How will the regulatory and legislative changes continue to drive cyber security spend in 2023?

Regulatory Spotlight - McDonald, Global Head of Compliance Services and Verona Hulse, UK Head of Public Affairs at NCC Group.

01 March 2023

By NCC Group

Regulation and legislation are constantly adapting to the ever-changing cyber security landscape. This is particularly evident for organisations that support critical economic and social functions, which have been a focus for governments and regulators in recent years. However, we are also seeing new laws and regulations affecting manufacturers of electronic goods, software developers and the use of emerging technologies like Artificial Intelligence (AI).

As these requirements evolve, they will undoubtedly influence the direction of cyber security spend. Indeed, the European Union Agency for Cybersecurity (ENISA) recently published its third NIS Investments report, which concluded that the NIS Directive and other regulatory obligations, alongside the threat landscape, are among the main factors influencing information security budgets. Whether organisations are applying new regulations and legislation to their existing systems, products and services, or taking new products to market, they will need to invest to be compliant. Many will also face the challenge of navigating different requirements for the same products in different regions.

But do legislation and regulation drive the right kind of investment?

Or are the costs of compliance just another burden placed on businesses? It is our view that considered, evidence-based regulation can drive better security outcomes for all and reduce costs by enabling future-proof systems that, by design, avoid mistakes that are expensive to fix later.

Whatever the shape of these emerging laws and regulations, we support our clients in navigating this increasingly complex landscape and achieving compliance. Through this work, we have seen a host of regulatory changes introduced across the globe in the last few months alone, with three key trends emerging:

Government activity to identify and secure critical infrastructure has ramped up

Several new cybersecurity laws and regulations have been enacted, introduced or signalled as nations attempt to protect critical infrastructure from threat actors.

The European Union (EU) adopted NIS2 and DORA in December 2022, significantly expanding what it means to be critical infrastructure, strengthening supply chain requirements in financial services and implementing tight compliance deadlines. The United Kingdom (UK) also confirmed its plans to update and strengthen NIS regulations and the Australian Government has begun developing its new Cyber Security Strategy which will place the utmost importance on critical infrastructure resilience. The United States is also gearing up for the release of Biden’s national cyber strategy, aiming to enforce comprehensive regulation for the nation’s critical infrastructure.

Increasing the cyber hygiene of all organisations has to be a positive move. Greater regulation can significantly influence decision-making, protecting organisations, end-users and consumers alike. It can help to level the playing field against malicious actors by making it harder to exploit weaknesses such as legacy, unprotected devices. However, we must also recognise that tougher regulations pose a challenge for multinational organisations, which must satisfy differing rules to remain compliant in every jurisdiction. Building a compliance programme to manage these legislative requirements can be complex, time-consuming and expensive. This drives a need for specialist security advisory services to help affected organisations achieve the right level of assurance to meet evolving, cross-jurisdiction obligations.

Stricter cybersecurity laws for Internet of Things (IoT) devices

Stricter laws for Internet of Things (IoT) devices and software are also being enacted by governments, with some disparities across regions. The UK, for example, is taking a piecemeal approach, introducing product-specific laws and policies such as the Product Security and Telecoms Infrastructure Act (which focuses on consumer IoT devices) and a new Code of Practice for App Stores and App Developers. Meanwhile, the EU is taking a more holistic approach with the cross-sectoral Cyber Resilience Act, which covers almost all software and hardware products connected to the internet.

A focus on principles-based regulatory frameworks for emerging technology

Governments are increasingly recognising that keeping up with the pace of technological evolution is nearly impossible. We are seeing this in the attempt to govern AI. AI decision-making is being opened up to greater scrutiny, whether in the US blueprint for an AI Bill of Rights, the UK’s forthcoming AI White Paper, or the European Commission’s AI Act. In all of these cases, policymakers are looking to develop broader, more flexible frameworks and principles rather than implementing detailed cybersecurity requirements.

Given the nature of the cybersecurity landscape, the difficulty for regulatory bodies is to keep pace with technological change and remain relevant as the industry shifts. This creates challenges for organisations as they attempt to navigate growing threats while balancing cyber security investment against regulatory requirements. Though complex, it is not impossible: by striking the right balance based on need, organisations can build a truly resilient operation in the face of ongoing change.
