Regulations are constantly evolving, becoming more punitive with larger fines and penalties. Businesses must stay responsive to the changes around us and part of this means taking into consideration how upcoming legislation will affect your organization and how you should prepare. This includes understanding what policies and processes must be implemented to remain compliant. But it is not just about ticking a compliance box, it is also about ensuring you have safeguards in place to protect the business and that your organization remains competitive. As new regulations come into force, you are likely to find that many of your partner organizations will require proof of compliance before doing business with you.
In particular, the regulations that will impact cyber and application security teams in 2024 are the EU Cyber Resilience Act (CRA), the Digital Operational Resilience Act (DORA), and the Network and Information Security Directive (NIS2).
Like any new legislation, understanding the precise language used can be daunting. Here I examine what NIS2, the most imminent new regulation, means for application security teams.
NIS2 Explained
The NIS2 Directive is an updated EU cybersecurity law that builds on the original NIS Directive (NISD). The goals of NIS2 are to boost cybersecurity, simplify reporting, and create consistent rules and penalties across the EU. By expanding its scope, NIS2 requires more businesses and sectors to take cybersecurity measures, with the goal of raising the standard of Europe’s cybersecurity performance in the long run. With stricter rules to overcome previous limitations, NIS2 impacts a wider range of industries. Entities under NIS2 are classified as essential or important, and the directive outlines security requirements as well as a process for incident reporting. It is estimated that 160K+ companies will be affected by NIS2, with a €10 million maximum fine for non-compliance.
There were several factors that necessitated the replacement of the previous NISD. These factors primarily revolved around the consensus that the legislation needed to be more stringent, and that its implementation required a greater level of uniformity across the EU. This was based on evidence in a 2020 study by ENISA which found that EU organizations allocated 41% fewer resources to information security than their US counterparts, despite NISD being in place for four years. The report also highlighted that there was unclear guidance around how to apply the Directive. Layer onto this a significant rise in cyberattacks, with organizations across Europe increasingly affected by ransomware and other types of cyberattacks. Additionally, there was a perceived lack of transparency in the reporting of cyberattacks.
Reporting Obligations and Risk Management
To this point, the NIS2 Directive mandates the reporting of “significant incidents” within 24 hours and less significant incidents within 72 hours. Effectively, if you are hacked and the impact will affect your customers and partners, disrupting the products or services you deliver, you must tell the relevant authorities through prescribed channels. If you fail to do this correctly, your organization and its directors can be publicly named as being non-compliant, and fines or other sanctions may be issued.
The directive requires organizations to take a risk management approach to cybersecurity. Organizations must identify and reduce risk as far as possible, then implement robust procedures to manage incidents. AppSec plays a critical role in risk reduction by providing visibility over vulnerabilities so they can be remediated before they are exploited. An effective AppSec program will contribute significantly to minimizing the number of incidents that have to be reported. In contrast, if you are regularly reporting incidents, you can expect to find your AppSec program under investigation by the authorities.
Therefore, AppSec managers must take appropriate technical, operational, and organizational measures to manage the risks posed to the security of their systems, and to prevent or minimize the impact of incidents on recipients of their services. Additionally, AppSec managers are responsible for making sure their developers are properly trained and that the quality of software development is being maintained. AppSec managers must be able to prove to authorities that they have robust processes for software development and that they deploy secure applications into production.
Every company is part of someone’s supply chain
Today the regulatory environment is increasingly focused on supply chains, with Biden’s Executive Order 14028 introduced in 2021 now joined by NIS2. Even organizations that aren’t directly in the scope of these regulations will find they are affected if they want to sell to companies that are. Every company is part of someone’s supply chain.
In part, that’s because open source software (OSS) has become integral to software development. Its use is widespread, making up on average 80% of a typical code base. However, open source packages bring inherent risks such as vulnerabilities and license non-compliance. So, having clear visibility over your open source libraries as well as knowing how your suppliers are protected will be paramount. A sobering thought: the US Securities and Exchange Commission (SEC) recently charged SolarWinds and its CISO with fraudulent internal controls for failing to disclose known material cybersecurity risks and vulnerabilities. While these were risks that were known but not disclosed, organizations are also liable for risks that they fail to identify due to monitoring and due diligence failures.
NIS2 addresses supply chains in Article 22 and AppSec managers will need to pay close attention to this. Here at Checkmarx our Checkmarx One platform enables AppSec teams to better manage open source and software supply chain risk. It integrates a comprehensive suite of AppSec solutions including SAST, SCA, SCS, API Security, DAST, Container and IaC Security. We believe it’s not just about complying with this new Directive and finding risk but remediating it across the entire application footprint and software supply chain with one seamless process that simplifies compliance for everyone.
So, what steps should AppSec managers take to get ready for NIS2 compliance? If you want to learn more, register for our NIS2 webinar here.
For AppSec managers and CISOs it’s important to take reasonable action so that they and their board of directors can sleep well at night without having to worry about cyber incidents. Incidents will continue to happen – we all know that, and it’s part of the reason why regulations like NIS2 exist. The focus should be on doing what you can to prevent them, and on preparing your environment so you can follow the rules if an incident does happen.
Carsten has specialized in application security for over 12 years. He joined Checkmarx in 2016, initially as the first Technical Account Manager (TAM) supporting Checkmarx’s strategic and large accounts. With growing demand, Carsten built and managed the TAM team in EMEA over the following years. In 2019, Carsten started building the AppSec advisory practice at Checkmarx, initially in parallel to his responsibility as TAM team leader. He is now fully focused on AppSec advisory and manages the practice globally as the head of AppSec Advisory. Prior to joining Checkmarx, Carsten was the EMEA practice principal for professional services at HP/Fortify and, before that, worked for several years as a software security consultant implementing AppSec solutions in EMEA and beyond. In the AppSec community, Carsten has co-authored the OWASP SAMM/OpenSAMM standard and presented at various application security conferences. Carsten is certified as CSSLP, CISSP (ISC2) and CISM (ISACA) and holds a doctorate in computer science and business administration from the University of Paderborn, Germany. Before moving to the private sector in 2006, Carsten held the position of senior research officer at the University of Essex, UK.