Week 47: Security Legislation Changes
This week, significant updates have occurred in the field of cybersecurity regulations, affecting many organizations across different sectors.
ENISA has published a new report on the costs of implementing the NIS2 Directive, providing valuable insights into cybersecurity investments and organizational maturity. In addition, the Cyber Resilience Act (CRA) has been published in the Official Journal of the European Union and is now available in English.

NIS2 / Cybersecurity Act
ENISA has published its fifth annual report on NIS implementation costs. The report provides decision-makers with information to assess the effectiveness of the EU’s cybersecurity framework by analyzing how the NIS Directive has impacted organizations’ cybersecurity investments and maturity levels. This year, the report provides a baseline overview of the new sectors and entities falling under the scope of NIS2.
Data was collected from 1,350 organizations across all 27 EU Member States, covering all NIS2 sectors and organizational sizes. Here are a few key findings from the report:
- Organizations spend approximately 9.0% of their IT budget on security, representing a significant increase of 1.9 percentage points compared to last year.
- Organizations allocate 11.1% of their IT staff to security.
- 89% of organizations need additional cybersecurity personnel to comply with the NIS2 Directive, primarily in the areas of cybersecurity architecture and engineering (46%) and cybersecurity operations (40%).
- 90% of entities expect cyberattacks to increase in the coming year. Despite this, participation in cyber preparedness initiatives is mainly internal, with 74% of organizations conducting such exercises within their own companies.
Link to ENISA’s publication: https://www.enisa.europa.eu/publications/nis-investments-2024
CRA (Cyber Resilience Act)
The regulation was published on November 20, 2024, in the Official Journal of the European Union and is now available to read.
With the entry into force of the CRA, the key deadlines for companies are as follows:
- December 10, 2024: CRA enters into force.
- September 11, 2026: Reporting obligations for manufacturers become applicable.
- December 1, 2027: All provisions of the CRA become fully applicable.
Link to the regulation: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847
Link to the National Cyber Security Centre (NCSC-FI) CRA page: https://www.kyberturvallisuuskeskus.fi/en/our-activities/regulation-and-supervision/cyber-resilience-act-cra
Conclusion
Tekve Oy offers support in navigating and implementing legislative requirements, so feel free to contact us. See you next week!