Publication 22 Jan 2024 · International

Safety in the digital economy


In December 2020, the European Commission unveiled a new cybersecurity strategy for the current decade. The evolution of cyber risks and advancing digitalisation of critical infrastructure called for an urgent update of its rules and standards, the Commission said at the time.

Since then, digital threats to citizens, businesses and government organisations have only increased. Organisations have been tormented by a wave of ransomware attacks, while the war in Ukraine “has mobilised many hacktivists, cybercriminals and state sponsored groups”, according to the Commission.  

The strategy has led to new regulation, with new requirements for businesses on the horizon. In September 2022, the Commission presented a proposal for a new Cyber Resilience Act, which would introduce “mandatory cybersecurity requirements for products with digital elements”, including any software or connected hardware products.

Then, in January 2023, the EU adopted its revised Networks and Information Security Directive (NIS2). NIS2 significantly expands the scope of the rules to encompass digital and managed service providers and introduces new incident reporting requirements for regulated bodies, among other new obligations. EU member states are required to implement NIS2 into law by October 2024. The UK government, meanwhile, is now in consultation over its adoption of the NIS2 regulations.

 

83% of respondents expect cybersecurity regulation to pose commercial threats

Cyber safety regulations: a double-edged sword

Although cyber safety regulation is primarily focused on eliminating risk, nearly nine out of ten respondents (87%) believe that these recent and upcoming rules offer commercial opportunities (see Figure 8). This is especially true of content providers and respondents in the banking and finance sector.

The greatest commercial opportunity from cyber safety regulation, respondents believe, is improved access to data and analytics. There are many ways in which cyber safety regulation might increase this access. For example, if the Cyber Resilience Act succeeds in making digital products secure, consumers and businesses may be more inclined to use them, offering greater opportunities for data collection and use.

But this regulation also poses commercial threats, according to 83% of respondents – more than any other area of digital regulation included in the study – including 18% who expect these threats to be significant. Platform providers are the most alert to this, with 91% expecting commercial threats to arise from cyber safety regulation, while the automotive sector is the least concerned (68%).


€29bn Estimated compliance cost of Cyber Resilience Act.

Increased technology adoption costs are the most widely anticipated threat. This demonstrates that respondents expect increased controls to require investment in technology and personnel. This is followed by a reduced ability to innovate, suggesting a fear that new security rules will make it harder to develop and launch new products and processes (although this perhaps overlooks the crucial role of trust in user adoption of new technology innovations).

More than eight out of ten respondents also expect cyber safety regulation to have negative legal implications. Increased legal costs to ensure compliance are again the most widely anticipated legal implication, followed by increased technology costs (see Figure 9).

The Commission estimates that the aggregated compliance costs of the Cyber Resilience Act will be €29bn, against a total market value of qualifying products of €1.4trn. As a result, it warns, consumers and citizens may face higher prices for products with digital elements.

Businesses stand to gain a lot from a safer digital economy in Europe. The annual, global cost of cybercrime was an estimated €5.5trn in 2020, twice the amount in 2015. But every organisation has a role to play in improving cyber safety, and businesses understand that the EU’s proposed regulatory approach will incur costs.

Those companies that make a plan for compliance with cyber safety regulations, and incorporate it into their digital transformation strategies, will be better placed to accommodate those costs and capture opportunities to offset them.
