Vive la France and Cyberscore Law is rallying cry for Europe

The EU should look to France and consider mandating a cyber risk rating system similar to the French model across all member states, a cybersecurity leader has suggested to the union of European nations via the World Economic Forum.

Dan Morgan, Senior Government Affairs Director for Europe & APAC, SecurityScorecard, says a Europe-wide take on the French model would create a level playing field for organisations across the EU and ensure cybersecurity is taken seriously by everyone.

“This may come in different forms across the various cyber-focused regulatory requirements and may not always be in law, it could come through guidance, regulatory interpretation or, indeed, certification,” says Morgan. “DORA [Digital Operational Resilience Act] regulators are developing common draft regulatory technical standards for ICT risk management tools that could include cyber risk ratings.”

French policymakers have taken the lead globally in mandating cyber risk ratings to enhance cybersecurity posture in the country. The Cyberscore Law, which comes into force on October 1, 2023, mandates cyber scores on the 500 largest merchants' websites operating in France, with plans to extend this to 10,000 strategic companies such as the electric power grid and healthcare. 

The groundbreaking act, which creates an obligation for cybersecurity certification for digital platforms intended for the public, is designed to proactively manage how cyber risk is understood and promote greater digital resilience throughout the supply chain.

Policymakers across the globe are looking at how regulation can strengthen an economy's cyber posture, says Morgan. For instance, DORA, recently adopted by the European Parliament, makes financial groups accountable for the security of tech vendors they use. The Network and Information Security Directive (NIS2) provides legal measures to boost the overall level of cybersecurity in the EU.

Cyber risk ratings provide objective measure

Many leading organisations have also turned to cyber risk ratings to help them understand and mitigate their cyber risk exposure and better comply with regulations, says Morgan. Cyber risk ratings objectively measure an organisation's cybersecurity posture based on various factors, including network security, data protection, and incident response capabilities. These ratings help organisations identify areas of weakness in their supply chains and cybersecurity defences and prioritise remediation efforts.

“This law should serve as a call to action for policymakers across the EU and globally to consider similar measures to improve cybersecurity and digital resilience,” says Morgan.

Lenders, such as banks and credit card companies, use credit scores to evaluate the potential risk of lending money to consumers and mitigate losses due to bad debt, says Morgan. Similarly, cyber risk ratings can provide regulators and the market with an objective measure of an organisation's cybersecurity posture, helping to inform regulatory decisions, reduce the risk of cyber incidents and effectively comply with regulations, such as DORA in the EU.

“This is not a one size fits all, but moving towards ensuring cyber risk ratings are a must-have, not a nice to have, will improve cyber reliance and support the EU’s digital ambitions,” says Morgan.