Europe's Cyber Puzzle: ITI Connects the Pieces for Stronger Security
- Dean Charlton
- 9 hours ago
The ITI's call for a review of the EU Cybersecurity Act, particularly its focus on refining the European Cybersecurity Certification Framework (ECCF), has significant implications for other key pieces of EU cybersecurity legislation: NIS2, DORA, and the Cyber Resilience Act (CRA). These regulations, while distinct in their scope, are increasingly interconnected, and the ITI's recommendations aim to ensure greater coherence and effectiveness across the entire EU cybersecurity landscape.

NIS2 (Network and Information Systems Directive 2):
NIS2 significantly broadens the scope of its predecessor, imposing stricter cybersecurity and incident reporting requirements on a wider range of critical and important entities across various sectors (e.g., energy, transport, healthcare, digital infrastructure).
Impact of ITI recommendations: The ITI's push for strengthened stakeholder input and streamlined certification under the Cybersecurity Act could directly benefit NIS2 compliance. If the ECCF becomes more agile and industry-aligned, it can provide clearer benchmarks and easier pathways for entities to demonstrate compliance with NIS2's cybersecurity requirements.
Harmonisation: A more effective and harmonised ECCF, as advocated by ITI, could reduce the burden on organisations trying to meet NIS2's diverse obligations across different member states, leading to more consistent security practices.
Incident Reporting: The ITI's desire for simplified reporting obligations under the Cybersecurity Act could influence how incident reporting under NIS2 is handled. While NIS2 has strict reporting deadlines, a unified and less fragmented approach stemming from the Cybersecurity Act could make it easier for entities to comply without unnecessary duplication.
DORA (Digital Operational Resilience Act):
DORA is a specific regulation for the financial sector, focusing on the digital operational resilience of financial entities and their ICT third-party service providers. It prioritises the ability to withstand, respond to, and recover from ICT-related disruptions.
Lex Specialis: DORA is considered "lex specialis" (a more specific law) to NIS2 for the financial sector, meaning DORA's requirements often take precedence. However, the underlying principles of cybersecurity and resilience remain interconnected.
Certification and Supply Chain: The ITI's emphasis on new, targeted certification schemes (e.g., for Managed Security Services) under the Cybersecurity Act could directly support DORA's focus on managing ICT third-party risks. If ICT service providers to the financial sector can demonstrate their security posture through robust, recognised certifications, it simplifies due diligence for financial entities under DORA.
Operational Resilience Testing: A more mature and globally aligned ECCF could also contribute to the effectiveness of DORA's mandated operational resilience testing, including threat-led penetration testing (TLPT).
Cyber Resilience Act (CRA):
The CRA aims to enhance the cybersecurity of products with digital elements by imposing mandatory cybersecurity requirements throughout their lifecycle, from design to end-of-life. It applies to manufacturers, importers, and distributors.
Direct Link to Certification: The CRA has a very direct link to the Cybersecurity Act's certification framework. The ITI's recommendations for an improved ECCF are crucial for the CRA's successful implementation. The CRA mandates that certain critical products may require third-party conformity assessments, and the ECCF provides the mechanism for such certifications.
Secure by Design: The ITI's support for building on existing legislation and leveraging industry-driven standards within the ECCF will be vital for products covered by the CRA to demonstrate "security by design and by default."
Clarity and Consistency: The ITI's call for harmonising and coordinating cybersecurity efforts across EU initiatives is particularly relevant for the CRA. Without clear alignment between the CRA and the Cybersecurity Act's certification schemes, there is a risk of fragmented and potentially conflicting requirements for manufacturers.
The ITI's recommendations for revising the EU Cybersecurity Act are not isolated but form a critical part of the broader effort to create a robust and cohesive cybersecurity framework in Europe. By refining the ECCF and streamlining processes, these recommendations aim to improve the effectiveness and ease of compliance for entities under NIS2, strengthen the digital operational resilience mandated by DORA, and provide a clear, consistent pathway for product security under the Cyber Resilience Act.
The ultimate goal is to foster a more secure and competitive digital single market!