In the face of ubiquitous and increasingly aggressive cyber-threats, organisations have no choice but to take steps to protect their infrastructure and resources, in order to anticipate and prevent cyberattacks wherever possible. They do so not only in their own interest and in the interests of the third parties – customers, suppliers or service providers – with whom they interact, but also because of an increasing number of ever-stricter regulations, which can create inertia about taking practical action. Indeed, this rise in regulatory requirements, although aimed at strengthening the security of organisations, could paradoxically harm their competitiveness and, in some cases, negatively impact the end customer experience.

According to the 2024 CESIN barometer, 7 out of 10 companies now claim to be affected by at least one regulation, including NIS, DORA, the Cyber Resilience Act and the Cyberscore. With cyberattacks having grown in both number and sophistication, the EU has expanded the regulatory framework to support organisations in adopting appropriate security measures and to improve the protection of critical infrastructure and sensitive data. However, the companies in question may feel helpless in the face of an accumulation of regulations, compounded by a lack of information and by the fact that technological innovation remains well ahead of the implementation of these regulations – as has been the case with the IoT, and more recently with AI, to name but a few examples.


Increased overlap of regulations and their scope of application

The NIS1 Directive, which came into force in 2016, laid the groundwork for cybersecurity in Europe, with a focus on technological and regulatory measures to strengthen the resilience of critical infrastructure. It encouraged standardised cybersecurity management by introducing risk management and encouraging companies to continuously improve their security protocols. The NIS2 Directive, which enters into force at EU Member State level in October 2024, represents a significant expansion of NIS1. In particular, it will cover a wider range of sectors and sizes of organisations – 600 types in France spread across eighteen sectors – in order to strengthen the security ecosystem by securing every link in the supply chain. NIS2 also introduces executive responsibility, with potential sanctions in the event of breaches, so that executives engage more seriously and proactively in cyber risk management.

However, a crucial issue raised by the extension of NIS2 is the capacity of the national control body – which in France is the ANSSI. Without a significant increase in the number of consultant staff, controls could be limited to random checks, potentially reducing the effectiveness of the Directive. In addition to these control issues, there is the question of the scope of the various laws: while regulations like NIS2 and DORA share similarities such as risk analysis, reporting requirements and supply chain control, their applications differ. While NIS2 applies to various sectors, DORA specifically targets the financial sector. This distinction raises questions over the specific and complementary nature of DORA compared to NIS2, underlining the need to tailor cybersecurity measures to the specific characteristics of each sector.


Impacts of legislative complexity on organisations’ costs and competitiveness

The proliferation of cybersecurity laws and regulations also poses a financial challenge for businesses. Each new directive, aimed at enhancing security, entails additional costs. First, companies must invest in an audit that will enable them to assess their security systems and approach against what the regulations require. Next, there are the costs associated with deploying advanced technologies that address specific cybersecurity issues, and therefore meet specific requirements; these changes then require employee training so that staff can use these tools efficiently and appropriately. These investments, which are necessary to meet high standards, can lead companies to raise prices for their goods and services. Moreover, these costs have an impact on international competitiveness: European companies may become less competitive compared to other regions in which regulations are less strict.

Another issue raised by the new regulations is the lack of a specialised cybersecurity workforce. Companies need to recruit more experts to comply, increasing the demand for these specific skills in the labour market. The shortage of qualified cybersecurity professionals is already being felt, and this growing demand is exacerbating the situation. This creates pressure on the sector, making it even more difficult for companies that are struggling to find the necessary human resources to comply with the new regulations. Lastly, potential costs related to sanctions for non-compliance – such as fines, reputational damage and customer losses in the event of a data compromise – also need to be factored in.


Cybersecurity, regulations and a return to reason

Experts are all too aware of the proliferation of current regulations, along with additional sector-specific standards (DORA, Basel III, HDS, etc.). Their similarity is striking, as rules and practices overlap to a great extent. This is understandable, because information systems in the banking sector are fundamentally similar, as they are in industry. The differences are marginal, and require specific technical adjustments. For example, a Modbus device is not protected in the same way as a SQL database. In both cases, though, it is essential for remote maintenance staff to be strongly authenticated, and for accounts to be regularly audited.

Such a proliferation could give the impression that each entity is seeking to establish its own rules. This regulatory “arms race” could lead to cost inflation (with the burden ultimately falling on individuals) without significantly improving security. That is why it is vitally important to return to a more rational approach, both for our economy and for our security.


Simple solutions to multiple regulations

Regardless of the standard or regulation in force, it is essential to bear in mind that the information system is a core pillar of a company’s business, and therefore deserves appropriate protection.

Rather than going into detail over the necessary measures, it is better to focus on these key points:

  • Incorporate the topic of cybersecurity at Executive Committee level: cybersecurity needs to be treated with the same importance as physical or human risks;
  • Manage security according to risk levels: this approach enables resources to be allocated wisely, aligning them with the specific needs of the business;
  • Adopt core best practices: perform regular backups that are tested and verified; use basic security solutions such as firewalls, antivirus and multi-factor authentication; and keep systems up to date;
  • Surround yourself with trusted partners: choose reliable partners to ensure you receive adequate support.

Ultimately, the transition from NIS1 to NIS2 and the arrival of various new regulations lead to increased coverage and greater legal responsibility for executives without actually representing a major step forward. At the same time, these changes in laws and regulations raise challenges relating to costs, legislative complexity and a shortage of skilled labour to comply with them. Companies will therefore be required to implement effective strategies and practical solutions to meet the new requirements, while maintaining their competitiveness in the international market, with the aim of ensuring their business remains sustainable.

About the author
Sébastien Viou Cybersecurity Product Director & Cyber-Evangelist, Stormshield

Fan of fighting sports (ju-jitsu, kick-boxing, ice hockey), Sébastien also has a passion for mechanics. The real thing, the one where all the parts are dismantled and reassembled until all the mechanisms are understood. An obvious parallel with his missions at Stormshield, where he is in charge of shedding light on developments, innovations and trends in cyber-threats.