Vive la France and Cyberscore Law is rallying cry for Europe

France is leading the way in ensuring cyber risk ratings are respected, and EU should follow to improve cyber reliance and support its digital ambitions

The EU should look to France and consider mandating a cyber risk rating system similar to the French model across all member states, a cybersecurity leader has suggested to the union of European nations via the World Economic Forum.

Dan Morgan, Senior Government Affairs Director for Europe & APAC, SecurityScorecard, says a Europe-wide take on the French model would create a level playing field for organisations across the EU and ensure cybersecurity is taken seriously by everyone.

“This may come in different forms across the various cyber-focused regulatory requirements and may not always be in law, it could come through guidance, regulatory interpretation or, indeed, certification,” says Morgan. “DORA [Digital Operational Resilience Act] regulators are developing common draft regulatory technical standards for ICT risk management tools that could include cyber risk ratings.”

French policymakers have taken the lead globally in mandating cyber risk ratings to enhance cybersecurity posture in the country. The Cyberscore Law, which comes into force on October 1, 2023, mandates cyber scores on the 500 largest merchants' websites operating in France, with plans to extend this to 10,000 strategic companies such as the electric power grid and healthcare. 

The groundbreaking act, which creates an obligation for cybersecurity certification for digital platforms intended for the public, is designed to proactively manage how cyber risk is understood and promote greater digital resilience throughout the supply chain.

Policymakers across the globe are looking at how regulation can strengthen an economy's cyber posture, says Morgan. For instance, DORA, recently adopted by the European Parliament, makes financial groups accountable for the security of tech vendors they use. The Network and Information Security Directive (NIS2) provides legal measures to boost the overall level of cybersecurity in the EU.

Cyber risk ratings provide objective measure

Many leading organisations have also turned to cyber risk ratings to help them understand and mitigate their cyber risk exposure and better comply with regulations, says Morgan. Cyber risk ratings objectively measure an organisation's cybersecurity posture based on various factors, including network security, data protection, and incident response capabilities. These ratings help organisations identify areas of weakness in their supply chains and cybersecurity defences and prioritise remediation efforts.

“This law should serve as a call to action for policymakers across the EU and globally to consider similar measures to improve cybersecurity and digital resilience,” says Morgan.

Lenders, such as banks and credit card companies, use credit scores to evaluate the potential risk of lending money to consumers and mitigate losses due to bad debt, says Morgan. Similarly, cyber risk ratings can provide regulators and the market with an objective measure of an organisation's cybersecurity posture, helping to inform regulatory decisions, reduce the risk of cyber incidents and effectively comply with regulations, such as DORA in the EU.

“This is not a one size fits all, but moving towards ensuring cyber risk ratings are a must-have, not a nice to have, will improve cyber reliance and support the EU’s digital ambitions,” says Morgan.


Featured Articles

Gartner unveils top cybersecurity predictions for 2023-2024

Half of CISOs will formally adopt human-centric design practices into their cybersecurity programmes, while adoption of zero trust architecture will rise

DDoS protection market to grow amid increase in attacks

According to research by Cloudflare, DDoS attacks increased by 109% last year, with the last 12 months seeing some of the largest attacks the world

The impact data poisoning has on cyber and AI

We take a look at why the risks of data and AI poisoning is continuing to wreak havoc on the cybersecurity industry

Five innovative ways AI can help prevent cyber attacks

Cyber Security

SailPoint delivers new non-employee risk management solution

Cyber Security

Akamai shares details of Asia’s record-breaking DDoS attack

Network Security