The Cyber Resilience Act (CRA) and the second edition of the Network and Information Security Directive (NIS2) are set to impact the security industry by raising standards, increasing demand for cybersecurity services, fostering innovation, and emphasising the importance of resilience in the face of cyber threats.
The European Union is actively working to reduce the risk of cyber-attacks to organisations. Business leaders reviewing their compliance now would do well to partner with manufacturers, such as Hanwha Vision, that are committed to cybersecurity and ahead of the curve in complying with NIS2 and CRA.
The European Parliament and European Council have long been vigilant around data use and protection, particularly personal data. However, with cybercrime on the rise and with more and more opportunities for malicious actors to exploit networks and connected devices as technology platforms increase exponentially, legislators are shoring up the cyber defences of EU member states and the organisations operating within them.
The European Union Agency for Cybersecurity, ENISA, reveals that new threats to cybersecurity are emerging because of the wealth of data that devices can now collect; advances in AI, which make cyber-attacks more complex and scalable; supply-chain targeting (with third-party incidents accounting for 17% of intrusions in 2021 compared to less than 1% in 2020); and Internet of Things (IoT) devices being used as gateways to larger attacks. Amid this landscape comes the new CRA, and a replacement for the original NIS Directive that directly addresses the new threats.
The European Parliament and Council adopted the NIS2 Directive in December 2020. It gives member states until October 2024 to transpose the requirements of NIS2 into their national laws. Ultimately, the Directive aims to improve the cybersecurity of network and information systems across the EU.
It applies to both Operators of Essential Services (OES) and Digital Service Providers (DSPs) – identifying where an organisation fits into this is key to understanding its obligations. OES, which include energy firms, transport, banking, and healthcare, provide critical services to the economy and society. DSPs provide online services to many users, and include search engines, social media platforms, and online marketplaces. As a video technology manufacturer, Hanwha Vision is defined as a DSP.
The first NIS focused solely on OES. However, given the increasing prevalence of digital services that can be a weak link exploited by malicious actors, NIS2 expands requirements to DSPs. It ensures that DSPs take appropriate measures to manage the risk posed to their networks and information systems.
The best way to future-proof against cyber-attacks is to work exclusively with manufacturers that can prove their readiness for NIS2 compliance and have a strong track record of cybersecurity best practices. Although the exact requirements are yet to be legislated by the EU, a safe bet for now is to look for CRA compliance, as there is every chance that a CRA-compliant manufacturer will also be NIS2 compliant.
With more smart devices in businesses and homes, the European Commission is looking to ensure adequate cybersecurity in every product used within member states, with regular security updates throughout the product lifecycle. To help business leaders and consumers identify compliant products, the CE marking will appear on any product or software that meets the requirements. The CRA applies to products that connect to the internet, for example smart TVs, WiFi routers, smart fridges and video cameras.
Although the Act is being deliberated by the European Parliament and Council, and likely won’t come into force until 2024 at the earliest, Hanwha Vision is already following the CRA's guidelines owing to the comprehensive cybersecurity processes it has implemented.
Vendors must also show that they are conducting regular risk assessments to identify, assess, and mitigate any risks to their network. This is something that Hanwha Vision’s Security-Computer Emergency Response Team (S-CERT) regularly carries out, including penetration testing and security checks.
Hanwha Vision’s products are all designed and developed with security in mind, with UL CAP Certification in the Wisenet 7 Advanced System On Chip (SoC). To further improve security for all of its users, Hanwha Vision regularly publishes potential threats and vulnerabilities as part of an open disclosure policy and provides users with information about their products’ security features and how to use these.
Certifications including UL CAP (UL Cybersecurity Assurance Program) and NDAA (National Defense Authorization Act) compliance, or accreditations such as the UK’s Cyber Essentials scheme, can provide further confidence. In particular, since NDAA compliance requires manufacturing companies to avoid manufacturing in blacklisted countries and to avoid using silicon chips and other components from them, it can be an important indicator of the cyber-resilience of a manufacturer’s supply chain.
Finally, knowledge and resource sharing, as well as contributing to the CVE vulnerability library (Hanwha Vision is a CVE Partner), can show a long-term commitment to improving cybersecurity.