- Chief Compliance Officer and VP of Legal Affairs, Arrow Electronics
By 
Neil Hodge2025-01-02T18:37:00
New rules on cyber risk management across the European Union put executives firmly in the crosshairs for noncompliance and are likely to apply to a wider range of organizations than many business leaders may initially think. However, there are also concerns that the rules may become muddled as different countries interpret them and enforce them in different ways.
The EU’s Network and Information Security Directive (NIS2) requires operators of critical infrastructure and essential services–including those in energy and water, transport, banking and financial market infrastructures, healthcare, and digital infrastructure–to implement appropriate cybersecurity measures and report any incidents to the relevant authorities. The directive is not just about organizations ensuring their own security and resilience are adequate–but also those of suppliers.
Experts believe the new rules will become the de facto standard for flagging cyber threats in much the same way as the EU’s General Data Protection Regulation (GDPR) are the benchmark for data privacy around the world.
THIS IS MEMBERS-ONLY CONTENT. To continue reading, choose one of the options below.
News and analysis for the well-informed compliance or audit exec. Select an option and click continue.
Annual Membership $499 Value offer
Full price one year membership with auto-renewal.
Membership $599
One-year only, no auto-renewal.
New rules that push IT firms providing “critical” services to the U.K.’s financial sector to share more data about cyberattacks and resiliency measures have been welcomed by industry experts. However, concerns remain over how suppliers will be classified and how key data might be gathered and shared.
The European Union’s Digital Operational Resilience Act, which is set to take effect next year, will require financial services firms to implement stronger measures to protect not only themselves from disruption caused by cyberattacks but also the sector as a whole.
The U.S. Department of Energy released supply chain cybersecurity principles meant to help strengthen key technologies used to manage and operate electricity, oil, and natural gas systems.
As Donald Trump begins his transition to become president, there are questions about the fate of tech companies, as well as regulators from multiple administrations. Google in particular is fighting a high-profile antitrust ruling after an investigation started by Trump in 2020 could be resolved in his next administration.
Breaches of the EU’s GDPR can cost companies substantial sums and huge reputational damage. Now some are warning that the implementation of the EU’s AI Act will be just as far-reaching, and could potentially lead to similar numbers of cases.
Any product that uses AI needs to be safety assessed for its entire lifespan under new rules that went into effect recently across the EU. Experts warned companies using AI to tailor products could be classed as “manufacturers” and face the same duty of care as developed.
