Cyber resilience: CoESS welcomes upcoming EU legislation and promotes cybersecurity guidelines

Cybersecurity is a top concern both for the security industry and EU regulators. It is essential for businesses to stay ahead of the curve, to strengthen their resilience, and to exchange good practices with peers. After the adoption of the new EU Cyber Resilience Act in the European Parliament, Alexander Frank, Deputy Director General at CoESS, discussed cyber-physical security at the Croatian Security Summit and promoted the CoESS Cybersecurity Guidelines and its White Paper on Cyber-Physical Security in Critical Infrastructure.

In its outgoing legislative term, the European Commission has proposed a wide range of legislation to strengthen cybersecurity and cyber resilience in the European Union, namely:

- EU Cyber Solidarity Act: establishes a governance framework to improve preparedness, detection and response to cybersecurity incidents in the EU.

- NIS 2 Directive: shall enhance the cyber resilience of essential and important entities in a total of 18 sectors, to be transposed by EU Member States by 17 October 2024 (together with the CER Directive, which covers the physical security aspects of Critical Entities).

- An amendment to the EU Cybersecurity Act: establishes a new voluntary cybersecurity certification scheme for managed security services.

- EU Cyber Resilience Act: establishes minimum cybersecurity standards for all connected devices, hence having a concrete impact on technologies bought and used by private security companies; the Regulation comes into force as of 2027 once adopted by EU Member States.

Together with vertical legislation that includes cybersecurity provisions, such as the EU AI Act and the RED Directive, this new legislative framework establishes a far-reaching approach to strengthening the cyber resilience of EU Member States, Critical Infrastructure, and connected products.

During his presentation, Alexander Frank underlined why EU cybersecurity legislation is becoming increasingly important for private security companies, stressing that businesses need to be ahead of the curve and strengthen cyber resilience both internally and within their clients’ infrastructure. To this end, he promoted the CoESS Cybersecurity Guidelines, which were developed in collaboration with Euralarm and provide guidance to security companies on how to strengthen cyber resilience along the security value chain, from product developers to operators of MARCs and response teams.

Another thought-provoking document published by CoESS and the International Security Ligue is the White Paper on “Cyber-Physical Security in Critical Infrastructure”. The Paper stresses that cyber and physical security are often wrongly treated in silos, both operationally and legally. Alexander Frank highlighted the need for security companies and clients to assess the physical impact of cybersecurity incidents, and vice versa. The White Paper gives corresponding guidance on taking such a holistic approach: integrated cyber-physical governance, convergence of physical and IT security, joint risk assessments and penetration tests, and bridging physical and cybersecurity strategies.

Both the Guidelines and the White Paper are available at