implementing best practices and driving risk reduction programmes such as data minimisation or anti-phishing campaigns. Make sure that you, and the rest of the organisation, know who to turn to for all things cyber-related.

Lastly, get your management team behind the initiatives. Those tasked with raising cyber awareness will need the support of leadership, as a successful cyber resilience plan requires effective collaboration not only within IT but across the whole organisation.

Step 3: Evaluate your progress: 
Through regular third-party cyber audits, proactive monitoring and follow-up assessments, track your progress as your cyber resilience strategy matures. Determine whether you are meeting your goals, and reassess your risk as the regulatory climate evolves.

A transparent and effective proactive cyber resilience strategy gives your organisation the assurance that, in an evolving world of cyber risk, you are well equipped both to prevent the risks that already exist and to identify those that are brand new.

This is also where partnering with an expert consultancy such as Grant Thornton Germany can help: whether you need a simple assessment, advice or a complete programme to address cyber risk in your organisation, we are here to support you.