“30% of CISOs of CAC 40 companies are already convinced of the risks posed by foreign solution providers”, according to the Institut Choiseul*.
Security breaches caused by non-European cybersecurity solutions are becoming a reality for many companies. Europe is stepping up its response to this threat. One new European regulation follows another, making European sovereignty in cybersecurity a priority. The aim is clear: to strengthen European resilience, particularly of critical infrastructures, and protect the data of European citizens.
At first glance, European sovereignty aspirations may seem far away from your company’s day-to-day concerns. However, they impact you on a daily basis, and mitigating the risks associated with foreign cybersecurity solutions is already a real challenge for your company.
*Cybersecurity, a prerequisite for economic sovereignty, June 2022
GDPR, NIS2… How companies are faced with European compliance requirements
Meeting legal obligations and ensuring that all compliance requirements are met has become a major challenge for every company and organization. To strengthen European sovereignty in cybersecurity matters, the European Union is introducing numerous new regulations: NIS2, DORA, the Cyber Solidarity Act, the Cyber Resilience Act… The General Data Protection Regulation (GDPR) remains the text that currently impacts your business the most. But the arrival of the NIS2 directive at national level (by September 2024 at the latest) will bring new and even heavier obligations. There is, however, a way to alleviate the compliance constraints weighing on companies.
The European Union’s General Data Protection Regulation (GDPR) applies directly to cybersecurity. All companies that process the personal data of EU citizens are subject to it. It specifically requires companies to protect personal data against possible data breaches and cyberattacks by adopting appropriate security measures. If a business doesn’t comply with the requirements of the GDPR, financial penalties of up to 4% of the company’s worldwide annual sales or 20 million euros are provided for.
In addition, the cyber world and companies based in Europe must prepare to comply with the NIS2 directive. To be transposed into each national legislation by September 2024, NIS2 aims to guarantee the security of networks and information systems. Stricter than its predecessor, the 2016 NIS Directive, it applies to a wider range of sectors and businesses. Complying with it has become a matter of urgency for most companies. NIS2 imposes high security requirements, notably calling for the creation of a list of risk management measures and introducing an obligation for companies to report significant incidents within 24 hours.
With NIS2, companies will be forced to take their cybersecurity to the next level to meet compliance requirements. But there are ways to avoid being overwhelmed by European standards. Most European cybersecurity solutions allow you to comply with ISO/IEC 27001, GDPR and NIS2 requirements, which isn’t always the case for cybersecurity solutions from outside Europe. And the most advanced solutions are already NIS2-compliant.
Data protection: the real challenge for your company
GDPR compliance and the protection of user data can be seen as just one more obligation for your company. Yet the issue of data protection goes further. Data collection without prior consent also directly affects companies, and it is an issue that often goes unnoticed.
Data sovereignty is closely linked to the issue of European cybersecurity sovereignty. Its aim is to ensure that your data and its use are not subject to a foreign law. When it comes to your data, different laws apply depending on your location, where your data is stored and where it is transferred. The laws of several countries may therefore apply to your data at the same time. And unfortunately, not all legislation is in favor of data protection…
The best-known extraterritorial cybersecurity law is the controversial Cloud Act (Clarifying Lawful Overseas Use of Data Act), passed in 2018. Under the Cloud Act, US authorities can access data stored abroad by US companies, without authorization from the country where the data is stored. Thanks to the Cloud Act, US authorities have legal access to all data harvested by US companies, as long as that data is stored in a US company’s cloud. As a result, even if your company is located in Europe, where your data is legally protected, an American cybersecurity solution can give the American authorities access to your data if that data is stored in its cloud.
Industrial espionage via foreign security solutions is becoming a real risk for businesses. This risk also applies if your solution has chosen a US hosting provider: the most common hosts, such as AWS or Azure, are therefore concerned. This is where European sovereignty will also directly protect your company. Choosing cybersecurity solutions that are subject to legislation that is not in your favor puts your company at risk. Thanks to European sovereignty and European cybersecurity solutions hosted outside the US, your data stays in Europe and your business is protected.