European Agencies are Taking Cybersecurity Seriously and Your Business Should, Too
It's time businesses meet government expectations to put more effort into protecting their digital assets.
By Nenad Zaric, edited by Jason Fell
You're reading Entrepreneur Europe, an international franchise of Entrepreneur Media.
Cybersecurity has taken hits left, right, and center in the past year. Europe hasn't been spared, with high-profile breaches like the UK Ministry payroll hack exposing the personal information of members serving in the armed forces in May 2024. While the numbers look more encouraging for the continent than the global breach reports (more than 24 million reported breaches in Europe against more than 5 billion worldwide in April 2024), Europe isn't quite out of the woods yet.
Government agencies are aware of the issue and are showing concern. As ransomware cases rise, Juhan Lepassaar, head of the European Union Agency for Cybersecurity (ENISA), recently argued that cybersecurity will inevitably need to become second nature to designers and consumers. He also warned that AI is increasingly becoming a threat.
However, cybersecurity shouldn't just remain a government issue. European companies are shelling out billions to recover from severe cyber attacks, confirming that they must do more to protect their data and keep business operations running. As cybersecurity policies multiply in the region as a response to malicious actors being more active than ever, it's time businesses meet government expectations to put more effort into protecting their digital assets.
Let's explore the current state of cybersecurity policies in Europe, where companies are getting it wrong, and ways to improve their cyber posture in today's aggressive landscape.
The current state of cybersecurity policies in Europe.
Some of the most noteworthy cybersecurity policies in the region have been released or updated in the past year as a response to heightened attacks. From product compliance to holding vendors and consumers accountable, let's review what government players have been doing to keep threats at bay.
The Cyber Resilience Act (CRA), approved in March 2024, is the latest compliance measure the European Union has established to protect the public and private sectors and to ensure tech companies do their part to secure their products. It aims for wired and wireless products (connected to the internet or to software) to be secured, for manufacturers to raise their data security levels, and for businesses to vet these vendors properly. No party is exempt from cybersecurity responsibilities.
In the case of non-compliance, authorities can seize products, order corrective action, and even fine companies between €5 million and €15 million, or impose penalties of up to 2.5% of global annual turnover.
ENISA recently released the European Cybersecurity Certification Scheme on Common Criteria (EUCC), a security framework for certifying the cybersecurity posture of information and communications technology (ICT) products. This certification further enforces the EU Cybersecurity Act, adopted in 2019, which companies in the market must already adhere to.
Finally, the EU introduced the Network and Information Security Directive (NIS2) in 2023 as an update of the EU cybersecurity rules presented in 2016. This directive provides firm legislation on cybersecurity to foster a threat awareness culture, member state cooperation, and certain internal IT requirements.
These are just some of the prominent European policies that private companies must comply with. While it's no easy task to keep up with all of them, it's crucial to implement them internally to secure business continuity, client satisfaction, and legal compliance.
Where companies are getting cybersecurity wrong.
Despite the government agencies' best efforts to deter cyber threats with new legislation and compliance requirements, real change can only happen if companies truly adopt the advice and comply with new frameworks to secure their data.
Cyber attacks aren't just the work of small groups of hackers motivated by financial gain. Cyber warfare is a powerful tool that won't go away any time soon, especially as geopolitical tensions continue in the region. Even if a business isn't the intended target, an attack on critical infrastructure can catch it in the crossfire. Organizational practices are all the more concerning given a recent report showing that almost one-fifth of businesses still deploy security controls only after an incident rather than from the beginning.
So, what are they getting wrong? One of the most pressing issues facing companies right now is ransomware, which still succeeds partly because of a general lack of awareness and training. Poor awareness leads to even poorer incident response, which makes recovering from these incidents harder and costlier.
Secondly, large companies often struggle to understand their own tech infrastructure. Not knowing your assets well, or whether they're vulnerable, makes it nearly impossible to defend against external attacks, even more so now that AI is being used to build smarter attacks that will spot even the smallest of flaws.
Finally, and most importantly for Europe, companies must be wary of the ever-increasing supply chain attacks. Recent data shows that 74% of supply chain companies suffered cyber attacks in the past year, and these incidents also carry a higher financial impact. Such attacks are becoming more commonplace as hackers gain access to larger companies through smaller, third-party vendors in the supply chain.
Meeting cybersecurity demands without breaking the bank.
Talking about cybersecurity incidents and the need to mitigate them is easier said than done, especially when protection services can be costly. Just hiring cybersecurity staff is already an expense many founders can't fathom taking on.
AI, however, offers a potential solution. Automation can cut expenses without sacrificing good data security. The cybersecurity sector has been developing AI tools that run in the background to monitor and patch vulnerabilities in company systems. These tools have allowed organizations to prevent attacks rather than plan for the aftermath.
One successful automation technique is early security checks. When companies update their software or release new features, they also introduce new attack surfaces for malicious actors to exploit. By running security checks early, companies ensure that every new change is secure for their clients. This inspection closes the weak spots in infrastructure that serve as entry points for ransomware and data breaches.
Companies can also automate the discovery process in offensive security. This technique continuously scans their software to secure it from the inside out, from their domain to their internal tools connected to the cloud. This way, companies identify and secure their assets around the clock without requiring intensive in-house IT services. To go further on the offensive side, they can automate penetration tests to discover overlooked attack surfaces.
As cybersecurity becomes paramount, these protection mechanisms are becoming more accessible and easier to manage, so companies have no excuse to operate with weak data security measures. With threats looming large and European government agencies getting even more serious about cyber posture, it's not a matter of if but when to implement security automation and other tools to keep your product, clients, and business safe.