Cyber Security Regulation: essential guide to data protection and privacy

European and national cyber security legislation sets the framework for data protection and privacy. Let's take a look at the rules and standards that aim to ensure secure hardware and software products.

Data is at the heart of digital transformation. Access to, and the ability to use, ever-increasing data volumes is essential for innovation. The importance of data, especially in critical sectors, is attracting the attention of cybercrime, and cybersecurity and cyber-attacks are increasingly important issues for our society. We are faced with a massive increase in attacks all over the world, with huge economic damage for the targeted companies, both public and private. Cyber threats to national systems have become increasingly sophisticated and widespread.

The results of the 2023 Threat Landscape, the annual report of the European Union Agency for Cybersecurity (ENISA) which provides a detailed look at the cybersecurity threat landscape, show an increase in cybersecurity incidents. From July 2022 to June 2023, there were approximately 2,580 incidents, 220 of which specifically concerned two or more EU Member States. The most affected sectors were public administration with 19% and healthcare with 8%, while 6% of all events were aimed at the manufacturing, transport and financial sectors.

In response to the challenges of cybercrime, efforts were made in 2022 to strengthen the framework for cybersecurity legislation, both at the European and national level, with a series of policies and regulatory proposals, certifications, and new EU and national directives aimed at managing cyber risk.

Cyber Security Legislation: The European Overview

Within the package of measures for Europe's digital future, the European Data Strategy, proposed in February 2022, plays a central role: it aims to create a single market for data that ensures Europe's global competitiveness and data sovereignty.

It consists of a set of legislative initiatives presented by the European Commission and already in force: the Digital Services Act (DSA), the Digital Markets Act (DMA), the Data Governance Act (DGA) and the Data Act (DA). The most recent of these, the Data Act, entered into force on 11 January 2024; it ensures fairness in the digital environment by clarifying who can create value from data and under what conditions, and it becomes applicable more than a year later, on 12 September 2025.

At the European level, and cascading across Member States, it is essential to remember the adoption in November 2022 of the NIS 2 Directive, which updated and revised the NIS Directive (EU Directive 2016/1148) with clearer and more stringent cyber security obligations and heavier burdens and responsibilities for the entities it covers.

The NIS 2 Directive integrates with the various European regulations and guidelines on data protection and privacy: first and foremost the EU General Data Protection Regulation 2016/679 (GDPR), but also the DORA Regulation (Digital Operational Resilience Act, EU Regulation 2022/2554), the CER (Critical Entities Resilience) Directive, the Cyber Resilience Act and, at the national level, the National Cyber Security Perimeter established by Decree-Law No. 105 of 2019. Together these ensure that organisations implement appropriate measures to mitigate risks and that digital products and services are developed with a minimum level of cybersecurity.

The obligations of NIS 2

Article 21, paragraph 1, of the NIS 2 Directive requires obliged entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the network and information systems they use in their activities or in the provision of their services, and to prevent or minimise the impact of incidents on the recipients of their services and on other services.

If you are an obliged entity, you must define, through a gap analysis, which technical, operational and organisational measures are "adequate" to protect your IT systems and networks, adopting a multi-risk approach and with direct reference to the GDPR principle of accountability. Compared to the GDPR, the NIS 2 Directive is more explicit about what these measures may be: the list includes policies and procedures on the use of encryption and, where necessary, anonymisation or pseudonymisation.

According to the Directive, it is essential to constantly monitor one's IT security level and to update the measures taken in line with the vulnerabilities and actual threats, both internal and external, that may affect security. The NIS 2 Directive therefore requires a continuous approach to cybersecurity management, built on clear goals and constant monitoring of the results obtained.

Complying with NIS 2 is not only a regulatory obligation but also an opportunity to introduce a culture of security and the technical and organisational best practices that raise the level of IT security.

Certifications and Security Standards

At the same time, certification schemes and information security standards have also been updated, such as ISO 27001:2022 and the NIST Cybersecurity Framework, whose version 2.0 has been announced for release in February 2024. The NIST framework is one of the most practical and effective tools for cyber risk analysis: organisations can use it to examine their infrastructure and take proactive measures to identify and address vulnerabilities. More recently, in December 2023, an amendment to the 2022 EU proposal on the cybersecurity of connected products, the Cyber Resilience Act (CRA), was published to strengthen cybersecurity requirements and ensure more secure hardware and software products.

Regarding the Italian regulatory framework, among the initiatives to counter cyber-attacks it is also worth mentioning the adoption, by decree of the President of the Council of Ministers of 17 May 2022, of the National Cybersecurity Strategy 2022-2026 with its annexed Implementation Plan, and the start of operations of the National Assessment and Certification Centre (CVCN). The strategy, defined by the National Cybersecurity Agency (ACN), aims to implement 82 measures by 2026 to make the country more cyber-resilient on several fronts.

SECO: guaranteed hardware and software protection

The purpose of this complex and articulated regulatory scenario is twofold: on the one hand, to create the conditions for the development of secure digital products with fewer vulnerabilities; on the other, to lead those who develop solutions and technologies for the new generation of digital devices to pay greater attention to security throughout the entire product life cycle, given that users increasingly choose secure products.

SECO is committed to ensuring the security of its products, both hardware and software, and to responding proactively to cybersecurity challenges. Through security-oriented design, SECO's hardware devices and Clea software suite are developed to facilitate customers' compliance with industry regulations such as the Cyber Resilience Act (CRA), improve the security of IoT devices, and strengthen digital resilience.

SECO hardware devices integrate dedicated security components such as the Trusted Platform Module (TPM), a cryptographic processor designed to implement advanced security measures such as data encryption, and the watchdog timer, which ensures a device's stability and security. By constantly monitoring the system's operation, the watchdog detects malfunctions or hangs and can trigger automatic corrective actions, minimising downtime and maintaining safe operation.

These hardware technologies complement software security measures, including the Secure Boot function, which prevents malicious software from booting by only allowing previously authorised Unified Extensible Firmware Interface (UEFI) drivers to run. Furthermore, each device comes with a robust operating system, optimised for integration with the Clea software suite, that supports secure remote updates and tolerates critical system malfunctions thanks to dual partitioning. This integrated approach ensures a high level of security in the construction of data pipelines, and that the OS of devices connected to Clea can be safely updated remotely.
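As an added illustration of how dual partitioning and a watchdog together tolerate a failed remote update, here is a constructed model (not SECO's or Clea's implementation; the slot names, the three-reset policy and the `boots_ok` flag are assumptions):

```python
from __future__ import annotations
from dataclasses import dataclass, field

MAX_BOOT_ATTEMPTS = 3  # assumed policy: watchdog resets tolerated before rollback

@dataclass
class Slot:
    version: str
    boots_ok: bool  # constructed stand-in for "this image reaches a healthy state"

@dataclass
class Device:
    slots: dict[str, Slot]
    active: str                   # slot the bootloader will start next
    attempts: int = 0             # boots of the active slot since the last update
    log: list[str] = field(default_factory=list)

    def remote_update(self, version: str, boots_ok: bool) -> None:
        """Write the new image into the inactive slot and make it active;
        the old image stays in place as the fallback."""
        target = "B" if self.active == "A" else "A"
        self.slots[target] = Slot(version, boots_ok)
        self.active, self.attempts = target, 0
        self.log.append(f"update: {version} written to slot {target}")

    def boot_cycle(self) -> str | None:
        """One power-on: a healthy userspace kicks the watchdog; a hung image is
        reset, and after MAX_BOOT_ATTEMPTS resets the bootloader switches slot."""
        slot = self.slots[self.active]
        self.attempts += 1
        if slot.boots_ok:
            self.attempts = 0
            self.log.append(f"boot: slot {self.active} ({slot.version}) healthy")
            return self.active
        self.log.append(f"watchdog: slot {self.active} hung, reset {self.attempts}")
        if self.attempts >= MAX_BOOT_ATTEMPTS:
            self.active, self.attempts = "B" if self.active == "A" else "A", 0
            self.log.append(f"rollback: falling back to slot {self.active}")
        return None

    def run(self, max_cycles: int = 10) -> str:
        # Power-cycle until a slot boots healthy; return that image's version.
        for _ in range(max_cycles):
            if self.boot_cycle() is not None:
                return self.slots[self.active].version
        raise RuntimeError("no bootable slot")

def bad_update_rolls_back() -> str:
    # Constructed scenario: a broken remote update must not brick the device.
    dev = Device({"A": Slot("1.0", True), "B": Slot("0.9", True)}, active="A")
    dev.remote_update("1.1-broken", boots_ok=False)  # lands in slot B
    return dev.run()  # -> "1.0", booted from slot A after three watchdog resets
```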

Through the implementation of advanced technologies and security-oriented design, SECO facilitates companies' journeys towards compliance with European and national directives. This integrated and proactive approach to cybersecurity makes SECO products well suited to organisations that wish to comply with current regulations and effectively protect their digital assets in an increasingly connected and vulnerable world.