Prepare for the future of cybersecurity regulation

With new EU cybercrime rules coming down the line, now is the time to step up your organisation’s ICT security strategy, writes Neil Redmond

Increased regulatory scrutiny is among the five most important ways businesses have been impacted since 2020, according to the Irish senior executives who participated in PwC’s Global Digital Trust Insight Survey 2023. Regulators are becoming increasingly cognisant of the risk posed by cyber threats to businesses and their customers.

As part of new legislation, the European Union (EU) aims to address cyber, and information and communications technology (ICT) risks. By understanding these regulations and knowing how to prepare, organisations can act now to align with the requirements of new EU legislation.

Four key pieces of the new legislation are introducing additional requirements for business:

• the Network and Information Security Directive Revision 2 (NIS2);
• the Digital Operational Resilience Act (DORA);
• the Digital Services Act (DSA); and
• the Digital Markets Act (DMA).

How can your business best prepare to comply with these legislative changes? By taking the following key actions, you can ensure that your organisation is ready ahead of time.

1. Assess the maturity of your organisation’s cybersecurity

Reviewing your business’s systems and information security is critical to prepare for the upcoming regulations. Assessing your organisation’s cybersecurity and ICT risk management controls can provide executives with valuable information regarding the business’s cyber risk profile.

By finding potential compliance gaps in their cybersecurity, firms can improve their posture before legislation comes into force, mitigating the risk of non-compliance and subsequent consequences, such as brand damage and financial penalties.

2. Test your business’s operational resilience at the enterprise level

As part of a cyber maturity assessment, evaluating the organisation’s resilience to disruptive events will be key in preparing for upcoming regulations.

While executives may believe that their business is robust and can continue to operate in adverse circumstances, the testing of business continuity and disaster recovery plans allows businesses to measure their resilience and continuously enhance their cybersecurity posture.

The first step is to ensure that the organisation has contingency plans for different scenarios. These scenarios should be exercised and iteratively improved to ensure that they are fit for purpose.

Examples include switching failing systems to backups or simulating a response to a malware attack on your network. All relevant stakeholders, including third parties, should participate in the testing of contingency plans—in today’s world of sophisticated threat actors, executives must ensure that their entire business is ready to respond.

3. Enhance your incident reporting processes

A cornerstone of NIS2 and DORA is reporting ICT and cyber incidents. Businesses need to review their existing reporting channels and procedures, implementing processes to monitor, log, classify and report on incidents consistently.

An effective way to ensure that reporting is standardised and complies with regulatory requirements is to centralise incident reporting across the organisation. Establishing formalised processes for managing reported incidents can support businesses in fulfilling their regulatory obligations.

Furthermore, the DSA and DMA will require organisations to report to authorities regularly. National Digital Service Coordinators will be established, and they will be responsible for compliance monitoring. Reporting to new supervisory bodies will be a feature of these upcoming legislative changes—a trend likely to be seen in future regulations.

4. Analyse and understand your ICT and third-party cyber risk

Today’s business world is deeply interconnected, with organisations often relying on a wide network of suppliers to conduct business. Reliance on third parties can increase the organisation’s susceptibility to cyber-attacks, increasing both the attack surface available to threat actors and the potential for attacks to affect operations significantly.

Regulators have grown concerned about gaps in organisations’ third-party risk management processes in recent years as businesses become increasingly reliant on third parties. NIS2 and DORA build on existing guidance and legislation, such as NIS1 at the EU level and the Central Bank of Ireland’s Operational Resilience Guidelines and Guidance on Outsourcing at the national level.

In particular, DORA will set out many provisions for businesses to report on the ICT risks stemming from their dependency on third parties, requiring them to describe this reliance in detail.

Analysing your business’s exposure to cyber risk through the lens of third parties is a key means of securing your customers’ data and satisfying regulators.