The adoption of DORA (the Digital Operational Resilience Act) by the EU Council is only one of the cybersecurity compliance regulations to emerge or undergo a thorough update in 2022. Regulators' accelerated activity on cybersecurity matters is a direct answer to the rising frequency and escalating complexity of cyberattacks, to the threat they pose to the continued operation of critical services, and to their potential for major disruption of civilian life.
As 2022 comes to a close, it is a good time to review how the compliance landscape evolved this year and to prepare for the regulatory updates planned for 2023.
New and Updated Cybersecurity Compliance Regulations in 2022
The sector most heavily impacted by cybersecurity compliance updates this year was the financial sector, with the creation of DORA, a new EU-wide regulatory framework, and the revision of the PCI DSS and SWIFT CSCF requirements.
DORA Requirements (EU)
Adopted by the EU Council on November 28th, DORA is the latest regulatory framework. It harmonizes requirements for the financial sector and its critical ICT (Information and Communication Technology) third-party providers across all EU Member States.
Digital Operational Resilience Testing
- Elements of the ICT risk management framework should be tested periodically for preparedness.
- Any weaknesses, deficiencies, or gaps must be identified and promptly eliminated or mitigated through counteractive measures.
- Digital operational resilience testing requirements must be proportionate to the entity's size, business, and risk profile.
- Conduct Threat-Led Penetration Testing (TLPT), an intelligence-led red team exercise run against live production systems, at least every three years for entities identified as having a higher level of risk exposure.
ICT Risk Management
- Set up and maintain resilient ICT systems and tools that minimize the impact of ICT risk.
- All sources of ICT risk should be identified continuously so that protection and prevention measures can be put in place.
- Prompt detection of anomalous activity should be established.
- Dedicated and comprehensive business continuity policies and disaster recovery plans should be in place, ensuring prompt recovery after an ICT-related incident.
- Establish mechanisms to learn and evolve from external events and from the entity's own ICT incidents.
Additional ICT-related requirements include setting up and maintaining consistent incident reporting mechanisms and provisions for sharing cyber threat information and intelligence.
The UK, outside the EU since Brexit took effect, has indicated its intention to adopt similar rules by the end of 2023.
PCI DSS v4.0 (Worldwide)
PCI DSS v4.0 was published in March 2022. The current version, 3.2.1, remains valid until it is retired on March 31, 2024, and the v4.0 requirements designated as future-dated best practices become mandatory on March 31, 2025, leaving some time to implement the modifications required for compliance. Those numerous modifications aim at:
- Adapting security methods to the evolving threats
- Promoting security as a continuous process
- Enabling additional support to payment technology innovation
- Improving verification methods and procedures
Cymulate’s in-depth overview of PCI DSS v4.0 requirements is available for more information.
SWIFT CSCF v2022 (Worldwide)
Attestation against CSCF v2022 is required by the end of December 2022. The new version describes changes to controls, additional guidance, and many clarifications to existing controls and their implementation guidelines. It comprises 32 controls (23 mandatory and 9 advisory), one more mandatory control than v2021.
The main changes from v2021 to v2022 are:
- Promotion of Control 2.9 (Transaction Business Controls), formerly advisory Control 2.9A, to 'mandatory' after significant clarifications of its scope and implementation guidelines.
- New advisory Control 1.5A (Customer Environment Protection), to align the requirements of Architecture A4 with those of the other type 'A' architectures.
- Scope modifications to many controls:
  - Extension of the scope of all Architecture A4 controls to include the 'Customer Connector' as an in-scope component
  - Extension of the scope of existing Control 1.2 (Operating System Privileged Account Control) to include 'General Purpose Operator PCs' as 'advisory', to ensure basic security hygiene on employee computers
  - Extension of the scope of existing Control 6.2 (Software Integrity) for Architecture A4 to include 'customer connector' components as 'advisory'
In addition, there are numerous minor guidance clarifications or modifications.
NIS2 Directive (EU)
In Europe, November 2022 also saw the adoption of NIS2, which sets a more robust common level of cybersecurity across the EU and replaces the current Network and Information Systems Directive (NIS Directive). EU Member States have 21 months from the directive's entry into force to transpose its provisions into national law.
The main changes between the NIS Directive and NIS2 include:
- Scope expansion:
  - Sectors: in addition to the sectors covered by the NIS Directive (energy, transport, health, banking, and digital infrastructure, among others), NIS2 covers postal and courier services, manufacturing of medical devices, food production and distribution, public electronic communications networks and publicly available electronic communications services, and digital providers.
  - Size: a new size-cap rule brings into scope all medium-sized and large entities operating in the sectors or providing the services covered by the directive. The EU Council states that the wide-ranging scope of NIS2 is to be defined more granularly: “Its text includes additional provisions to ensure proportionality, a higher level of risk management, and clear-cut criticality criteria for allowing national authorities to determine further entities covered.”
- Minimum obligations: all entities within scope are required to:
  - Adopt policies covering:
    - Risk analysis and information system security
    - Incident handling
    - Business continuity and crisis management
    - Supply chain security
  - Adopt policies and procedures to periodically assess the effectiveness of their cybersecurity risk-management measures.
  - Report significant incidents: a newly defined obligation to submit an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident, followed by an incident notification within 72 hours and a final report within one month. NIS2 also formally establishes the European cyber crisis liaison organisation network (EU-CyCLONe), which supports the coordinated management of large-scale cybersecurity incidents and crises.
ISO/IEC 27001:2022 (Worldwide)
The other major change to the compliance landscape in 2022 is the updated edition of ISO/IEC 27001, the international standard for information security management systems, published in October 2022.
The controls in ISO/IEC 27001:2022 Annex A underwent a major overhaul: 57 controls were merged into 24, 23 were renamed, and 11 new ones were added. The resulting 93 controls (down from the previous 114) are reorganized into four themes:
- Organizational (37 controls) including three new controls:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- People (8 controls)
- Physical (14 controls) including one new control:
- Physical security monitoring
- Technological (34 controls) including seven new controls:
- Data leakage prevention
- Configuration management
- Information deletion
- Data masking
- Monitoring activities
- Web filtering
- Secure coding
Although three of the eleven new controls are filed under 'Organizational', nearly all of them are technological in nature, which clearly points to the increased weight of technological factors in security.
Up and Coming Cybersecurity Compliance Regulations in 2023
In the USA
Since GDPR became applicable in 2018, data privacy laws with cybersecurity elements have kept multiplying. After the California CCPA took effect in 2020, four other states passed similar data privacy legislation that takes effect in 2023:
- Virginia: Consumer Data Protection Act (VCDPA), January 1st, 2023
- Colorado: Privacy Act (CPA), July 1st, 2023
- Utah: Consumer Privacy Act (UCPA), December 31st, 2023
- Connecticut: Data Privacy Act (CTDPA), July 1st, 2023
The financial sector will also have to keep an eye on the upcoming amendment to 23 NYCRR 500 (the NYDFS Cybersecurity Regulation), whose proposed changes include:
- An extension of the penetration testing requirement to cover testing of the covered entity's information systems from both inside and outside their boundaries
- An extension of the definition of “risk assessment” to the “process of identifying cybersecurity risks to organizational operations, organizational assets, individuals, customers, consumers, other organizations, and critical infrastructure resulting from the operation of an information system.”
- New requirements to:
  - Develop and implement written policies and procedures for vulnerability management designed to assess the effectiveness of the covered entity's cybersecurity program, including continuous monitoring or periodic penetration testing, and vulnerability assessments.
  - Establish plans that contain proactive measures to investigate and mitigate disruptive events and ensure operational resilience, including incident response, business continuity, and disaster recovery plans.
  - Establish and implement policies and procedures designed to ensure the security of information accessible to, or held by, third-party service providers.
In Europe
In Europe, the most impactful upcoming regulatory newcomer is the proposed Cyber Resilience Act (CRA). The CRA will apply to all products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network, unless they fall under an exception.
Such products will have to undergo a conformity assessment: a self-assessment by the manufacturer by default, and assessment against harmonised standards or by a third party for products classified as critical.
Manufacturers aiming to sell their products in an EU country will have to design them in line with the CRA-defined “essential cybersecurity requirements.” To date, those include secure-by-default configurations, mechanisms to protect confidentiality and data integrity, and cybersecurity risk assessments throughout the product's lifecycle.
In addition, manufacturers will have to report actively exploited vulnerabilities to ENISA within 24 hours of becoming aware of them, and market surveillance authorities will be able to order the withdrawal or recall of non-compliant products.
Virtually all compliance and standards bodies are increasing assessment requirements and adding some level of continuous assessment or resilience validation. Named an innovation leader in the 2022 Frost Radar for Breach and Attack Simulation, Cymulate keeps ahead of regulators' evolving requirements with automated security assessment and validation that caters to organizations of every size and cybersecurity maturity level.