The panel, which consisted of Christiane Kirketerp de Viron (Acting Director for Digital Society, Trust & Cybersecurity at the European Commission), Johan Klykens (Director of the Certification Authority for CCB), Steve Purser (an independent cyber security consultant), Marc Vauclair (technology manager at NXP Semiconductors) and Sebastien Deleersnyder (CTO of Toreon), was moderated by Liliana Musetan (Head of Unit at the Council of the European Union).
Christiane Kirketerp de Viron explained why the EU is at the forefront of cyber security regulations: “The fundamental logic should be that the software we buy and use, whether for government offices or businesses, is secure by design. However, the current market seems to be focused more on innovation and the rapid launch of new products and services than on cyber security. The goal of the NIS2 is thus to safeguard critical entities and their supply chains, while the Cyber Resilience Act (CRA) aims to stimulate and facilitate self-assessment within the industry.”
Good regulation, smart implementation
While these new regulations serve a higher purpose, the devil remains in the details. “New rules should be well-tailored and smartly implemented,” Johan Klykens remarked. “Europe has a very good model and the CRA certification scheme is straightforward. Hopefully it grows into a global system, because the more countries that adopt it, the more efficient it will become for everyone involved.”
At NXP Semiconductors, Marc Vauclair and his colleagues have been preparing for some time for the new CRA requirements. “Within our technology groups, we look ahead and have already been working for some time to comply with the CRA. As providers of chips to our customers, the need is to ensure that the hardware remains upgradeable in the field. This has a big impact on our product development. Ultimately, we are creating the building blocks for better cyber resilience.”
Compliance and risk management are intertwined
The panellists also discussed how to convince companies to comply with new cyber security regulations. “They need to understand what the legislation means for them specifically. Compliance is important, but they should also be looking at risk management,” according to Steve Purser. “That means cyber security experts have to be able to speak directly to the board, so the latter can support management decision-making and accelerate awareness throughout the organisation.”
A security culture is a key success factor. Sebastien Deleersnyder explained, “We’re seeing many new rules for organisations, and security-by-design is definitely the way forward for CRA compliance. This requires implementing a secure development lifecycle, from inception. Train developers on security coding and how to operate the systems safely in the field. If the DevOps team has a security mindset, you will succeed.”
Certification thus enhances cyber security but is not enough on its own: awareness remains critical. “We have been telling our people this for 20 years,” Marc Vauclair stated. “Our training programmes have been tailored to all the different roles in the company.” Sebastien Deleersnyder added: “We bring people together in ‘workshop mode’ to look into technical security vulnerabilities, but also at doomsday scenarios for our customers’ businesses. This can be an eye-opener for developers who hadn’t fully grasped the impact of what they were doing. After doing this, they really start to bother.”