The EU’s proposed Cyber Resilience Act, which would introduce cybersecurity standards and regulations for all products and connected devices, is not enough to actually mitigate the increasing risk of cyberattacks.
There is no question that the act, first introduced late last year by European Commission president Ursula Von der Leyen in her State of the Union address, is admirable and may go a long way toward raising awareness about cybersecurity and cybercrime. Heightened threats continue, especially from Russia and China, and are aimed at Europe and the United States—these attacks could ultimately affect civilians. With the proliferation of connected devices, attack surfaces and the potential consequences for both governments and civilians are also growing at record rates.
“If everything is connected, everything can be hacked,” Von der Leyen said. But, even if the regulation—along with another proposal known as NIS2 that would set out uniform cybersecurity standards for those providing critical services—is eventually approved later this year, it will not reduce the number of attacks or the increasing damage they cause. This is true of cybersecurity regulations in general, including the updated password compliance directives from the National Institute of Standards and Technology (NIST) in the U.S.; on their own, they are not sufficient and may even provide a false sense of security.
Regulations Are the Outcome of Attacks
These regulations arose after a number of significant cyberattacks were conducted or discovered over the last few years, especially in 2021. One of the major reasons the proposed EU regulations will not materially address cyber risk is that they are reactive, not proactive, and will likely be out of date by the time they are approved and adopted. Malicious actors constantly change their tactics and, combined with the constant change in technologies and software, these threats are extremely dynamic, exploiting known and unknown vulnerabilities at organizations and disrupting legitimate processes.
This requires constant vigilance, active threat hunting and threat intelligence to avoid the damage inflicted on a company’s reputation.
At their core, these moves by American and European agencies are well-intentioned: they try to better combat cybercriminals and attackers by creating a baseline level of cybersecurity and network conduct in government, civilian and critical entities, and they include reporting requirements and time frames within which companies must remedy incidents.
But such regulations will also likely be too broad to bring real protection to any one sector or organization’s product or service. Cybersecurity maturity and capability vary widely between sectors; for example, the financial sector is more advanced than the retail and medical fields—and FinTech is even ahead of a lot of companies in the high-tech field—when it comes to overall cybersecurity. Smaller supply chain companies are also easier targets than big ones. For that reason, programs and processes used by one sector or one organization are not necessarily applicable or relevant to others.