For quite some time, organizations have relied on self-regulation to protect the confidentiality, integrity and availability of their digital environment against malicious actors. However, the picture is quite different now. It has become nearly impossible to keep up with all the latest changes in global cybersecurity regulations, so we offer this roundup of the latest cyber laws to help provide some clarity.
Governments are now regulating their own cybersecurity
Executive Order on improving the Nation’s Cybersecurity
EU institutions Cybersecurity regulation
NIS 2.0 Directive
Governments are not just targets for malicious actors, but they also have complex and heavily decentralized public administrations. Because the continuity of state activity is crucial for democracy and the delivery of critical services, public administrations will have to prepare for regulations coming their way.
In the US, the first step taken by the Biden Administration after the SolarWinds attack was to improve the cybersecurity defenses of the Federal Government through the Executive Order on Improving the Nation’s Cybersecurity. This was followed by the adoption of the Binding Operational Directive, which directs federal civilian agencies to better account for what resides on their networks. It sets out “baseline requirements for all Federal Civilian Executive Branch agencies to identify assets and vulnerabilities on their networks and provide data to CISA on defined intervals.” Although the scope includes only federal agencies, CISA (Cybersecurity and Infrastructure Security Agency) recommends that all businesses and public administrations prioritize asset and vulnerability management programs.
On the other side of the Atlantic, two major pieces of cybersecurity legislation in the European Union reflect similar concerns:
- The proposal on measures for a high common level of cybersecurity for EU institutions, bodies, offices and agencies recommends that all EU institutions take measures to raise their cybersecurity level. This includes establishing an internal cybersecurity risk management, governance and control framework, and adopting a cybersecurity strategy to mitigate the risks.
- The revised NIS directive, which will soon come into force, considers central government an essential entity that will be regulated like other critical entities.
Is your digital product secure by default?
UK PSTI bill versus Cyber Resilience Act
In some ways, the US kickstarted the regulatory discussions on the security of digital products with the IoT Cybersecurity Improvement Act of 2020, giving NIST “the authority to manage IoT Cybersecurity risks for devices acquired by the federal government.” However, the real movement to ensure that digital products comply with basic cybersecurity requirements will take place in 2023 with the adoption of the UK Product Security and Telecommunications Infrastructure bill (PSTI) and the EU Cyber Resilience Act (CRA).
So, do they have anything in common?
While the PSTI bill only covers “consumer connectable products” (smart TVs, interconnectable devices, cameras, etc.), the CRA covers a broad category of products with “digital elements”, with a special focus on industrial products like IACS, IIoT or cybersecurity products, which are subject to more stringent requirements.
While the PSTI bill is quite straightforward with requirements derived from the ETSI IoT Cybersecurity standard (ban of default passwords, vulnerability disclosure policy, transparency on security updates), the CRA includes both security and vulnerability management requirements that at this stage do not rely on any specific standard.
Once you, as manufacturer, importer or distributor, place your product in one of these two markets, your product must comply with their respective rules. You will have to document compliance and might need a third-party assessment if you fall under the “most critical products” category of the CRA. After that, market surveillance authorities will enforce the laws.
Fines proposed in the CRA can reach 2.5% of the company’s total worldwide annual revenue, while under the PSTI bill they can go up to 4%.
Some countries (like the US) have a different strategy. President Biden has taken measures to set security standards for software purchased by the government, in hopes that its massive purchasing power can raise cybersecurity standards across the market.
One thing is clear: if your digital product does not comply with the basic cybersecurity requirements, you will not be authorized to place it in the UK or European market, or sell it to the US Government.
Keep an eye on NIS 2.0 and sector-specific regulations, even if you think you’re not critical infrastructure
Cybersecurity Network code
In case you missed it, the NIS directive has been revised. Once it is published in the Official Journal of the European Union, it will have to be transposed by the member states within 21 months.
Ultimately, what matters to your organization is whether your sector is identified in NIS 2.0. To bring homogeneity to the way member states identify entities covered by NIS, the directive has introduced a size-cap rule that applies to “all medium and large entities that operate within the sectors or provide the services covered by the NIS 2 Directive.”
If you aren’t regulated yet, we would recommend that you:
- Start a dialogue with the competent authority in the country of your main establishment, although your business operation might be regulated in several countries
- Analyze and document your compliance (or any gaps) with the current requirements
Keep in mind that the NIS 2.0 directive is not the only law that you have to care about, because sector-specific cybersecurity regulations are also moving forward. In the European financial sector, for example, the DORA regulation is quite close to coming into force. Organizations will then have two years to comply.
In 2023, the European Commission will roll out increased cybersecurity requirements for electricity networks in Europe. In the US, new security directives have been issued to strengthen the transportation sector and associated infrastructure.
More reporting is coming your way
One thing is clear: the earlier we share threats, incidents and vulnerabilities, the easier it is to detect campaigns from threat actors and adapt our defenses. This is why certain governments are introducing or strengthening cybersecurity incident reporting requirements. Here are a few of the significant changes coming for certain organizations:
- If you are an essential or important entity operating in the EU, NIS 2.0 requires you to submit an early warning within 24 hours and an incident notification within 72 hours. It must include the severity, impact and indicators of compromise where available. You then need to submit a final report no later than one month after incident notification.
- If you operate in the US, a new regulation on cyber incident reporting is coming. Following the adoption of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, CISA is developing an approach to implement the cyber incident reporting requirements. One difference from the EU requirements is that the US includes ransom payment in the reporting.
- If you are the manufacturer of a digital product, the CRA requires you to report any incident that has an impact on the security of your product (including the exploited vulnerability) to ENISA within 24 hours.
Data protection and data adequacy decisions
For European organizations operating globally, GDPR has been part of their compliance programme for quite some time, so what matters most is whether adequacy agreements between third countries and the EU are in place to facilitate data flows and compliance while protecting personal data.
One key aspect of data adequacy that has created instability for organizations is the 2020 invalidation by the EU Court of Justice of the EU-US Privacy Shield. Since President Biden signed the Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ on October 7, 2022, the European Commission has, on December 13, 2022, launched the process towards the adoption of an adequacy decision for the EU-U.S. Data Privacy Framework. We will see next year whether this makes the legality of data flows between the EU and the US easier to establish in 2023.
About the author
Responsible for relations with institutional partners and communication for Digital Security
Laurence has held several roles in the European parliament as political advisor, working on regulations related to the digital single market (GDPR, e-privacy, contract law, etc). In her last position at the ANSSI (French national cybersecurity agency), Laurence was European and International Policy Officer, managing the international relations of ANSSI on cybersecurity key topics such as Cloud, IOT, 5G. At Atos, Laurence is responsible for relations with institutional partners and communication for Digital Security.