Insights/8 Apr 2026

Borenius’ Tech Blog: From IT to the Boardroom – The Importance of Cybersecurity Compliance

Have you ever asked yourself, “Do we really need this two-factor authentication everywhere?”

The good news is that the EU has already decided the matter for you. New legislation sets binding cybersecurity rules that reach beyond large companies and extend the management’s personal liability.

Cybersecurity should be considered a modern standard, not a corrective measure. Retrofitting cybersecurity into a product or organisation not originally designed with it in mind is significantly more costly and disruptive than integrating it from the outset. EU law requires cybersecurity measures to be appropriate and proportionate to the risks. NIS 2, i.e. the “Cybersecurity Directive”, translates this into concrete expectations such as access control policies, multi-factor authentication, and a clear incident handling process, all of which are part of the required risk management framework. Another piece of EU legislation, the Cyber Resilience Act (“CRA”), reinforces this by making security-by-design a binding legal obligation as of 11 December 2027 for all manufacturers of products with digital elements.

Security-by-design means that products with digital elements must be secure at the time they are placed on the market and throughout their expected lifecycle. To this end, the CRA sets obligations for manufacturers to conduct a cybersecurity risk assessment and to ensure that products are designed, developed and produced in line with its requirements. Products must be made available without known exploitable vulnerabilities and with secure default configurations. This will require a shift in how security is approached during the development process. In emerging companies, it must be considered from day one of product development.

Who needs to comply – and who else should pay attention

While the obligations under the CRA apply very broadly to all manufacturers of products with digital elements, the scope of NIS 2 is more limited. NIS 2 primarily applies to entities in sectors listed in the annexes to the directive (e.g. digital infrastructure and sectors critical to security of supply) that exceed the medium-sized enterprise threshold (50 or more employees and turnover or balance sheet exceeding EUR 10 million). Pursuant to the directive, in-scope organisations must have a documented cybersecurity risk management framework that ensures appropriate risk management measures are in place. Ultimately, the management of a company bears personal responsibility (and liability) for ensuring that those measures are complied with. The mandatory risk management measures include, among other things, obligations to ensure that all direct suppliers have adequate cybersecurity practices and cyber resilience.

Due to this obligation related to supply chains, the requirements of NIS 2 may, e.g. through agreements, also extend to companies that would not otherwise fall within the scope of the directive. Therefore, if a company wants to avoid putting itself at a competitive disadvantage with regard to customers covered by NIS 2, it must take cybersecurity seriously, even if legislation does not directly require it. In addition to the access control and incident handling processes already mentioned, raising employees’ cybersecurity awareness is one of the most important measures. Depending on the source, it is estimated that up to 95% of cyber incidents are caused by human error.

Cybersecurity as a competitive advantage

In conclusion, enterprise customers and investors increasingly incorporate security reviews as part of their due diligence. A demonstrated commitment to cybersecurity, reflected in your processes, documentation and certifications, actively opens doors. It signals maturity, builds trust and can be a genuine differentiator when competing for B2B contracts. If your product falls under the CRA, you cannot even place it on the market in the EU if the cyber resilience requirements have not already been taken into account in the design and development.

If you have any questions regarding this blog post, don't hesitate to contact our Tech team.


Author: Joonas Ylä-Rautio, Associate, Helsinki