
A Tsunami of European cybersecurity regulation – are you ready to surf?

The EU's Digital Decade initiative sets ambitious targets for 2030, all aimed at empowering businesses and individuals to thrive in a sustainable and prosperous digital future. According to the initiative, these targets will be achieved through a digital transformation of businesses and public services based on a secure and sustainable digital infrastructure.

To this end, the European Commission and the Member States have initiated a comprehensive regulatory package that spans several areas, all with the aim of accelerating the development of new digital services and exploiting the potential of data reuse. At the same time, it is assumed that mechanisms are in place to eliminate or limit the risks of cyber-attacks and other types of security breaches. Because of its transformative impact on the legislative landscape, the initiative can be likened to a legislative tsunami sweeping over Union legislators, public authorities, and businesses, all grasping for ways to understand and apply divergent regulatory frameworks.
  

In summary, the EU’s Digital Decade is reshaping the legislative environment with its comprehensive and forward-looking approach, driving Europe towards a more digitally sovereign, resilient, and competitive future. It is a powerful wave of change, much like a tsunami, that is set to redefine the digital and legislative contours of the EU. 

This blog will highlight how EU initiatives and regulatory packages may affect your business and how you can strategically adapt to these changes. We will delve into the specifics of each major regulation, examining their implications for various sectors, especially the financial industry. By understanding the key requirements and potential impacts of the Digital Operational Resilience Act (DORA), the Critical Entities Resilience Act (CER), and the Cyber Resilience Act (CRA), among others, you can better prepare your organization for compliance. 

Additionally, we will provide actionable insights on implementing robust cybersecurity measures and enhancing your operational resilience. Our goal is to equip you with the knowledge and tools necessary to not only meet regulatory standards but also leverage these changes as opportunities for growth and innovation. Whether you are a small business or a large enterprise, understanding and navigating this wave of regulation will be crucial for maintaining your competitive edge in the digital landscape. 

Stay with us as we explore the nuances of this legislative transformation, offering practical advice and expert perspectives to help you surf this regulatory tsunami with confidence and agility. 

Digital decade – financial sector – regulation

The EU's Digital Decade policy program sets ambitious targets for 2030 to guide Europe's digital transformation, aiming for a human-centered, sustainable, and prosperous digital future. Objectives include enhancing digital skills across the population, accelerating the digital transformation of businesses, achieving secure and sustainable digital infrastructures, and fully digitizing public services. Key among those objectives are those pertaining to the banking industry, and with that comes a massive package of new regulations.

Proposed on 24 September 2020 and adopted on 14 December 2022, the Digital Operational Resilience Act [DORA] is one of several instruments now potentially hitting entities in the financial sector, alongside the Critical Entities Resilience Act [CER], which entered into force in early 2023, and the Cyber Resilience Act [CRA], which is expected to be enacted in 2024. This comes on top of whatever other regulation these entities already operate under; the Network and Information Systems Security Directive [NIS] is also being updated through its second iteration, NIS2.

Regulation in a nutshell  

Digital Operational Resilience Act (DORA): DORA aims to ensure that all participants in the financial system have the necessary safeguards to mitigate cyber-attacks and other ICT (Information and Communication Technology) risks. This act mandates financial entities to establish ICT risk management measures, report major ICT-related incidents, and conduct digital operational resilience testing.

Critical Entities Resilience Act (CER): The CER focuses on enhancing the resilience of critical entities against a range of threats, including natural disasters, cyber-attacks, and other man-made threats. It requires Member States to identify critical entities and enforce measures to improve their resilience, ensuring the continuity of essential services such as energy, transport, and banking. 

Cyber Resilience Act (CRA): The EU's Cyber Resilience Act categorizes products with digital elements into three classes based on their cybersecurity risk, with a focus on security-by-design for all covered products. It mandates that companies adhere to stringent cybersecurity requirements and conduct vulnerability assessments to ensure compliance. The Act also establishes essential security and vulnerability handling requirements, alongside reporting obligations for cybersecurity incidents. 

Data Governance Act: This act is part of the European strategy for data and aims to foster the availability of data for use within the EU. It establishes a framework for data governance and sharing, including mechanisms to facilitate data sharing across sectors and Member States, and measures to ensure high standards of data protection and privacy.  

Data Act: The Data Act is designed to ensure fairness in the digital environment, promote data sharing across sectors, and boost innovation by setting rules on who can use, and access data generated in the EU across all economic sectors. It addresses issues related to the access and use of data, the rights of data holders, and obligations of data processors and users. 

Network and Information Systems Security Directive 2 (NIS2): As an update to the original NIS Directive, NIS2 aims to improve cybersecurity capabilities at a national level and enhance cooperation between EU Member States. It also expands the range of sectors covered by the directive, including digital providers, and introduces stricter security and incident reporting requirements.

Key takeaways 

While it would be overly dismissive to consider all these regulations as “same, same, but different,” our analysis identifies some common traits and trends that emerge across the various frameworks. 

Risk Management: A robust risk management strategy is central to all the new regulations. Entities are required to identify, assess, and mitigate ICT risks to ensure operational resilience. This includes implementing strong internal controls and regularly updating risk management frameworks to address evolving threats.  

Governance and Accountability: There is a heightened focus on governance and accountability within organizations. Regulations mandate clear roles and responsibilities, ensuring that senior management is directly involved in overseeing cybersecurity measures and resilience strategies. This shift underscores the importance of leadership in driving cybersecurity initiatives.  

Third-Party Risk: Managing third-party risks has become a critical component of regulatory compliance. Organizations must scrutinize their vendors and service providers, ensuring they adhere to stringent security standards. This includes conducting regular assessments and maintaining detailed documentation of third-party interactions.  

Incident Management and Reporting: The ability to promptly respond to and report cybersecurity incidents is emphasized across the regulatory landscape. Organizations are required to establish comprehensive incident response plans and ensure timely reporting to relevant authorities. This proactive approach aims to minimize the impact of incidents and facilitate coordinated responses. 

Data and Information Sharing: Enhancing data and information sharing is another common theme. Regulations encourage interoperability, transparency, and collaboration both within organizations and with external stakeholders. By fostering a culture of information sharing, entities can improve their collective security posture and respond more effectively to threats. 

Tsunami analogy  

This is reminiscent of a tsunami, an analogy used by representatives from the Swedish banking industry and the OECD alike. We also find it apt, and perhaps you will too, when considering the four stages of tsunami formation in more detail.

Tsunamis are large, powerful waves caused by disturbances under the sea, such as earthquakes. The process of tsunami formation typically involves the following four stages:

  1. Initiation: This occurs when a large volume of water is suddenly displaced due to seismic activity or other underwater disturbances. Earthquakes under the sea are the most common cause, especially when they occur at tectonic plate boundaries. The movement of the Earth's crust during such an earthquake lifts a large volume of water above sea level, creating potential energy that will be transformed into the kinetic energy of the tsunami waves.

    The introduction phase of these frameworks is akin to the initiation stage of a tsunami, where a significant event or realization triggers the need for new regulation. For DORA, this could be the increasing number of cyber incidents affecting the financial sector; for CER, the recognition of vulnerabilities in critical entities; and for CRA, the emerging threats to critical infrastructure resilience.

  2. Split: After the initial displacement, the water begins to spread out from the disturbance site, forming waves that travel across the ocean. Tsunami waves in the deep ocean are relatively low in height but can travel at speeds of up to 800 kilometers per hour, allowing them to cross entire ocean basins.

    The implementation stage, where the details of the regulation are worked out and put into practice, resembles the split phase of a tsunami. This is when the regulatory wave begins to move outward as affected entities start adopting and adapting to the new requirements. Financial institutions under DORA would begin enhancing their ICT risk management practices, while critical entities affected by CER would start conducting risk assessments and strengthening their resilience measures. Early prevention and readiness are crucial at this stage to ensure that organizations can swiftly adjust their strategies and frameworks to meet the new standards. Proactive measures and thorough preparation can significantly mitigate the impact of these regulatory changes, helping organizations build a robust foundation for compliance and resilience.

  3. Amplification: As the waves approach shallower waters near coastlines, their speed decreases, causing the waves to grow in height through a process known as wave shoaling. The energy of the wave is compressed into a smaller volume of water, causing the wave height to increase dramatically.

    Evaluation of these frameworks can be likened to the amplification stage of a tsunami. As the regulations come into closer contact with the realities of their application, feedback mechanisms and impact assessments can lead to adjustments and refinements. This phase assesses the effectiveness of the implemented measures, their adequacy in mitigating risks, and the overall enhancement of resilience. It emphasizes the need for a comprehensive approach, evaluating the regulations’ impacts on various aspects of the organization. The evaluation might highlight areas where the regulatory waves need to grow stronger to better protect against threats and vulnerabilities. By starting early and focusing on prevention, readiness, and resilience, organizations can better manage the complexities of these regulatory waves, ensuring they not only comply but also thrive in the evolving digital landscape.

  4. Run up: The final stage is when the tsunami waves reach the shore and surge inland, potentially causing devastating flooding and damage. The run-up is the maximum vertical height onshore that the tsunami reaches above sea level. The run-up's extent depends on the shape of the seafloor and coastline, as well as the tsunami's initial energy.

    The consequences phase parallels the run-up stage of a tsunami, representing the impact of the regulations on the ground. This is when the full effects of DORA, CER, and CRA are felt by the financial sector, critical infrastructures, and other essential services. Positive consequences might include improved resilience against cyberattacks, more robust critical entities, and a higher level of preparedness for natural and man-made disasters. Negative impacts could involve compliance challenges, financial burdens for smaller entities, or unforeseen operational complexities.
      

In the next section, we will explore how businesses can leverage these regulatory changes to their advantage, transforming potential challenges into opportunities for growth and innovation. Are you ready to surf the regulatory wave and emerge stronger on the other side? 

We have the solution – are you ready to surf? 

The complexity of threats, the dependency of all activities on IT, and the uncertainty of the world around us have put cybersecurity at the top of the agenda for most boards and management teams. Navigating this landscape requires a strategic blend of management acumen, technological innovation, and legal expertise. The need for a mix of cybersecurity and legal skills is now a crucial part of almost every business, both in terms of risks and business opportunities.  

With our combination of these skills, we will help you identify your current status, your targets, and a continuous process for working with cybersecurity, law, and privacy. By working systematically with these matters and taking new legislation, your risk aversion, and operative goals into consideration, we can enable you to stay one step ahead of your competitors, find new business opportunities, and decrease risks.  

Our approach ensures that your organization is not just compliant but resilient and competitive in the face of ever-evolving digital threats. Management strategies will provide the leadership and vision needed to drive cybersecurity initiatives, while cutting-edge technology will offer the tools and solutions required to implement them effectively. Legal expertise will ensure that all actions are within regulatory frameworks, protecting your organization from legal pitfalls and enhancing your overall security posture.

By integrating these perspectives, we offer a holistic solution that empowers your business to navigate the regulatory tsunami and turn potential challenges into avenues for growth. Whether it is through robust risk management, enhanced incident response, or comprehensive data protection strategies, our combined expertise will help you build a secure, compliant, and innovative digital future. 

Are you ready to ride the wave and emerge stronger? Contact us today to start your journey towards a resilient and thriving digital presence. 

Read other blog posts about the Digital Decade here (in Swedish): Digital Decade – Ett rättsligt landskap i förändring