There is no legal definition of cyber resilience. Loosely interpreted, the term can be defined as a company’s resistance to hacker attacks and preparation for the failure of system-relevant components.
Cybercrime poses one of the greatest threats to companies, notes the BSI in its 2022 Situation Report. It is therefore crucial for the success and survival of companies to be prepared for these threats and to build up appropriate cyber resilience.
To establish a general resilience against cyber attacks in Europe, the EU has launched the Cyber Resilience Act (CRA) and NIS2.
We have been supporting our customers in achieving the best possible security standard for 15 years. We see the new standardization through the Cyber Resilience Act as an opportunity and are happy to help our customers use it for even more security.
With the Cyber Resilience Act, or CRA for short, the EU Commission provides for new binding security requirements for products with digital elements. This applies not only to products sold to end consumers, but also to products used in a company's own production, sourced as intermediate products and processed further, and which are thus part of supply chains. The CRA provides for a number of measures to enhance the cybersecurity of products.
The new European cybersecurity regulations for industrial companies, such as the Cyber Resilience Act or NIS-2, may seem complex at first. However, these regulations can be your allies when it comes to effectively protecting against cyber attacks.
The European Commission proposes to establish risk-adequate cybersecurity measures for the above-mentioned products in the phases of design, development and production as well as during marketing and use.
In doing so, the European Commission differentiates according to the criticality of the products:
- Non-critical products with digital elements (e.g., storage media, graphics programs)
- Class I: critical products with digital elements (e.g., browsers, password managers, firewalls, microcontrollers)
- Class II: critical products with digital elements (e.g., routers or firewalls for industrial use, IoT devices)
- Highly critical products with digital elements
The European Commission estimates that about 90 percent of products will fall into the non-critical category. Manufacturers and distributors dealing in critical products will be subject to stricter requirements, particularly with regard to conformity assessment, which will be based on harmonized EU standards. Compliance with the standards will be indicated by the CE marking on the product, with national market surveillance authorities monitoring proper implementation.
The CRA defines lifecycle security requirements:
- Reporting known vulnerabilities and known exploits to ENISA within 24 hours
- Reporting incidents to product users, including remediation actions
- Reporting identified vulnerabilities in third-party elements to the appropriate third-party vendors
Product vendors must provide:
- A Software Bill of Materials (SBOM) for the products
- A vulnerability scan showing no vulnerabilities, in order to obtain CE certification
- Continuous vulnerability scans
- A process and infrastructure for documenting and reporting product vulnerabilities
Companies are called upon by the Cyber Resilience Act to carry out vulnerability analyses and external audits on a regular, permanent and sustainable basis. We can help you comply with the requirements. The Greenbone Vulnerability Management product series, the Greenbone Enterprise Appliances, enable compliance with the CRA on-premises or in the cloud.
The NIS-2 directive, an important part of the EU’s digital strategy “Shaping Europe’s Digital Future”, aims to enhance cybersecurity across Europe by better protecting organizations and critical infrastructure from cyber threats and ensuring a high common level of security across the EU. The directive came into force on January 16, 2023, and EU member states have until October 17, 2024, to incorporate the rules into their national laws.
The directive distinguishes between “essential” (very critical) sectors and “important” (other critical) sectors.
Sectors such as energy, transport, finance, healthcare, digital infrastructure and public administration fall into the first category, while the second category includes manufacturing, postal services, chemicals and more.
Which companies within these sectors are covered by the directive is determined by each country’s laws.
For affected companies, the NIS-2 directive brings new responsibilities. They must report cybersecurity incidents to authorities based on certain criteria:
- Early warning: notification within 24 hours of becoming aware of an incident
- Incident notification: notification within 72 hours of becoming aware of an incident
- Interim report
- Progress report: for unresolved incidents, one month after the incident notification
- Final report: within one month of the incident notification, or one month after the incident has been fully handled
- Voluntary reporting is also an option
Companies must also actively manage risk and comply with standards for network and system security, incident handling, crisis management, secure supply chains and asset management. The protection mechanisms and technologies used must be up to date. Countries could even introduce certification requirements to demonstrate compliance.
In Germany, the NIS-2 directive will lead to adjustments in the existing IT Security Act 2.0 or a possible new law. German CRITIS operators with an established information security management system (ISMS) and reliable cybersecurity technology are well prepared and likely need only minor adjustments. This directive sets the stage for a more robust cybersecurity landscape across all industries.
The European Parliament and the Council are examining the currently submitted proposal for the Cyber Resilience Act.
Once adopted, economic operators and member states will have two years to adapt to the new requirements.
The obligation to report actively exploited vulnerabilities and incidents will apply after one year.
The Commission will regularly monitor compliance with the new cybersecurity rules for the EU and sanction non-compliance if necessary.
The NIS-2 Directive was published in the Official Journal L333 of the European Union on 27.12.2022. On January 16, 2023, the new NIS2 Directive entered into force. The EU member states have 21 months, i.e. until October 2024, to transpose the directive into national law. From this date, the provisions will apply to all affected companies.
We can help you comply with the requirements.
We would be happy to work with you to develop your individual vulnerability management process – tailored to your systems, your structures and your requirements.
Would you like to test our solution?