Vive la France: Cyberscore Law is a rallying cry for Europe

France is leading the way in ensuring cyber risk ratings are respected, and the EU should follow to improve cyber resilience and support its digital ambitions

The EU should look to France and consider mandating a cyber risk rating system similar to the French model across all member states, a cybersecurity leader has suggested to the bloc in a piece published via the World Economic Forum.

Dan Morgan, Senior Government Affairs Director for Europe & APAC, SecurityScorecard, says a Europe-wide take on the French model would create a level playing field for organisations across the EU and ensure cybersecurity is taken seriously by everyone.

“This may come in different forms across the various cyber-focused regulatory requirements and may not always be in law, it could come through guidance, regulatory interpretation or, indeed, certification,” says Morgan. “DORA [Digital Operational Resilience Act] regulators are developing common draft regulatory technical standards for ICT risk management tools that could include cyber risk ratings.”

French policymakers have taken the lead globally in mandating cyber risk ratings to enhance cybersecurity posture in the country. The Cyberscore Law, which comes into force on October 1, 2023, mandates cyber scores on the 500 largest merchants' websites operating in France, with plans to extend this to 10,000 strategic companies such as the electric power grid and healthcare. 

The groundbreaking act, which creates an obligation for cybersecurity certification for digital platforms intended for the public, is designed to proactively manage how cyber risk is understood and promote greater digital resilience throughout the supply chain.

Policymakers across the globe are looking at how regulation can strengthen an economy's cyber posture, says Morgan. For instance, DORA, recently adopted by the European Parliament, makes financial groups accountable for the security of tech vendors they use. The Network and Information Security Directive (NIS2) provides legal measures to boost the overall level of cybersecurity in the EU.

Cyber risk ratings provide objective measure

Many leading organisations have also turned to cyber risk ratings to help them understand and mitigate their cyber risk exposure and better comply with regulations, says Morgan. Cyber risk ratings objectively measure an organisation's cybersecurity posture based on various factors, including network security, data protection, and incident response capabilities. These ratings help organisations identify areas of weakness in their supply chains and cybersecurity defences and prioritise remediation efforts.

“This law should serve as a call to action for policymakers across the EU and globally to consider similar measures to improve cybersecurity and digital resilience,” says Morgan.

Lenders, such as banks and credit card companies, use credit scores to evaluate the potential risk of lending money to consumers and mitigate losses due to bad debt, says Morgan. Similarly, cyber risk ratings can provide regulators and the market with an objective measure of an organisation's cybersecurity posture, helping to inform regulatory decisions, reduce the risk of cyber incidents and effectively comply with regulations, such as DORA in the EU.

“This is not a one size fits all, but moving towards ensuring cyber risk ratings are a must-have, not a nice to have, will improve cyber reliance and support the EU’s digital ambitions,” says Morgan.
