As cyberattacks become more sophisticated, cybersecurity remains a top concern for regulators, consumers, business partners, and investors. Weak security can cause substantial harm to a company and lead to litigation, reputational damage, and hefty fines. Against that background, the EU is introducing stricter regulations that require robust cyber resilience, mandate board oversight on cybersecurity strategy, and hold board members personally liable for weak security practices.
As many of these regulations will take effect in the coming months, companies should consider conducting compliance audits and providing comprehensive training to staff and management regarding their new responsibilities.
Below we outline the key reasons why cybersecurity should be a top priority in boardroom discussions and company forecasts for 2025:
- Upcoming Sector-Specific Legislation for Businesses Operating in the EU
- Critical Services and Infrastructure. The NIS2 Directive is designed to strengthen cybersecurity across critical sectors, including health, ICT services, online marketplaces, search engines, social media, and manufacturing. NIS2 expands the scope of its predecessor by including more sectors and introducing higher security standards. Among other obligations, organizations must tailor their security measures to today’s threat landscape, conduct risk assessments both internally and on service providers, and ensure a swifter incident response. The directive also requires senior management to sign off on cybersecurity strategy and holds them accountable for compliance. Since NIS2 must be transposed into national law by the Member States, businesses may also face divergent obligations across countries.
These new obligations will take full effect on October 17, 2024.
- Financial Services. The Digital Operational Resilience Act (DORA) creates a comprehensive ICT risk management framework for financial institutions such as banks, insurers, trading platforms, and their critical ICT service providers. DORA imposes heavy obligations regarding risk assessments, technical standards, mandatory penetration testing, staff training, and incident notification within 24 hours. It also mandates detailed due diligence on third-party ICT service providers and requires the inclusion of specific provisions in any ICT service agreements. Additionally, DORA requires financial entities to review their cybersecurity practices, and their ICT service providers should consider developing their own DORA terms for use with customers. DORA is supplemented by implementing technical standards, such as the recently issued incident reporting requirements.
These new obligations will take full effect on January 17, 2025.
- Hardware and Software Manufacturers. The proposed Cyber Resilience Act (CRA) aims to enhance the cybersecurity of "products with digital elements" in the EU, including toys, smart devices, and games. Once adopted, the CRA will require manufacturers to ensure cybersecurity throughout a product's lifecycle. Products will also need CE marking to demonstrate compliance, and manufacturers will need to provide security updates after purchase. The CRA will significantly affect connected device manufacturers, importers, and distributors operating in the EU.
It is expected to be adopted in the coming months, after which its obligations will become applicable in phases.
- Cybersecurity Becomes a Boardroom Responsibility. NIS2 and DORA make cybersecurity a core boardroom responsibility. Management will need to be involved in designing and implementing the company’s cybersecurity strategy. Management can be held accountable for non-compliance, including facing penalties such as a temporary suspension from holding management positions in the most severe cases.
- Data Security Remains High on EU Privacy Authorities’ Enforcement Agenda. Recent sanctions by the Italian, French, and Irish data protection authorities underscore the importance of data security and proper breach management. The Italian authority fined an energy company €79.1 million for GDPR violations, including for failing to properly assess the risks associated with its CRM interface and secure access credentials. The French authority, in turn, fined an online marketplace €32 million for GDPR violations, including weak password and access controls for video surveillance systems. Lastly, the Irish authority issued a €91 million fine for lax user password security. These cases serve as a reminder that data security remains high on EU data protection authorities’ agenda, and data breaches can lead to costly regulatory investigations and reputational damage.
- Security Obligations for High-Risk AI under the AI Act. The AI Act entered into force on August 1, 2024. Among other features, it introduces strict compliance and security obligations for high-risk AI systems before they can enter the EU market. In particular, developers must conduct comprehensive risk assessments and ensure robust security measures for high-risk AI. While there is no clear guidance yet, such measures will likely cover the detection and prevention of data breaches (e.g., against model inversion attacks, membership inference attacks) and algorithm tampering or hacking.
More information about the AI Act and its key obligations can be found here.
- Investor Questions on Cyber Resilience Posture. Cybersecurity is increasingly under investor scrutiny as regulations tighten and the sophistication of cyber threats increases (e.g., ransomware attacks and AI-generated deep fakes). Common questions include those regarding a company’s history of cybersecurity incidents, details about data security management systems, leadership responsibilities in cybersecurity, and the implementation of security procedures.
More information about related developments, such as the SEC Cybersecurity Disclosure Rules for Public Companies, can be found here.
Sonia Mjati and Hattie Watson contributed to the preparation of this Wilson Sonsini Alert.
