Data is at the heart of digital transformation. Access to and the ability to use ever-increasing volumes of data are essential factors for innovation. The importance of data, especially in critical sectors, is attracting the attention of Cyber Crime. The issue of cybersecurity and cyber-attacks is increasingly important to our society, faced with a massive increase in attacks all over the world, with huge economic damage for the targeted companies, both public and private. Cyber threats to the country’s system have become increasingly sophisticated and widespread.

The results of the 2023 Threat Landscape, the annual report of the European Union Agency for Cybersecurity (ENISA) which provides a detailed look at the cybersecurity threat landscape, shows an increase in cybersecurity incidents; From July 2022 to June 2023, there were approximately 2,580 incidents, 220 of which specifically concern two or more EU Member States. The most affected sectors include public authorities with 19% and healthcare with 8%. However, 6% of all events are aimed at the manufacturing, transportation, and financial sectors.

In response to the challenges of cybercrime, efforts were made in 2022 to strengthen the framework for cyber security legislation, both at European and national levels, with a series of policies and regulatory proposals, certifications and new EU and national directives aimed at managing cyber risk.

Cyber Security Legislation: The European Overview

In the package of measures for Europe’s digital future, the European Data Strategy is of great importance in the social fabric, proposed in February 2022 with to create a single market for data that ensures Europe’s global competitiveness and data sovereignty.

It consists of a set of legislative initiatives presented by the European Commission and already in force: Digital Services Act (DSA); Digital Markets Act (DMA); Data Governance Act (DGA); Data Act (DA). Also very recently, 11 January 2024 saw the entry into force of the Data Act (DA), which will ensure fairness in the digital environment by clarifying who can create value from data and under what conditions. The data law will come into force in over a year, on 12 September 2025.

At a European level and cascading across member states, it is important to remember the adoption in November 2022 of the NIS II Directive (EU Directive 2022/2055) which updated and revised the NIS (EU Directive 2016/1148) with clearer and more stringent obligations on cyber security, as well as the provision of greater burdens and responsibilities in relation to this issue.

The NIS 2 Directive integrates with the various European regulations and guidelines on data protection and privacy, first of all the EU General Data Protection Regulation 2016/679 (GDPR) but also the DORA Regulation (Digital Operational Resilience Act, EU Regulation 2022/2554), the CER (Critical Entity Resilience) Directive, the Cyber Resilience Act and at the national level, the National Cyber Security Perimeter, established by Decree-Law No. 105 of 2019. This ensures that organisations implement measures deemed appropriate to mitigate risks and ensures that digital products and services are developed with a minimum level of cybersecurity.

The obligations of NIS 2

Article 21 of the NIS 2 Directive defines in paragraph 1 that obliged entities shall take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the information systems and networks that they use in their activities or in the provision of their services, as well as to prevent or minimise the impact of incidents on the recipients of their services and other services.

If you are one of the obliged entities, it is necessary to define, through a gap analysis, what will be the “adequate” technical, operational and organisational measures, with direct reference to the principle of “Accountability” of the GDPR, to protect IT systems and networks by adopting a type of multi-risk approach. Compared to the GDPR, the NIS 2 Directive makes it clearer what these measures may be. The list also includes policies and procedures related to the use of encryption and, if necessary, anonymization or pseudonymization.

Based on the Directive, it will be essential to be able to constantly monitor one’s IT security levels and update the measures taken accordingly according to the vulnerabilities and actual threats, both internal and external, that may affect security. Therefore, the NIS 2 Directive requires a continuous approach to the management of Cybersecurity, through the definition of clear goals and the constant monitoring of the results obtained.

Complying with NIS2 is not only an opportunity to comply with regulations, but also an opportunity to introduce a culture of security as well as technical and organisational best practices that can increase the level of IT security.

Certifications and Safety Standards

At the same time, certification systems and information security standards, such as ISO 27001:2022 and the NIST cybersecurity framework, have also been updated, in relation to which Version 2.0 has been announced for release in February 2024. It is one of the most practical and effective tools for cyber risk analysis, which organisations can use to examine their infrastructure and take proactive measures to identify and address vulnerabilities. 

Recently, in December 2023, an amendment to the 2022 EU bill on the cyber security of connected products, the Cyber Resilience Act (or CRA), was published to strenghten cybersecurity regulations and ensure more secure hardware and software products.

Concerning the Italian regulatory framework, among the initiatives to counter the phenomenon of cyber-attacks, it is also worth mentioning the adoption, by decree of the President of the Council of Ministers of 17 May 2022, of the National Cybersecurity Strategy 2022-2026 with an annexed Implementation Plan, and the start of operations by the National Assessment and Certification Centre (CVCN). The strategy, defined by the National Cybersecurity Agency (ACN), is aimed at achieving 82 measures by 2026 to make the country more cyber-resilient on several fronts.

SECO: guaranteed hardware and software protection

The purpose of this complex and articulated regulatory scenario is, on the one hand, to create the conditions for the development of secure digital products, reducing their vulnerabilities, and on the other hand, to lead those who develop solutions and technologies for the new generation of digital devices to pay greater attention to security throughout the entire product life cycle, considering that the choices made by users are increasingly focused on safe products.

SECO is committed to ensuring the security of its products, both in terms of hardware and software, ensuring a proactive response to cybersecurity challenges. Through security-oriented design, SECO’s hardware devices and Clea software suite are developed to facilitate customers’ compliance with industry regulations, such as the Cyber Resilience Act, CRA, improving the security of IoT devices and strengthening digital resilience.

SECO hardware devices integrate dedicated security components, such as the Trusted Platform Module (TPM), a cryptographic processor designed to implement advanced security measures such as data encryption, and the watchdog timer, a component that ensures a device’s stability and security. By constantly monitoring the operation of the system, the watchdog detects malfunctions or blockages and can trigger automatic corrective actions, minimizing downtime and maintaining operational safety.

These advanced technologies complement software security measures, including the Secure Boot function, which prevents malicious software from booting by only allowing previously authorised and secure Unified Extensible Firmware Interface (UEFI) drivers to run. Furthermore, each device comes with a robust operating system that supports secure remote updates and tolerance to malfunctions in critical systems thanks to the use of dual partitioning, optimised for integration with the Clea software suite. This integrated approach ensures the highest level of security in the construction of data pipelines, and that the OS of devices connected to Clea can be safely updated remotely.

Through the implementation of advanced technologies and safety-oriented design, SECO facilitates the journey of companies towards compliance with European and national directives. This integrated and proactive approach to cybersecurity is reinforced by the collaboration with Exein, whose advanced cybersecurity technology is seamlessly woven into every SECO product, elevating them to be among the most secure IoT offerings in the market. The integration of SECO’s products with Exein’s cutting-edge embedded security solutions is ideal for organisations that wish to not only comply with current regulations but also effectively protect their digital assets in an increasingly connected and vulnerable world.

Need a helping hand to navigate the complexities of the EU Cyber Resilience Act? Get in touch with us: our experts will be delighted to support you in finding the optimal solution customized to fulfill your unique needs.