Image: New laws have been brought in to build cybersecurity resilience. (Unsplash/Crew)
Cybersecurity rules saw big changes in 2024. Here’s what to know
Spencer Feingold
Digital Editor, World Economic Forum
Filipe Beato
Lead, Centre for Cybersecurity, World Economic Forum
- Governments worldwide are enacting regulations to bolster cybersecurity resilience.
- In 2024, new laws went into force in major economies such as the European Union, the United States and Singapore.
- The evolving regulatory landscape comes as emerging technologies like artificial intelligence continue to have a major impact on cybersecurity.
In 2024, significant new cybersecurity rules were enacted in major economies around the world, effectively transforming the global regulatory environment.
The regulations come as business leaders are increasingly open to enhanced cybersecurity rules. In fact, the World Economic Forum’s latest Global Cybersecurity Outlook found that 60% of executives believe proper cyber and privacy regulations effectively reduce risk – a major increase from 21% in 2022.
The new laws, some of which strengthened previously enacted rules, were designed to provide enhanced cybersecurity guardrails that could stymie evolving cyber threats, including cybercriminals’ growing use of advanced technologies such as artificial intelligence.
Here are four major developments related to cybersecurity regulations from around the world.
1. The European Union’s NIS2
Today, 17 October 2024, marks the deadline for European Union member states to transpose the Network and Information Security (NIS) Directive 2 into applicable national law – and begin enforcing the updated cybersecurity rules.
The NIS2 Directive, which was enacted in early 2023 and had a 21-month implementation period, was designed to strengthen cybersecurity resilience and harmonize regulations across the bloc. In particular, the regulations aim to beef up the EU’s cybersecurity capabilities around critical infrastructure such as energy systems, healthcare networks and transportation services.
The directive also introduced new mechanisms to enhance cooperation between national authorities and formally established a network (EU-CyCLONe) to coordinate the response to large-scale cyber incidents. In addition, it compels in-scope organizations to submit an early warning to their national authority within 24 hours of becoming aware of a significant incident, followed by a fuller incident notification within 72 hours. Companies that fail to meet these requirements can face heavy fines.
In 2021, the World Economic Forum contributed to the development of NIS2 with a report detailing how to effectively build cyber resilience in the EU. A significant focus of the report looked at countering cyber threats to energy systems.
“Critical energy infrastructure organizations must adapt quickly to the pace of change in the digital threat landscape, to improve detection, prevention, response and recovery from increasingly frequent, larger-scale and more sophisticated cyber attacks,” the report notes. “Moreover, the digital nature of emerging technologies makes them intrinsically vulnerable to cyber attacks that can take a multitude of forms – from data theft and ransomware to the overtaking of systems with potentially large-scale harmful consequences.”
2. The US National Cybersecurity Strategy
In May 2024, the US government announced that several aspects of the US National Cybersecurity Strategy were advanced or had gone into force this year.
This includes progress on scores of objectives, among them developing cybersecurity scenario exercises to help critical infrastructure owners prepare for attacks by nation states and other malicious cyber actors, and proposing changes to the way the government buys Internet of Things devices to ensure they are secure by design. The strategy also aims to keep the US at the forefront of developing cybersecurity standards, and to build international partnerships against malicious cyber actors through the State Department’s Bureau of Cyberspace and Digital Policy.
First released in early 2023, the US National Cybersecurity Strategy was designed to “secure the full benefits of a safe and secure digital ecosystem for all Americans” and bolster collaboration between the public and private sectors to ensure a secure cyber ecosystem, according to a White House statement.
Specifically, the statement notes, the US strategy outlines two “fundamental shifts” in how the US approaches cybersecurity. This includes 1) shifting the “burden for cybersecurity away from individuals, small businesses, local governments, and infrastructure operators, and onto the organizations that are most capable and best-positioned to reduce risks” and 2) incentivizing “long-term investments by striking a careful balance between defending [the US] against urgent threats today and simultaneously strategically planning for and investing in a resilient future.”
In 2024, the US also issued an executive order to bolster cybersecurity at ports. The directive tasked the US Department of Homeland Security with assessing maritime cyber threats and strengthening the cybersecurity of the systems that operate US ports.
3. Singapore’s Operational Technology Cybersecurity Masterplan
Singapore’s Operational Technology Cybersecurity Masterplan 2024, released in August 2024 by the Cyber Security Agency of Singapore (CSA), is a national plan rather than a statute; it aims to bolster cybersecurity around the technology that underpins much of a modern economy.
Such technology, known as operational technology (OT), includes much of the digital equipment that interfaces with the physical world. This includes, for instance, traffic light controllers, fuel station pumps and energy grid control systems.
The plan, the CSA noted in a statement, is part of “continuous efforts to enhance the security and resilience of organisations operating industrial control systems, as well as those utilising OT technologies that support physical control functions.”
The secure-by-deployment principles set out in Singapore’s masterplan place equal responsibility on technology manufacturers, installers and end users to ensure that OT devices are secure upon delivery and remain so throughout the equipment’s lifecycle.
More than 60 organizations came together to develop the masterplan, which was designed to dissuade and thwart cyberattacks from sources ranging from organized cybercrime to state-sponsored attacks. The plan describes cybersecurity as “a team sport” in which a range of stakeholders take responsibility for security.
“The updated Masterplan 2024 reflects the evolving maturity of the OT ecosystem and the dynamic nature of cyber threats targeting OT systems in the wake of geopolitical and technological shifts,” CSA added.
4. The European Cyber Resilience Act
In 2024, the EU formally adopted the Cyber Resilience Act (CRA), which mandates bolstered cybersecurity mechanisms in a wide variety of everyday hardware and software products. Most of its obligations apply only after a transition period of roughly three years, so manufacturers have time to adapt before enforcement begins.
“From baby-monitors to smart-watches, products and software that contain a digital component are omnipresent in our daily lives,” the European Commission noted in a statement. “Less apparent to many users is the security risk such products and software may present.”
The CRA aims to guarantee that cybersecurity requirements are maintained throughout the entire lifecycle of digital products. The regulation introduces harmonized cybersecurity rules for placing products with digital elements on the market, together with a framework of requirements governing the planning, design, development and maintenance of such products, including vulnerability-handling and reporting duties for manufacturers. It mandates that these obligations be adhered to at every stage of the value chain.
Moreover, to give consumers greater visibility, products that comply with the CRA will carry the CE marking.
“By requiring manufacturers and retailers to prioritise cybersecurity, customers and businesses would be empowered to make better-informed choices,” the European Commission added.
A cyber-secure future
The evolving global cybersecurity regulatory environment comes as leaders in government and business are increasingly aware of the growing threat of cyberattacks and a rapidly shifting risk landscape.
Nonetheless, the Forum’s Global Cybersecurity Outlook 2024 notes that there is still a wide gap between those organizations taking decisive action and those grappling with cybersecurity challenges without a strategic view of long-term solutions.
Figure: The gulf between cyber-secure organizations and those at risk continues to widen. (Image: Global Cybersecurity Outlook, 2024)
Moreover, in addition to highlighting the risks of growing cyber inequity, the Forum’s report details the “profound impact” that emerging technologies like artificial intelligence are having on cybersecurity.
“As organizations race to adopt new technologies, such as generative artificial intelligence (AI), a basic understanding is needed of the immediate, mid-term and long-term implications of these technologies for their cyber-resilience posture,” the report notes.
The outlook adds that “the path forward demands strategic thinking, concerted action and a steadfast commitment to cyber resilience.”