The role of boards of directors in cybersecurity has never been more critical. With the advancement of cyber threats and the introduction of stricter regulatory requirements such as the NIS2 Directive and the Cyber Resilience Act (CRA), boards must take a more active and strategic approach. While they do not manage operational aspects, their oversight, strategic direction, and prioritization are essential to ensure the resilience of organizations. Every new technology comes with new vulnerabilities. The NIS2 Directive, i.e. the Cybersecurity Act with the accompanying Cybersecurity Regulation in force from November 30, 2024, and the CRA set additional requirements, including risk assessment, documentation of security practices, and compliance with new resilience standards. Companies and responsible persons now have a regulatory responsibility to ensure that adequate protection and business continuity measures are applied.
What do NIS2 and CRA bring?
The NIS2 Directive expands the scope of sectors and entities subject to regulation, from energy and health to digital services. It also highlights the Board's obligations to manage risk, develop incident response plans, and ensure a security culture.
The Cyber Resilience Act focuses on the security of products with digital components, requiring manufacturers to ensure robust security features throughout the product lifecycle. This imposes new responsibilities on boards of directors in sectors that use or produce digital products.
Unfortunately, according to some recent research, only 68% of boards consider cybersecurity issues, while 23% do not have clearly defined plans or strategies. Given the new obligations brought by NIS2, such inadequate involvement can lead to regulatory penalties and reputational losses. In a situation where the frequency of attacks this year is at the level of one every 11 seconds, with a tendency for this interval to decrease to every two seconds by 2030, and where almost 10 TB of data is leaked from companies in the EU monthly (10 TB of data is equivalent to approximately 50 million Word documents)
There are five key steps for companies and responsible persons:
Cybersecurity goes beyond data protection. Digitalization extends the scope of threats to operations, supply chains, and industrial systems. NIS2, more precisely the Act, requires an assessment of these risks at the strategic level and the development of integrated security plans, which goes beyond the scope of IT responsibility and is directly under the obligation of the management structure.
Companies and responsible persons should ensure compliance with, for example, the NIST Cybersecurity Framework or similar frameworks, as emphasized in the NIS2 Directive, i.e. the Act and the accompanying Cybersecurity Regulation. The CRA additionally requires processes that cover the security of products during their use, which demands the attention of responsible persons to the security processes in product development.
Focus on Risk, Reputation, and Business Continuity
While security professionals manage technical risks, management structures must ensure that business risks, such as reputational and business continuity impacts, are properly assessed and mitigated. NIS2 requires the integration of these elements into strategic plans and their continuous review and revision.
In-Depth Defense as a Standard of Resilience
Multi-layered security approaches, from technologies and policies to security culture, are essential for CRA compliance and threat resilience. Active practice of plans under NIST or similar frameworks is part of these requirements.
Cybersecurity as an Organizational Priority
Cybersecurity is an organizational, not just a technical, challenge. The NIS2 Directive emphasizes strengthening the security culture within the organization, while the CRA ensures that responsibility for security extends to all levels, including management.
NIS2 and CRA are not just obligations; they are an opportunity for those responsible to reshape their approaches and make their organizations more resilient. Actively participating in the development of strategies, asking smart questions, and ensuring compliance with the regulatory framework is essential not only to avoid penalties but also to strengthen shareholder and market confidence.
Organizations that invest in compliance and resilience today will be leaders in the security-conscious business environment of tomorrow.