Helping you prepare for CRA and NIS2

Why choosing a manufacturer that takes cybersecurity seriously is business-critical.

Cybersecurity remains a pertinent issue for business leaders, so it’s little surprise that the European Union is working to reduce the risk of cyber-attacks to organisations. Its latest efforts centre on two directives, the Cyber Resilience Act (CRA) and the Network and Information Security Directive 2nd edition (NIS2). Business leaders reviewing their compliance now would do well to partner with manufacturers, such as Hanwha Vision, that are committed to cybersecurity and ahead of the curve in complying with NIS2 and the CRA.

For context, the European Parliament and European Council have long been vigilant around the use and protection of data, particularly personal data. However, with cybercrime on the rise, and with the rapid growth of technology platforms creating more and more opportunities for malicious actors to exploit networks and connected devices, legislators are shoring up the cyber defences of EU member states and the organisations operating within them.

The European Union Agency for Cybersecurity, ENISA, reveals that new threats to cybersecurity are emerging because of the wealth of data that devices can now collect; advances in AI, which make cyber-attacks more complex and scalable; supply-chain targeting (with third-party incidents accounting for 17% of intrusions in 2021 compared to less than 1% in 2020); and Internet of Things (IoT) devices being used as gateways to larger attacks. Amid this landscape comes the new CRA, and a replacement for the original NIS Directive that directly addresses the new threats.

About NIS2

The NIS2 Directive was adopted by the European Parliament and Council in December 2020. It gives member states until October 2024 to transpose the requirements of NIS2 into their national laws. Ultimately, the Directive aims to improve the cybersecurity of network and information systems across the EU.

It applies to both Operators of Essential Services (OES) and Digital Service Providers (DSPs); identifying where an organisation fits into this is key to understanding its obligations. OES provide critical services to the economy or society and include energy firms, transport, banking, and healthcare. DSPs provide online services to a large number of users, and include search engines, social media platforms, and online marketplaces. As a manufacturer of video technology, Hanwha Vision is defined as a DSP.

The first NIS Directive focused solely on OES; however, given the increasing prevalence of digital services that can be a weak link exploited by malicious actors, NIS2 expands the requirements to DSPs. It ensures that DSPs take appropriate measures to manage the risk posed to their networks and information systems.

DSPs will be required to:

  • Be fully compliant with the Cyber Resilience Act.
  • Conduct regular risk assessments to identify and assess the risks to their networks and information systems.
  • Implement appropriate security measures to mitigate the risks identified in their risk assessments.
  • Report cybersecurity incidents to the competent national authorities.
  • Cooperate with the competent national authorities in the event of a cybersecurity incident.

NIS2 is a positive step for the video sector; it ensures that any manufacturer wishing to do business in EU member states is compliant. Securing a network, with its various devices and different services, requires active participation by the entire vendor supply chain, and NIS2 makes this much easier to organise. Moreover, cameras can be a risk if they aren’t chosen from reputable manufacturers, not just for the data they collect (which can be sensitive and personal) but also as a gateway to a larger cyber-attack. As networks become larger and more complex, particularly as more smart cities are built, having robust cybersecurity across supply chains becomes critical.

Preparing for NIS2

The best way to futureproof your organisation right now is to work exclusively with manufacturers that can prove their readiness for NIS2 compliance, with a strong track record of cybersecurity best practices. Although the exact requirements are yet to be legislated by the EU, a safe bet for now is to look for CRA compliance as there is every chance that a CRA-compliant manufacturer will also be NIS2 compliant.

CRA compliance

With more smart devices in businesses and homes, the European Commission is looking to ensure an adequate level of cybersecurity in every product used within member states, with regular security updates throughout the product lifecycle. To help business leaders and consumers identify compliant products, the CE marking will appear on any product or software that meets the requirements. The CRA applies to products that connect to the internet, for example smart TVs, WiFi routers, smart fridges and video cameras.

Although the Act is still being deliberated by the European Parliament and Council, and likely won’t come into force until 2024 at the earliest, Hanwha Vision is already following the CRA guidelines, owing to the comprehensive cybersecurity processes it has implemented.

Vendors must also show that they are conducting regular risk assessments to identify, assess, and mitigate any risks to their network. This is something that Hanwha Vision’s Security-Computer Emergency Response Team (S-CERT) regularly carries out, including penetration testing and security checks.

Hanwha Vision’s products are all designed and developed with security in mind, with UL CAP certification for its Wisenet 7 advanced System on Chip (SoC). To further improve security for all of its users, Hanwha Vision regularly publishes potential threats and vulnerabilities as part of an open disclosure policy, and provides users with information about their products’ security features and how to use them.

The tip of the cybersecurity iceberg

The latest legislative moves by the EU are part of wider efforts to promote cyber resilience through policymaking, innovation grants, and more. They show a clear focus by the European Commission on securing products and services against cyber-attacks; partnering with manufacturers that place cybersecurity at the core of their product design will help organisations future-proof their operations in Europe.

It’s vital, therefore, that users choose a video manufacturer that goes above and beyond in securing its products and software – cybersecurity is not an area where ‘good enough’ is sufficient. The risks and costs of a data breach are simply too great to justify choosing cameras with substandard cybersecurity. Partnering with a manufacturer that constantly scans the landscape for new threats and vulnerabilities ensures your video system remains ahead of the game in maintaining compliance.

The importance of credentials and policies

To obtain peace of mind that your video network is as cyber-secure as possible, looking for a few ‘trust marks’ in your manufacturer should be part of every selection process. You need to see clear evidence of their commitment to cybersecurity, not just in product design but across all operations, culture, and even thought leadership. Security policies, including vulnerability responses and incident handling/reporting, are basic requirements.

Certifications including UL CAP (UL Cybersecurity Assurance Program) and NDAA (National Defense Authorization Act) compliance, or accreditations such as the UK’s Cyber Essentials scheme, can provide further confidence. In particular, since NDAA compliance requires manufacturers to avoid both manufacturing in blacklisted countries and using silicon chips and other components sourced from them, it can be an important indicator of the cyber-resilience of a manufacturer’s supply chain.

Finally, knowledge and resource sharing, as well as contributing to the CVE vulnerability library (Hanwha Vision is a CVE Partner), can show a long-term commitment to improving cybersecurity. Hanwha Vision is proud to have been hardening its security measures and contributing to cybersecurity best practices across the UK and Europe for many years.

A future trust mark?

As with NDAA compliance, the CRA and NIS2 are becoming another point that decision-makers can use to determine a manufacturer’s cybersecurity commitment. Seeking out vendors that are proactive in their approach and that take a multi-faceted strategy to securing products will serve you well in the long term as cyber-attacks become more commonplace, complex, and costly. It gives you the freedom and flexibility to invest in the best CCTV solutions for your organisation without introducing a weak link into your network.