How the IT channel can help on the route to cybersecurity regulatory compliance
To combat the increasing frequency and sophistication of cyber attacks, resulting in untold damage to business continuity and to the economy, we have seen a growing number of regulations aiming to raise cybersecurity standards.
The most significant of these regulations are the Network and Information Security 2 Directive (NIS2), the Digital Operational Resilience Act (DORA), and the Cyber Resilience Act (CRA). These directives, all in various stages of roll-out or implementation, complement each other, addressing different aspects of cybersecurity and industry sectors.
Due to their complexity, businesses will face significant challenges in translating the directives into an action plan, risking being penalized through hefty fines if they fail to meet the deadline for compliance. Failure to comply with the NIS2 directive for instance could result in penalties of up to €10 million (£8.42 million) or 2% of annual global turnover.
Aside from being a challenge for business, regulatory requirements bring real, long-term benefits by instilling an improved code of conduct in the face of cyber risk, one conducive to enhanced stability and profitability. New cybersecurity directives, setting higher standards in the face of advancing cyber risk, are set to become the norm.
To meet cybersecurity regulatory requirements, businesses will need to have a clear picture of their data assets, their location, and the risks they face, with documented processes in place to both prevent and react rapidly to cyber breaches. Risk assessments, compliance audits, and staff training will become routine, standard practice to enable a stronger cybersecurity posture.
The IT channel has an important role to play in assisting organizations make sense of complex legislative directives, breaking them down into simple steps towards compliance. Regulations present a significant opportunity for channel partners to educate and equip customers with the essential tools, services, and expertise needed to strengthen their cybersecurity defences.
How is the regulatory landscape changing?
There are three major regulations impacting today’s European cybersecurity landscape, each of which will place new burdens on IT staff to become complaint.
Network and Information Security 2 Directive
The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU. NIS2 will strengthen cybersecurity and resilience for companies in critical sectors; 11 are deemed ‘essential’, including energy, transport, and healthcare. A further seven are classed as ‘important’, such as manufacturing, postal services, and food and beverage.
NIS2 specifies strict rules on incident reporting, risk management across EU member states to better protect critical sectors from cyber threats.
Although NIS2 applies across the whole European Union territory, each member state will develop its own specific legislation based on the directive’s baseline requirements. Nations with a strong, long-standing focus on cybersecurity are likely to have more stringent requirements as part of their regional legislation.
Digital Operational Resilience Act
DORA is the EU regulation that entered into force on 16 January 2023 and came into full implementation on 17 January 2025. DORA is designed to ensure financial institutions can handle and recover from digital disruptions – such as cyber attacks – without major harm to the financial system. It applies to a range of financial institutions, including banks, insurance companies, and third-party tech providers.
DORA focuses on strengthening the ability of financial institutions to prevent, detect, respond to, and recover from disruption through risk management, incident reporting, oversight of third-party services, and regular system testing.
Cyber Resilience Act
The European Cyber Resilience Act stipulates the cybersecurity requirements for hardware and software products with digital elements within the European Union. The CRA is aimed at improving the security of digital products and services sold within the European market. It requires manufacturers, developers, and distributors of hardware and software to ensure their products meet cybersecurity standards throughout their lifecycle.
The act focuses on making products safer by mandating ‘secure-by-design’ principles, regular software updates, and the fixing of vulnerabilities. The ultimate aim is to enhance trust in digital products, reduce the risk of cyber attacks, and protect consumers and businesses from vulnerabilities.
The CRA received approval by the European Parliament in March 2024 and was adopted by the Council in October 2024. The main obligations introduced by the CRA will apply from 11 December 2027.
A shared objective and an opportunity for the channel
While each set of regulations has its own specific requirements, they share common goals that apply to all European businesses. Together, they reinforce accountability, strengthen data protection, and ensure operational resilience by ensuring organizations across Europe enhance their cybersecurity posture and manage risks more effectively.
The channel is well placed to help organizations demystify the complex legislative requirements by:
- Taking an advisory role to help customers understand the specific requirements of NIS2, DORA, and the Cyber Resilience Act.
- Offering a range of professional services to pave the way to compliance, including conducting asset detection or risk assessments to establish customers’ risk profile.
- Recommending and implementing best-in-breed security technologies, while developing measures to prevent, detect, and respond to incidents.
- Providing value-added services to constantly maintain and update cyber protection such as incident detection and reporting, and training staff to be cyber-risk aware.
The landscape of cybersecurity regulation is set for significant transformation. For the channel, this presents opportunities to take a leading enabler role as an expert consultant. Customers will increasingly seek expertise and guidance to ensure compliance, especially if lacking in house resources and expertise.
The channel can rise to the challenge, effectively supporting customers in navigating the ongoing changes and enhancing their cybersecurity posture.
MORE FROM ITPRO
Source link
