European Union (EU) legislation NIS2, the Resilience of Critical Entities (CER) and the Digital Operational Resilience Act (DORA), recently came into force to bolster cybersecurity requirements to protect critical and digital infrastructure for applicable entities in member states.
According to Fitch Ratings, the stronger cybersecurity postures that come from complying with these regulations are directionally positive but neutral to credit ratings.
Cyberattacks represent tail risks
Cyberattacks represent tail risks, or low probability events that can nonetheless have significant impact. Fitch has not taken a rating action on any issuer as a result of cyberattacks, which are hard to predict and quantify, making them difficult to model in our ratings analysis.
External cyber risk is any risk that comes from outside your organization or its extended ecosystem. These are the threats you might think about first when you think of cyber risk: cyberattacks, phishing, ransomware, DDoS attacks — any attack that comes from the outside world.
Proper cyber hygiene and strong controls will not by themselves lead to positive ratings movement, although poor controls could result in negative rating actions if proven to be material to an entity’s finances and/or reputation.
A cyber event could increase regulatory scrutiny and litigation. Risk management is critical, but it is not a guarantee against cyberattacks: if your risk assessment indicates your business may be more vulnerable than you thought, it is worth looking into specialized coverage for some peace of mind. Some of the biggest cyber threats stem from the move to new technologies, like the Internet of Things (IoT) in insurance. As networks disperse and more devices gain greater connectivity, security measures will have to evolve, too.
The NIS2 Directive, which replaces its 2016 predecessor NIS, expands the sectors covered to fifteen from the original NIS list and bolsters cybersecurity rules for EU organizations.
The CER directive, replacing the European Critical Infrastructure Directive of 2008, is intended to strengthen critical infrastructure and networks against cyberattack threats including natural hazards, terrorist attacks, insider threats or sabotage.
Member states have until Oct. 17, 2024, to transpose the two directives into national law. The DORA regulation will apply from Jan. 17, 2025 and sets uniform requirements on digital operational resilience and information security for the financial sector and critical third parties which provide information and communication technology services to it.
Cyber regulation supersedes national laws
The DORA regulation supersedes national laws and targets Europe’s financial sector, including banks, insurance companies and investment firms, to make it more resilient against cyberattacks.
NIS2 expands into new sectors based on degree of digitization and interconnectedness as well as potential societal and economic effects.
It includes ten key requirements for all companies, including incident handling, supply chain security, vulnerability handling and disclosure, and the use of cryptography and encryption.
EU Cyber Legislation Has Expanded in Scope
| Date | Legislation | Summary |
|---|---|---|
| May-16 | NIS Directive | Sectors covered include healthcare, transport, banking and financial market infrastructure, digital infrastructure, water supply, energy and digital service providers. |
| Mar-19 | EU Cyber Security Act | Established an EU framework for cybersecurity certification of products, services and processes, and reinforced the mandate of the EU Agency for Cybersecurity (ENISA). |
| Sept-22 | Cyber Resilience Act Proposal | Commission adopts proposal for cybersecurity requirements for digital hardware/software products. |
| Nov-22 | Digital Operational Resilience Act Adoption | DORA regulation establishes uniform requirements for the security of network and information systems supporting the business processes of financial entities. This includes information and communication technology (ICT) risk management; reporting of major incidents and voluntary notification of significant cyber threats; digital operational resilience testing; and rules for the oversight framework for critical ICT third-party service providers. |
| Jan-23 | NIS2 Replaces NIS Directive | Expanded sectors to providers of public electronic communications networks or services, digital services, social networking platforms and data center services, wastewater and waste management, manufacturing of critical products, space, postal and courier services, public administration and food, and expanded the scope of the healthcare sector. |
| Jan-23 | CER Directive | The Resilience of Critical Entities directive strengthens the resilience of critical infrastructure against cyber risk related to natural hazards, terrorist attacks, insider threats or sabotage, and applies to 11 sectors deemed critical: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space and food. |
| Oct-24 | NIS2, CER Directives | Compliance deadline |
| Jan-25 | DORA | DORA regulation applies |
NIS2 defines and meaningfully expands the scope and number of organizations that are subject to its requirements. Member states no longer have discretion over which “essential” entities are subject to the obligations of the directive.
Compliance may be more difficult for small-to-medium companies in unregulated industries that lack robust cybersecurity infrastructure, putting them more at risk than critical infrastructure and large companies in regulated industries.
Cybersecurity budgets are increasingly under pressure amid reduced revenue outlooks, growing recessionary risks and economic uncertainty, which could increase the risk of attacks.
Chart: Cost, Frequency of Global Cyberattacks is Rising. Cost of cyberattacks rose 29% in 2022 (data compiled from 550 organizations in 17 countries across 17 industries impacted by data breaches).
AUTHORS: Gerald B. Glombicki – Senior Director, Insurance Fitch Ratings, Konstantin Yakimovich – Senior Director, Financial Institutions Enhanced Analytics, Laura Kaster – Senior Director Fitch Wire North and South American Financials
Fact checked by Oleg Parashchak