Preparing for the CRA, DORA, and other regulatory earthquakes

Recently, news about emerging cybersecurity regulation has become as routine as the weather report.

In the past year, the UK and EU governments have become increasingly aggressive about mandating specific investments in security posture and reporting, driven by the number, scale, and seriousness of security incidents and their impact on consumers. The adoption of AI is a regulation driver in itself, as covered here.

It’s important that organizations everywhere understand the potential impact of these new regulations on security investments across the supply chain – not just because of their potential GDPR-scale impact, but because failing to comply will lead to heavy fines, in some cases for entities outside the EU.


Overview of recent regulation

Presented in order of implementation date, the following regulations are expected to make significant impacts: 

Product Security and Telecoms Infrastructure (PSTI) Act—UK and beyond

Effective: April 29, 2024
Impact: High for manufacturers

The UK’s PSTI Act, which recently came into effect, was designed to increase the adoption of pre-existing standards for two related issues in the UK’s telecommunications industry: product security and infrastructure resilience. Importantly, the act assigns equal responsibility to importers and distributors for any “compliance failures” in a manufacturer’s products. Among other things, the PSTI Act requires manufacturers to self-attest that a public-facing, clear and transparent security vulnerability reporting mechanism is in place, that receipt of reports is acknowledged, and that status updates are provided free of charge. Penalties can reach £20,000 per day of noncompliance.


Network and Information Security 2 (NIS2) Directive—EU

Effective: October 17, 2024
Impact: High

An expansion of the original NIS1 Directive, NIS2 will strengthen and streamline security and reporting requirements by mandating a checklist of basic security capabilities, including incident handling, supply chain security, and vulnerability handling and disclosure. Effectively all medium and large-sized companies in critical infrastructure sectors (e.g., banking, transportation, cloud computing, tech, and telecommunications) will be required to assess their adoption of capabilities on the checklist and take appropriate actions. An additional twist is that NIS2 will require individual companies to assess cybersecurity risks across their supply chains, not just inside their own walls. Noncompliance will result in fines of at least €7,000,000 or 1.4% of the total revenue of the preceding fiscal year, whichever is higher—and the fines will be significantly more severe for companies categorized as “essential” providers.


Digital Operational Resilience Act (DORA)—EU

Effective: January 17, 2025
Impact: High for financial services organizations

DORA (for which Bugcrowd was an advisor) seeks to rationalize the patchwork of cybersecurity risk regulations governing the use of information and communication technology (ICT) by financial services entities across EU member countries. DORA was proposed in recognition of the shared risk created by the interconnectedness of companies, markets, and infrastructure in this industry. Notably, DORA will also apply to third-party ICT service providers (e.g., cloud computing platforms, data brokers, and data centers) in the financial services information supply chain and not just to the companies themselves. Among other things, regulated entities are expected to conduct continuous vulnerability assessments of their ICT systems and to document and classify “cyber threats and ICT vulnerabilities relevant to their ICT-supported business functions, information assets, and ICT assets.” Penalties may reach up to 1% of average daily revenue in the preceding fiscal year for each day of noncompliance.


Cyber Resilience Act (CRA)—EU and beyond

Effective: November 2025 for vulnerability handling and incident reporting
Impact: Very high

Perhaps the most ambitious of them all, the CRA (for which Bugcrowd was an advisor) seeks to ensure that “hardware and software products (have) fewer vulnerabilities, and manufacturers take security seriously throughout a product’s life cycle.” Specifically, the CRA will regulate all products that depend on remote data processing (which is nearly everything, these days). Under the CRA, manufacturers of “critical” products will be required to carry out security assessments across the product life cycle and implement various vulnerability handling procedures, including adopting a policy for coordinated vulnerability disclosure, creating a software bill of materials (SBOM), and remediating flaws without delay. Importantly, the CRA will apply to non-EU entities to the extent that they import, distribute, or sell in-scope products in the EU market. This means that the CRA could have an impact on product and organizational security on the same level as GDPR. Penalties for noncompliance may reach €15 million or 2.5% of annual revenue, whichever is higher.


What to do now?

These regulations may have a massive impact on how cybersecurity is executed. In line with CISA’s “Secure By Design” initiative in the US (Bugcrowd has taken the pledge!), these regulations reflect a tectonic shift in security responsibility from users to manufacturers and providers, including their supply chains. 

So what to do now, as a start?

  • Review which of your products and supply chain (or other) partners could fall within the scope of these regulations. Remember, the PSTI Act affects distributors, and the CRA will apply to US-based entities that distribute or sell products in the EU. 
  • Review your attack surface. Do you have a complete, up-to-date inventory of assets? Can you score each of them for risk exposure?
  • Review your current incident response plans and vulnerability management processes. For example, traditional vulnerability management practices alone are likely too passive to meet the new requirements, and the CRA specifically calls for the adoption of a coordinated vulnerability disclosure policy if you don’t already have one.
  • Review your testing approach. For example, is your current security testing done only at specific points in time (e.g., via traditional pen testing)? In most cases, these regulations call for continuous risk assessment and reduction, not just timeboxed testing.


How can Bugcrowd help?

Bugcrowd can help you achieve compliance with these regulations in numerous ways, and with all the benefits of doing so on a flexible, multi-purpose platform for scale. Consider the following advantages Bugcrowd offers:

  • Transparent vulnerability handling and disclosure: The Bugcrowd Platform provides an engineered, fully managed way to transparently intake, responsibly disclose, and help rapidly remediate vulnerabilities reported by consumers and security researchers (Bugcrowd VDPs). Several plans are available to address your specific needs, including a free-to-use offering, VDP Compliance, to help meet requirements in a rudimentary way. 
  • Continuous risk assessment and reduction: Although regular penetration tests are required by DORA and other regulations (and Bugcrowd can fulfill them at scale via PTaaS), organizations will need to go beyond them to meet the requirements for continuous risk assessment and management. The Bugcrowd Platform provides several solutions to help you achieve that goal, including asset discovery and risk profiling (Bugcrowd ASM), continuous hacker-powered vulnerability discovery (Bugcrowd Managed Bug Bounty), and Bugcrowd VDPs. In all cases, our platform’s built-in engineered triage service rapidly validates and prioritizes vulnerability reports from all sources, provides remediation advice, and flows findings directly into existing DevSec processes.
  • Compliance and risk reporting: For all these types of engagements, rich reporting and analytics are required to generate on-demand reports, attestations, and executive summaries needed to document activity and progress when auditors need them. Furthermore, with Bugcrowd, reports can be run across multiple solutions so that vulnerability intelligence can be produced at an organizational level.

Wherever you are in your compliance journey, we’re here to help, whether you’re taking your first step or going beyond. Bugcrowd is sure to elevate your cybersecurity posture every step of the way.