Normally, we don’t equate legal complexity with internal collaboration, and the same goes for cyber. “Leave it to the IT department or the CISO’s team” seems to be the prevailing mindset. In the past, that attitude was probably enough to get by, but it isn’t any longer. In the near future, organisations everywhere will have to navigate a much more complex landscape of cyber regulation, and many departments outside IT will have to come together to find the unity and team spirit that are necessary to succeed.
A new threat landscape
Let’s dial back the clock for a minute. We had hardly turned the calendar to 2023 before new stories of cyberattacks emerged in the Danish media. On January 10, several banks, including the Danish National Bank, were hit by a number of DDoS attacks that made websites and services unavailable. And just days before, it was reported that a coordinated and possibly state-sponsored attack had taken place to block GPS signals in Danish waters and airspace, using sophisticated military technology to jam the signals that ships and aeroplanes use to navigate.
Deloitte’s newly released Cyber Survey 2023 confirms these trends. 6 percent of the cyber security leaders interviewed said that in the last 12 months alone, they had experienced not just a successful cyberattack, but one with a material impact on their organisation.
A tsunami of legislation is on the way
European legislators are well aware of these threats and are therefore getting ready to introduce a tsunami of new cyber regulation. Let me just mention the ePrivacy Regulation, the Markets in Crypto-Assets Regulation, the Artificial Intelligence Act, the Digital Markets Act, the Data Governance Act, the Digital Services Act, the Identity Regulation, the Directive on the Resilience of Critical Entities, the Cyber Resilience Act, the Digital Operational Resilience Act, the Chips Act, the European Health Data Space Act, the Data Act and, of course, the Network and Information Security Directive (NIS2), which was approved by the European Parliament in late 2022.
"Apart from the legal complexity itself, what’s also new about the coming EU regulation is that it concerns not only a few companies or critical assets, but a wide range of companies, industries and public organisations."
Going back just a few years, this is a major development from the NIS1 directive, which targeted a narrower set of operators of essential services and digital service providers and in general suffered from many exceptions and weak wording. That approach has clearly changed, at the latest with NIS2, and the EU today is more forceful and determined than ever before to ensure a high common level of cybersecurity across the member states.
Where to start?
No matter past investments or current cyber maturity, what’s certain is that the dramatically expanding scope of cyber security regulation in 2023 and beyond will create many new compliance obligations that organisations need to address. Here are just four ways to get started:
Get an understanding. First, the combined level of complexity arising from the regulation in the EU pipeline is simply such that most companies and public organisations will have to re-assess their basic regulatory landscape. Most of the regulation being introduced spans industries and sectors, so organisations will be caught in the cross-fire, so to speak, rather than just having to comply with traditional industry standards.
Expect regulatory oversight and enforcement. Secondly, following the model of GDPR, the majority of the new cyber security regulation also holds top management accountable for compliance. This means that the appropriate strategies and governance processes can’t just be left to the IT department to implement, but must start with board-level and executive decisions.
Think holistically. Given the many ways in which cyber criminals can attack an organisation, effective security measures need to be widely implemented far beyond the scope of a few cyber specialists or the CISO’s team. Training, processes, technology, governance and collaboration will have to permeate the organisation.
And finally, ignite the passion among your employees. Cyber security is complex, and cyber regulation even more so, but behind all the challenges there has to be a passionate organisation where people come together across functional silos to solve some of the most pressing issues and keep the organisation protected. Don’t underestimate the power of commitment, collaboration, knowledge-sharing and simply caring about each other and about the organisation. It is often the difference between failure and success.
The good news is that there is time to prepare. Used wisely, that time can take the organisation to the next level when it comes to cyber security, and it can also be used to find the passionate talents, inside or outside the organisation, who can bridge the gaps in a collaborative and compassionate way.
Tinnamaria has more than 25 years of experience as a consultant and adviser in the public sector. Building on a solid background as an auditor, she has in-depth experience with the transformation of finance functions through, among other things, the implementation of shared service centres, operational support, financial management, the (re)structuring of finance functions, business implementation, simulation, digitalisation and project management. Tinnamaria has extensive experience in driving solutions and raising the maturity level together with the client, with a particular focus on the cohesion between systems, processes, organisation, governance and competencies, as well as deep insight into and experience with the flow between budget, accounting and the business.