A Primer on Regulations for High Common Level of Cybersecurity Across EU Agencies

The European Union has recently promulgated a regulation for a “high” common level of cybersecurity across EU agencies. This article briefly shares its key recommendations and their implications for member states and agencies.

To its credit, the regulation starts from the correct premise: EU agencies face a highly skilled, motivated and well-funded set of adversaries, often backed by nation states. However, as the regulation “charitably notes”, the agencies have very varied capacity and capability to secure themselves as well as to react and respond to specific threats. So what does the regulation recommend? How much of it is new and interesting, and how much of it is “old wine” in a new bottle?

Risk management framework

Each EU entity is required to establish a “risk management, governance and control framework”. This is nothing new; however, the regulation goes further and mandates some specific requirements:

  • An “all hazards approach” that looks holistically not just at the ICT systems but also at the physical infrastructure in which these systems operate
  • A regular cybersecurity maturity assessment whose results are integrated into the action plan
  • An action-oriented plan that addresses the residual risks identified by the framework
  • The framework must be reviewed every four years and the plan every two years. This is very specific and a good recommendation: it forces agencies to review, and reckon with, the changing threat landscape periodically.

Source code transparency and promotion of open-source code

The regulation mandates that the agencies make their source code “transparent”. Of course, this is subject to contractual confidentiality obligations arising from the use of vendors’ applications and proprietary source code. But the regulation’s aim is to ensure as much source code transparency and peer review as possible. The regulators clearly view open-source transparency as a key instrument in minimizing the “devil in the detail” backdoors and vulnerabilities that have become a mainstay of bad actors in the past couple of years. The regulators’ intentions are also clear from the follow-on requirement to prefer and “promote” the use of open-source tools for building agencies’ systems and workflows.

Money, money, money ...

However, the most significant part of this regulation is tucked away in a nondescript section (14). It requires the agencies to allocate an adequate level of cybersecurity budget and an “…adequate percentage of its ICT budget...” for executing the control plan in line with their own cybersecurity risk framework. In fact, it goes even further to state that in the longer term an “…indicative target of at least 10%…” of the ICT budget should be pursued. Of course, the regulation does not define what it means by longer term, but it is a significant step toward breaking the vicious cycle of cybersecurity underinvestment, in which neglect leads to increased vulnerability that needs progressively more money to fix.

CERT-EU and (another) new regulatory agency

The regulation recognizes that the agility and effectiveness of the response to a cybersecurity incident are crucial to minimizing its impact. It assigns more tasks and an expanded role to CERT-EU and sets it up to succeed in an even more complex and insecure world of cybersecurity threats.

Finally, the regulation sets up a new body called the “Inter-institutional Cybersecurity Board” (“IICB”). This Board will have an exclusive role in the implementation of this regulation across all EU agencies in all EU member states. The regulation equips the Board with supervisory as well as enforcement authority. The most significant of these is the authority to impose the extreme and punitive measure of “suspending data flows” to an EU entity that is proven to be guilty of “long-term, deliberate, repetitive and serious infringement” of the regulation. The Board will also have the authority to enforce disclosure, reviews and audits of all EU agencies that fall within its remit.

Who will benefit?

This marks a significant strengthening of the cybersecurity controls enforcement structure within EU agencies. As the regulation is rolled out, it will have a wide range of impacts on other participants in this ecosystem. In my opinion, we should expect:

  1. Cybersecurity and “foundational ICT” investments (e.g. identity management, “manageable” OT/IoT systems, lifecycle refresh for security support) to rise significantly as EU agencies ramp up their infrastructure spending to align with the requirements of this regulation
  2. A surge of opportunities for professional service providers to help agencies develop their cybersecurity risk management framework and cybersecurity action plan, as well as to perform periodic audits. I expect research to quantify this addressable market soon
  3. Huge demand for trained cybersecurity staff across many EU agencies. Existing staff need to be trained and new staff with niche skills need to be hired. Both of these represent potential opportunities for the cybersecurity industry


Citations

https://europeansting.com/2024/01/09/new-rules-to-boost-cybersecurity-of-the-eu-institutions-enter-into-force/

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202302841


Naren Radhakrishnan

CEO & Founder at Dstreamer Tech

10 months

Good one Suvabrata Sinha. As usual the EU takes the lead on cyber sec regulations and administration. Which agency at a country level will be accountable for the implementation etc? The respective CERT? One potential area of confusion could be that everyone has an IT budget, so the 10% guideline mentioned will be 10% of whose budget?

Dipti Rawal

LinkedIn Top Voice | Global Corporate Communications Leader | Leadership Communications & Personal Branding Coach | GCC Employer Branding Strategist | Expert in AI-Driven Communications Practices I IIM-A, NIT Surat

10 months

Such a well-articulated article Suvabrata Sinha! These measures are important and it will be interesting to see them unfold.
