What The EU’s Changes To The Cybersecurity Act Mean For Businesses
The European Union is continuing its efforts to strengthen cyber resilience across the bloc by adopting new amendments to the Cybersecurity Act (CSA) that mandate certification schemes for managed security services.
These changes will create new compliance obligations for both the suppliers and end users of cybersecurity services such as incident response and penetration testing platforms. But as tiresome as such regulatory changes can be, experts argue that they could bolster the cyber defences and competitiveness of many affected firms.
A Tightened Cybersecurity Regime
According to Phil McGowan, systems engineer at managed cybersecurity platform Huntress, the upcoming CSA amendments will significantly alter how companies implement cybersecurity strategies and meet their compliance obligations in the foreseeable future.
Specifically, he says these changes will place “greater emphasis on proactive risk management, transparency and accountability” amid a constantly evolving cyber threat landscape.
He adds that as a result, businesses will likely face more pressure to protect sensitive information, report cybersecurity breaches in a timely manner, and demonstrate compliance by undertaking security audits and acquiring industry certifications.
McGowan tells ISMS.online: “In essence, the amendments are designed to ensure that organisations prioritise cybersecurity as an IT issue and a critical component of their overall business resilience and operational strategy.”
According to Ralph Arrate, AI and cyber security partner at law firm Spencer West LLP, these amendments, coupled with new laws like the Digital Operational Resilience Act, the Cyber Resilience Act, and the NIS2 Directive, are a clear indication that the EU is tightening its oversight of cybersecurity matters in the region.
Arrate believes that they will establish a robust, consistent cybersecurity regime that aims to improve confidence in technology products and services among European businesses.
He explains that the EU hopes to achieve this by making certifications an important requirement for digital products, services, and processes. In practice, this means firms will need to conduct a “comprehensive review of existing security measures.”
Despite Brexit, these rules will also impact many UK-based businesses. Arrate says British firms with European operations and trading partners will be compelled to take a “meticulous approach” to IT security and product lifecycle management.
Although some UK business owners may see these rules as a regulatory headache, they could be beneficial in the long run. According to Arrate, acquiring an EU Cybersecurity Certification (EUCC) could help them “gain a competitive edge” as it is a sign of “quality and trustworthiness”.
But some IT vendors may be less optimistic about the amendments, with Arrate arguing that they will “bring added bureaucracy”. He adds: “Many players in this sector already comply with US NIST or ISO standards, which do not map exactly to the new EUCC requirements.”
Sean Wright, head of application security at fraud and financial crime management platform Featurespace, sees the CSA amendments as a positive development for businesses and the broader cybersecurity landscape.
He says many organisations currently spend “extraordinary” sums on cybersecurity products that don’t deliver their advertised benefits, giving firms a “false sense of security”.
However, Wright is confident that well-established standards, such as the new CSA rules, will combat this by ensuring that certified products perform their intended jobs. He continues: “Additionally, having a service provider that you can rely on, as well as faith in, allows organisations to offload some of the complex aspects of information security to those who are better equipped to handle such items.”
Complying With These Amendments
When it comes to complying with these rules, Arrate says businesses first need to assess whether they are within their scope. He explains that the amendments in question are targeted at companies that offer managed security services, 5G, IT applications, and other digital products and services.
Impacted businesses should then audit existing cybersecurity processes and compare them to the requirements set out by this legislation. Doing so, according to Arrate, will enable organisations to find any weaknesses in their cyber defences and tackle them accordingly in order to avoid regulatory action. Arrate also encourages businesses to contact certification bodies as quickly as possible because this is the key to understanding the requirements of different schemes.
Other key recommendations from Arrate include adopting secure-by-design principles in all product development stages, collaborating closely with suppliers on supply chain security standards, and implementing a comprehensive incident response plan. Most importantly, he urges businesses to monitor these requirements as they evolve to ensure compliance with the latest rules.
As businesses implement software updates, perform cybersecurity procedures, and respond to incidents, Spencer Starkey—executive VP of EMEA at American cybersecurity firm SonicWall—says it’s vital that they document all these steps to comply with the CSA. He says, “This documentation is crucial during regulatory audits, demonstrating the company’s commitment to cybersecurity best practices.”
Given that human error is a leading cause of cybersecurity incidents, Starkey says businesses of all sizes should educate their employees about the latest online threats and how to tackle them. He views this as a prerequisite for “effective compliance with the CSA amendments”.
The Importance Of Structured Frameworks
Complying with new regulations like the CSA amendments can be an overwhelming prospect for many businesses. However, there are different ways to streamline this process, such as professional frameworks and software.
Adopting an industry standard like ISO 27001 is an excellent option for businesses impacted by the CSA changes because it offers them a uniform way of handling information security-related issues, argues Nick Palmer, solutions engineer at attack surface management and threat hunting specialist Censys.
He continues: “Certification demonstrates adherence to global best practices, streamlines audits, and reduces duplication of effort when meeting overlapping standards, making regulatory compliance more efficient and effective.”
The latest cybersecurity software can also reduce compliance complexity by offering pre-configured settings, automation, and high scalability, all of which are consistent with regulatory requirements, says Palmer. “They can help centralise threat detection, monitoring, and response, eliminating the need for businesses to build and maintain these capabilities in-house.”
Palmer says cybersecurity platforms can also ensure readiness for the latest rules by providing real-time software updates, integrations with standards, and customer support to help businesses navigate the fast-changing threat and regulatory landscapes. He continues: “Additionally, as per the previous points, those vendors offering solutions with CSA compliance already baked in will have a significant advantage.”
Broader Implications
The CSA amendments will undoubtedly have big implications for the cybersecurity landscape and corporate world over the coming years. On a positive note, Arrate predicts that their strict and uniform nature will “elevate the baseline level of security across industries.” He explains, “Businesses are now compelled to integrate cybersecurity as a core consideration, which in turn strengthens the digital ecosystem as a whole.”
Ilona Cohen, chief legal and policy officer at bug bounty and vulnerability disclosure platform HackerOne, agrees that the certifications have the potential to improve the outcome of bloc-wide cybersecurity processes.
However, this depends on how well they are designed, which Cohen admits is not simple as industry best practices are constantly changing. She says: “ENISA [The European Union Agency for Cybersecurity] must also ensure alignment with the many, many cybersecurity policies that the EU has passed in recent years like CRA, DORA and NIS2.”
So, how can European regulators overcome these challenges and ensure their certification schemes are fit for purpose? Cohen calls on them to compel managed service providers to adopt the same best practices that other key sectors are expected to follow. She says: “This includes establishing robust vulnerability disclosure programs (VDP), implementing authentication best practices, and ensuring data protection.”
Overall, the upcoming changes to the CSA seem like a smart move for the European Union as its ambitions for a digital single market grow. For technology vendors, offering certified security products will help them stand out from their competitors.
Meanwhile, end users get greater peace of mind that they will receive a return on their IT investments. Of course, some will see these changes as yet another layer of bureaucracy. But that’s where established industry standards and SaaS products can help by streamlining compliance processes.