
EU Cybersecurity Regulations Impact Businesses Worldwide

Now is the time to review your business plan and goals to stay in compliance, says 21CS’s Rebecca Levesque

Cybercrime could cost the world $9.5 trillion in 2024 (which breaks down to $302,000 a second), based on figures analyzed by Cybersecurity Ventures. In 2025, that cost is anticipated to increase to $10.5 trillion.

This total accounts for financial resources related to:

  • Damage and destruction of data
  • Restoration and recovery cost and time
  • Stolen money, fraud or embezzlement
  • Customer satisfaction and retention
  • Harm of intellectual property or reputation
  • Disruption to normal business
  • Legal costs and fines

Organizations are taking notice of potential threats: 53% of respondents to the 2023 Allianz Risk Barometer identified data breaches as an exposure that concerns them, followed closely by an increase in ransomware attacks at 50%.

As legislation, such as the European Union’s Cyber Resilience Act (CRA), Digital Operational Resilience Act (DORA) and NIS2 Directive (and the U.K.’s similar NIS Regulations), continue to roll out, it becomes more prudent for businesses worldwide to prepare for and comply with the changing cybersecurity landscape.

Recent Cybersecurity Legislation: A Closer Look

The CRA, DORA and NIS2 Directive join a list of alphabet-soup-sounding requirements in place worldwide (PCI DSS, HIPAA, GDPR, CCPA) aimed at protecting consumer information and safety.

While each regulation covers different industries, information or end users, the emerging cybersecurity mandates tend to shift the onus to organizations that provide and house data. 

That said, CRA, DORA and NIS2 should be top of mind, but they are certainly not the only legislative measures that organizations should consider.

Cyber Resilience Act (CRA)

Approved by the European Parliament in March, the CRA requires manufacturers of hardware and developers of software placed on the EU market to implement cybersecurity measures across the entire lifecycle of a product. This has impacts throughout the supply chain, from manufacturers and developers to importers and distributors.

The act improves transparency around security measures and vulnerabilities. Creators of hardware and software technologies must demonstrate compliance with the requirements that apply to their product, which can be done via self-assessment or a third party, depending on the product and its level of risk.

Products can then display the CE marking to be sold in the EU, indicating compliance with the new standards. Hardware and software providers must be compliant by July 2027.

Digital Operational Resilience Act (DORA)

DORA focuses on IT security and operational resilience in the financial sector within the EU. The act extends responsibility to the institution for Information and Communication Technology (ICT)-related incidents.

Once in effect in January 2025, financial institutions must follow rules around ICT risk-management, incident reporting, operational resilience testing and ICT third-party risk monitoring.

Related to DORA, the EU has proposed the Financial Data Access (FiDA) Regulation, which establishes rules on the access, sharing and use of certain categories of customer data in financial services. FiDA could impact or even amend DORA, introducing a new category of authorized Financial Information Service Providers (FISP).

NIS2 Directive

An update to EU cybersecurity rules first introduced in 2016, NIS2 will replace these when the directive goes into effect Oct. 18, 2024. The new version of the directive aims to achieve a high common level of cybersecurity across the EU.

Member states must ensure that essential and important entities take appropriate and proportionate measures to manage the risks posed to the security of network and information systems, while minimizing the impacts of incidents on service end-users.

A Business Case for Responsibility and Ownership

While the aforementioned measures were passed in the EU, their impact will be felt by any organization conducting business in the EU, regardless of the company’s physical location.

Moreover, since the Basel Committee on Banking Supervision issued “Principles of Operational Resilience” and “Principles on Outsourcing,” regulations across the globe have been creating accountability that involves both the owners of the data and their service providers. The ultimate goal of these measures is ensuring technological transparency and protection of the data for the end user.

“We don’t have rules because we were doing it right. We’re being regulated because we weren’t doing it,” says Rebecca Levesque, Chief Revenue Officer with 21CS.

She advises organizations to view these regulations as a positive change, not a burden, and recommends using “regulations and compliance as an opportunity to take time and evaluate how technology serves your business and your customers overall.”

Though both businesses and service providers will be driven by these directives and regulations, it’s clear that the overall responsibility remains with the companies themselves. The reputation, brand and future business of a service provider could be called into question if it fails to comply and to help its customers meet the standards, but it is the business that is responsible for paying the fines.

Levesque cautions business leaders, “It is evident that businesses and providers must align to perform plausible and reasonable testing of not just the infrastructure but the applications to ensure resiliency. If you know you have gaps and don’t address them, then these regulations will make you accountable.”

Examples of gaps include a single point of failure, an undocumented process or an undocumented critical integration.

“Being resilient is the ability to run your business no matter what the disruption, and you can’t achieve that if you ignore the gaps,” she notes.

Gain efficiency in the process

“The benefits that you will gain by putting in practice some of the regulations are actually good for you,” Levesque explains, noting improvements as a result of tighter compliance and scrutiny include:

  • Product and process documentation, which can help with skills transfer
  • Automation and streamlining workflows, freeing people up for higher level tasks
  • Keeping software and hardware current, enabling new functionality and tighter security
  • Data governance and optimization through identifying what might be inaccurate or outdated

There’s a lot of wait-and-see happening right now, according to Levesque. She’s also seeing companies take an “it won’t happen to me” stance toward cybersecurity legislation.

Instead, she recommends that organizations use these regulations as an opportunity to examine their businesses, accept that there will be some expense to comply, and invest money that will deliver a long-term return: to their bottom line, to their ability to scale and grow, and to their reputation.

Building a Roadmap Toward Compliance

Levesque wants to see providers give customers not only a plan for compliance, but also proof of resilience for both the infrastructure and the applications in the environment.

“This is where the rubber meets the road when you can actually keep your business running when bad things happen,” she explains. “Your business is the breadth of applications; that’s what differentiates your business from your competition, and what makes your business who you are.”

Alongside internal and external stakeholders, create a compliance plan that includes:

  • Understanding and communicating the regulations and key dates with which you need to comply
  • Identifying gaps in your current infrastructure and environment across all roles and business lines
  • Working alongside partners and vendors to understand their plan and accountabilities to eliminate gaps
  • Determining process and protocol updates, by whom and when
  • Staying up to date on new or changing regulations, threats, practices, etc.

“Now, you’re really talking about the business having to take ownership, look at its applications, and really think about the best means to manage their data,” notes Levesque.

“We need to account for all our data with these regulations. There’s just so much that this is doing; it’s better governance and management, it’s solidifying protection for our customers and our reputation, and it’s going to help us run our infrastructure with a fact-based and focused approach.”