Verder naar navigatie Doorgaan naar hoofdinhoud Ga naar de voettekst

How will the regulatory and legislative changes continue to drive cyber security spend in 2023?

Regulatory Spotlight - McDonald, Global Head of Compliance Services and Verona Hulse, UK Head of Public Affairs at NCC Group.

01 maart 2023

door NCC Group

Regulation and legislation is constantly adapting to the ever-changing cyber security landscape. This is particularly evident for organisations who support critical economic and social functions, who have been a focus for governments and regulators in recent years. However, we are also seeing new laws and regulations affecting manufacturers of electronic goods, software developers and the use of emerging technologies like Artificial Intelligence (AI).

As these requirements evolve it will undoubtedly influence the direction of cyber security spend. Indeed, The European Union Agency for Cybersecurity (ENISA) recently published its third NIS Investments report, which concluded that the NIS Directive and other regulatory obligations, alongside the threat landscape, are some of the main factors influencing information security budgets. Whether organisations are applying new regulations and legislation to their existing systems, products and services, or taking new products to market, they will need to invest to be compliant. Many will also face the challenge of navigating different requirements for the same products in different regions.

But do legislation and regulation drive the right kind of investment?

Or are the costs of compliance just another burden placed on businesses? It is our view that considered, evidence-based regulation can drive better security outcomes for all and reduce costs by enabling future-proof systems that, by their design, avoid mistakes that are expensive to fix later.

Whatever the shape of these emerging laws and regulations, we support our clients to navigate this increasingly complex landscape and comply. Through this work, we have seen a host of regulatory changes introduced across the globe in the last few months alone, with three key trends emerging:

Government activity to identify and secure critical infrastructure has ramped up

Several new cybersecurity laws and regulations have been enacted, introduced or signalled as nations attempt to protect critical infrastructure from threat actors.

The European Union (EU) adopted NIS2 and DORA in December 2022, significantly expanding what it means to be critical infrastructure, strengthening supply chain requirements in financial services and implementing tight compliance deadlines. The United Kingdom (UK) also confirmed its plans to update and strengthen NIS regulations and the Australian Government has begun developing its new Cyber Security Strategy which will place the utmost importance on critical infrastructure resilience. The United States is also gearing up for the release of Biden’s national cyber strategy, aiming to enforce comprehensive regulation for the nation’s critical infrastructure.

Increasing the cyber hygiene of all organisations has to be a positive move. Greater regulation can significantly help to influence decision-making, protecting organisations, end-users and consumers alike. It can help to level the playing field with malicious actors by making it harder to exploit vulnerabilities like legacy unprotected devices. However, we must also recognise that tougher regulations pose a challenge for multinational organisations that must comply with differing rules to remain compliant in all jurisdictions. Building a compliance program to manage these legislative requirements can be complex, time consuming and expensive. This drives a need for specialist security advisory services to help affected organisations achieve the right level of assurance to meet evolving, cross-jurisdiction obligations.

Stricter cybersecurity laws for Internet of Things (IoT) devices

Stricter laws for Internet of Things (IoT) devices and software are also being enacted by governments – with some disparities across regions. The UK, for example, is taking a piecemeal approach – introducing product-specific laws and policies like the Product Security and Telecoms Infrastructure Act (which focuses on consumer IoT devices) and a new Code of Practice for App Stores and App Developers. Meanwhile, the EU is taking a more holistic approach with the cross-sectoral Cyber Resilience Act which covers almost all software and hardware products connected to the internet.

A focus on principles-based regulatory frameworks for emerging technology

Governments are increasingly recognising that keeping up with the pace of technological evolution is nearly impossible. We are seeing this in the attempt to govern AI. AI decision-making is being opened up to greater scrutiny, whether in the US blueprint for an AI Bill of Rights, the UK’s forthcoming AI White Paper, or the European Commission’s AI Act. In all of these cases, policymakers are looking to develop broader, more flexible frameworks and principles rather than implementing detailed cybersecurity requirements.

Given the nature of the cybersecurity landscape, the difficulty for regulatory bodies is to keep pace with technological change and remain relevant as the industry shifts. This creates challenges for organisations, as they attempt to navigate growing threats, and in turn balance cyber security investment and regulatory requirements. Though complex, it is not impossible – by striking the right balance based on need, organisations can build a truly resilient operation in the face of ongoing change.

Want to know more?

Read the full magazine.