Dealing with cyber: not if, but when


The cybersecurity landscape is evolving: cyber threats are rising and the regulatory burden is growing, with new EU rules such as NIS2, DORA and the CRA taking effect. Today cyber threats rank among the greatest business risks. Cyber resilience is therefore no longer optional. Are you prepared?

October marked Cybersecurity Awareness Month, a reminder of how far we have come and of the new challenges we face. From Bell's telephone to generative AI, digital transformation has changed the way we work and live. Companies have become fully dependent on connected systems, with data as their greatest asset, fueling their decisions, efficiency and growth.

While this presents many opportunities, it also carries great risks. What is of value to your company may be even more valuable to others. Cyberattacks, impersonation, deepfakes and phishing are no longer distant threats; they have become part of our daily reality.

In its Threat Landscape 2025 report, ENISA found that 60 per cent of incidents originate from successful phishing. Successful phishing goes hand in hand with impersonation. It is therefore no surprise that the consequences of cyber incidents are often privacy infringements against individuals, defamation, IP infringements and reputational damage to companies. Apart from the harm suffered at a personal level, cyber incidents may also disrupt business continuity very seriously. Your company may be just one click away from being ransomed or hacked. Another concerning development is the rise in successful CEO and CFO fraud: cases where impersonation of C-suite executives tricks employees into paying fraudulent invoices or granting document access to unauthorized (malicious) third parties. Depending on your company's level of cyber hygiene, awareness and data governance, one successful attempt may encrypt all your data, disrupt all your systems and bring all your operations to a halt.

Experts agree that for businesses today an incident is no longer a hypothetical risk: the question has shifted from if to when.

The European Union has responded to these threats by introducing several new laws. While the GDPR has applied since 2018 and already imposed security requirements on companies processing personal data, the new laws aim to regulate the cybersecurity landscape further.

The NIS2 Directive (effective since October 2024) imposes cybersecurity obligations on companies operating in critical and important sectors (such as healthcare, energy, waste, food and manufacturing) and makes their management bodies liable for cybersecurity compliance. It also introduces strict incident reporting obligations (an early warning within 24 hours of becoming aware of a significant incident, followed by a fuller notification within 72 hours) which apply on top of similar requirements under existing laws, such as the personal data breach notification requirement under the GDPR. Similarly, DORA (effective since January 2025) regulates the financial sector to comparable effect.

Both NIS2 and DORA have a spill-over effect: their requirements cascade through supply chains, because regulated entities must manage the risks of their suppliers and outsourcing arrangements and must reflect those requirements in their contracts. Suppliers to regulated entities therefore face cybersecurity obligations at second hand. Compliance is no longer optional, as responsibility for cybersecurity governance is being pushed up to board level and down to suppliers. Notably, non-compliance with these laws may result in hefty fines, administrative enforcement measures and civil liability.

Apart from regulating companies, cybersecurity standards are also being introduced for connected products. The Cyber Resilience Act (partially effective since December 2024, with full effect in 2027) introduces cybersecurity requirements for all products with digital elements placed on the EU market, ranging from smart devices to software. Again, the requirements under the CRA may apply on top of existing product regulation, and non-compliance may be punished.

Despite criticism that such laws confront companies with even more regulation, complicate innovation and expose companies to increasing liabilities, they underline the fact that digital disruption is no longer hypothetical. It is now perceived as a serious risk that should be answered with proper risk-mitigating measures.

These developments are unsurprising. Physical and technical interference with networks and systems is attempted on a daily basis, threatening business continuity or worse. A single click can trigger ransomware, theft and abuse of data, and disrupt daily operations and daily life. Good governance requires more than prevention: it is about being prepared.

Does your company have an incident protocol? A multidisciplinary response team? Reliable, tested back-ups? Clear agreements with vendors who are ready to act? In case of an incident, can your company continue to operate without access to its systems? In other words, is your company prepared?

Best piece of advice: get the conversation started and keep it going. Cyber resilience is not about absolute prevention; it is about responsiveness. Assess your security. Strengthen your systems. Create protocols. Train your staff. Test your response. In today's digital age, dealing with cyber is no longer a question of if. It's when.

About the author(s)

Nina Orlić | Windt Le Grand Leeuwenburgh