As surges in cyber-related attacks and rapid digital transformation have accelerated, global regulatory forces are standing up legislative requirements to push compliance and proactive attack defense across industries. As the month of May concludes, we’ve noticed four key updates across US and EU regulatory bodies: 

• NIST Supply Chain Risk Management Cybersecurity Guidance Updates (US) 
• Provisional EU NIS2 Agreement (EU)
• DORA Provisional Agreement (EU) 
• Better Cybercrime Metrics Act (US)

The four regulations span across general cybersecurity guidance, supply chain, and the financial services industries – increasingly targeted sectors that influence internal and external business processes around the globe. Let’s dive into each regulation: 

Check out OneTrust DataGuidance to stay up to date with regulatory updates from around the globe.

NIST supply chain risk management cybersecurity guidance updates

Implementing and understanding the benefits of a preemptive attack defense as concerns of cyberwarfare arise throughout key global regions is imperative in maintaining a strong defense strategy. To provide guidance to businesses as their tech stacks grow, NIST has released a revised publication of its Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. 

The revised publication focuses on helping businesses understand ways to identify, assess and respond to cybersecurity risks throughout the supply chain across their organization. NIST also states that its revision is part of its response to Executive Order 14028: Improving the Nation’s Cybersecurity. If considered, the revision will enable organizations to proactively address supply chain risk considerations from acquisition through the entirety of the risk monitoring process with ease. 

NIST states that the update includes: 

• “User profile” groups to help users navigate to the most relevant sections of the guidance (section 1.4) 
• New controls (Appendix A) 
• Specifics on integration with other NIST publications and tailored guidance for C-SCRM (section 1.6, 1.7)

Read the original update on NIST’s site for more information on protecting your business as it takes on new technology.

Provisional EU NIS2 agreement

In December 2021, the Council of the European Union (EU) announced that it had agreed on its general approach to the text of the NIS2 Directive. On May 13, the Council and the European Parliament reviewed and updated the directive, which sets a baseline for cybersecurity risk management and reporting obligations across critical sectors. Key updates include: 

• Expanded the list of covered entities 
• Removed regional variations of implementation 
• Senior management is accountable for ensuring security standards 
• Expanded definition of reportable incidents 
• Reduced notification timeframe to 24 hours

Once adopted NIS2 will replace the current NIS directive on security of network and information systems. The agreement will be recognized across all covered regions in hopes of establishing proactive threat mitigation across industries.

Read more about NIS2 and its origins in our recent news coverage. 

DORA provisional agreement

As cyberattacks rise, the EU is prioritizing the security of the financial services industry through reaching a provisional agreement aimed at establishing resiliency across EU. The agreement focuses on enhancing the security of financial entities such as banks, insurance companies and investment firms. The provisional agreement, reached on May 10 and born out of a proposal made in late 2020, sets expectations around network security and IT operations for organizations and related third parties in the financial services sector. 

The European Council states that the agreement focuses on Information Communication Technologies (ICTs) and related services such as cloud platforms and data analytics. The agreement creates a framework for resilience that establishes an expectation for organizations to “…withstand, respond to, and recover from all types of ICT-related disruptions and threats.”

The agreement will be recognized across all EU member states and hopes to establish proactive threat mitigation across industries. 

Read the original update on the European Council’s website to learn more information. 

Better Cybercrime Metrics Act

US President Joe Biden signed a bill into law (public law 117–116) that prioritizes updating the way that the US government tracks, measures, analyzes and prosecutes cybercrime. The law, known as the Better Cybercrime Metrics Act, establishes requirements meant to improve cyber reporting and tracking for increased visibility around attack vectors and attack evolution.  

Major updates from the law include:

• Creation of a system to track cybercriminal incidents 
• Updated taxonomy to categorize various cybercrimes 
• Establishment of a category in the National Incident-Based Reporting System for the collection of cybercrime reports from federal, state, and local officials 
• Required Government Accountability Office (GAO) reports on current state and potential gaps 
• Incorporation of cybercrime-related questions in the National Crime Victimization Survey

Read more about the impact of the Better Cybercrime Metrics Act for more information. 

How OneTrust can help

The OneTrust platform leverages expertise in Vendor Risk Management, Privacy, GRC, and many other categories to deliver an immersive cybersecurity management experience. We enable you to gain visibility into all aspects of your organization’s security structure, allowing you to holistically protect both your customers and your data. Explore OneTrust today by requesting a demo.

Check out OneTrust DataGuidance to stay up to date with regulatory updates from around the globe.