Cybersecurity 2025

INTRODUCTION  Contributed by: Christian Schröder and Odey Hardan, Orrick

tive applies to companies in sectors deemed critical and listed in Annex I and Annex II of the Directive, including digital infrastructure and certain manufacturing industries. Specifically, it affects entities such as internet exchange point operators, DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, and providers of publicly available electronic communications services. Additionally, digital service providers such as online search engines, online marketplaces and social networking platforms, as well as manufacturers of electrical equipment, data processing devices and medical devices, and companies in the machinery and automotive industries, are also covered. The Directive sets out obligations for essential and important entities, such as digital service providers and operators of critical infrastructure, to implement cybersecurity risk management measures, conduct regular cybersecurity audits, and report significant incidents to national authorities. By holding management bodies personally accountable for compliance, NIS2 ensures that cybersecurity is prioritised at the highest levels of organisational leadership.

In addition to NIS2, the EU has introduced the Digital Operational Resilience Act (DORA), which targets the financial sector. The Regulation addresses the critical role of information and communication technologies (ICT) in the financial sector, the sector's exposure to cyber threats, and its dependencies on external service providers. DORA requires financial entities to establish a comprehensive ICT risk management framework and subjects critical ICT third-party service providers to a dedicated oversight regime; it also mandates regular testing of digital operational resilience. The framework must address ICT risk and ensure a high level of digital operational resilience, and it must include the strategies, policies, procedures, protocols and tools necessary to protect all information and ICT assets. The principles of proportionality and a risk-based approach are emphasised in DORA, requiring the framework to be tailored to the company's processes and technical means. To maintain a high level of protection, financial entities must continuously test their digital operational resilience. They must establish a programme to assess their defensive readiness, identify vulnerabilities and weaknesses, and implement corrective measures. Tests must be conducted by independent internal or external parties, with sufficient resources allocated to avoid conflicts of interest.

The Cyber Resilience Act (CRA) further complements the EU's cybersecurity framework by addressing the security of products with digital elements. The CRA imposes life cycle security obligations on manufacturers, importers and distributors, requiring them to conduct cybersecurity risk assessments, manage vulnerabilities throughout the product's support period, and report actively exploited vulnerabilities and severe incidents to the European Union Agency for Cybersecurity (ENISA) and the competent national CSIRT within specified timeframes. By focusing on the security of digital products, the CRA aims to mitigate vulnerabilities and enhance user trust in the digital marketplace. The CRA complements other legislation such as NIS2. It applies to all products that can be connected, directly or indirectly, to other devices or networks, with some exclusions such as open-source software that is not supplied in the course of a commercial activity and products already covered by sector-specific rules (eg, medical devices, aviation and motor vehicles).

One of the key challenges in cybersecurity regulation is the harmonisation of standards across jurisdictions. While the EU has made strides in creating a unified cybersecurity framework, achieving global consensus remains a complex task. Differences in legal systems, regulatory approaches and levels of technological development can hinder efforts to establish common standards. However, international co-operation and dialogue are essential to overcoming these
