Cyber Resilience Act: A step towards safe and secure digital products in Europe


Increasing connectivity and wider technology adoption, including cloud and AI, are creating numerous benefits for society but also come with new risks. Cyberthreats are affecting an increasingly large number of businesses, public administrations and governments in Europe. One in eight European businesses have been affected by cyberattacks. Two in five European internet users have experienced security-related problems. Last year, the EU cybersecurity agency ENISA reported 10 terabytes of stolen data each month by ransomware threat actors. Public sector attacks are on the rise and accounted for 24% of reported attacks, partly because of their greater reliance on outdated legacy systems.

This shows why making digital products and services safer and more secure for consumers and businesses is vital. It is something the proposed EU Cyber Resilience Act (CRA) is seeking to address, and which Microsoft, as a first-in-class security company, fully supports. The CRA requires network-connected hardware, software and services to meet essential cybersecurity requirements before they can be sold on the European market, and it places obligations on manufacturers to maintain their security throughout the product lifecycle.

It is ambitious albeit important legislation that fully aligns with Microsoft’s approach of reducing cybersecurity risk for our customers and the broader digital ecosystem and developing and promoting the adoption of robust cybersecurity standards and technologies.

Its successful application will require a gradual and well-defined approach that takes into account the realities of constantly evolving security threats and the interconnectedness of global ICT supply chains and systems.

We have offered a number of detailed recommendations in our formal response to the European Commission’s CRA proposal that would help provide more clarity and predictability for stakeholders, ensure readiness and capacity to implement the regulation while aligning with existing international security standards and best practices to avoid fragmentation and weakening security for users globally.

Cybersecurity threats are global and continually evolving. They are targeting complex, interdependent systems that are hard to secure as threats can come from many places. A product that had strong security yesterday can have weak security tomorrow as new vulnerabilities and attack tactics are discovered. Even with a manufacturer appropriately mitigating risks, a product can still be compromised through supply chain attacks, the underlying digital infrastructure, an employee or many other ways. Microsoft alone analyzes 43 trillion security signals daily to better understand and protect against cyberthreats. Staying one step ahead requires speed and agility.

Moreover, addressing digital threats requires a skilled cybersecurity workforce that helps organizations prepare and helps authorities ensure adequate enforcement. However, in Europe and across the world there is a shortage of skilled staff. Over 70% of businesses cannot find staff with the required digital skills. Recent LinkedIn data has shown that demand for cybersecurity skills in Europe has grown by an average of 22%, but the gap is getting wider year on year. Worldwide, there is a lack of 3.4 million cybersecurity workers, and the EMEA region has a shortage of 317,050 skilled cybersecurity professionals – an increase of almost 60% compared to last year. We all need to contribute to bridge the cyber-skills gap and Microsoft and others have launched initiatives to do so.

With all of this in mind, here are some key suggestions in response to the CRA proposal:

  • Progress in phases based on stakeholder readiness with initial enforcement based on self-assessments: A clear roadmap is needed that creates predictability for stakeholders on how to fulfil their obligations, allowing sufficient lead time to incorporate requirements into the design and development of products. For example: when will planning information become available, what steps are needed to comply, and how much time will there be to complete them? For the moment, scope and compliance details depend on yet-to-be-developed cybersecurity standards, certification schemes, conformity assessment criteria or delegated acts, which effectively prevents manufacturers from starting to plan at this stage. A phased approach would create a predictable and iterative process, allowing policymakers to monitor the market impact and improve the framework in each new phase.
  • Leverage existing international cybersecurity standards that are the result of broad stakeholder consensus, reflect the best practices of the industry and are constantly updated to keep pace with the ever-evolving threat landscape: Maintaining a harmonized approach to cybersecurity regulation helps improve security for all by reducing the risk of cyberattacks and ensuring that all stakeholders are held to the same high standards. It also facilitates trade and cooperation among countries, reducing the potential for a fragmented and ineffective approach to cybersecurity. Since many organizations already comply with one or more of these standards, their use would facilitate both standards development and compliance.
  • Prioritize cybersecurity workforce development: Europe’s cyber-skilling efforts have not been keeping pace with the growing demand for cybersecurity professionals in both the public and the private sector. This not only jeopardizes industry compliance efforts but also adequate enforcement of the proposed cybersecurity regulation. A detailed implementation roadmap should account for these challenges, include efforts to increase readiness and ensure that ENISA, conformity assessment bodies and market surveillance authorities have the ability to fulfil their responsibilities.

We are grateful for the opportunity to provide these recommendations and look forward to the continuing dialogue.


Florian Pennings
Director European Cybersecurity Policy, Microsoft