Stay Informed: latest EU & UK security updates

Jody Cox
26 September 2024
11 min read

This blog covers new EU and UK laws to improve cybersecurity and operational resilience in software development and IT, stressing compliance to protect systems, data, and customers.

Find out how new EU and UK legislation aims to enhance cybersecurity and operational resilience for software development and IT operations—and what steps you need to take to ensure you're compliant.

What are the new regulations?

Ensuring compliance with the latest legislation is not just a legal requirement—it guarantees your system meets high performance and security standards, keeping your organisation, your data, and your customers' data safe from cybercrime.
Here, we're taking a closer look at three new pieces of legislation: the UK's Product Security and Telecommunications Infrastructure (PSTI) Act, the EU's Cyber Resilience Act, and the Digital Operational Resilience Act (DORA). Let's find out a bit more about each and how it impacts your organisation.
Product Security and Telecommunications Infrastructure (PSTI) Act
What does it cover?
Enforced by the Office for Product Safety & Standards, this law applies to UK manufacturers, importers, and distributors of 'relevant connectable products', including those that use TCP/IP to send and receive data over the internet, for example, smartphones, smart TVs, connected alarm systems, etc.
What's required?
As of 29 April 2024, those businesses are legally required to comply with minimum product security requirements to prevent security breaches, including requirements on security design (e.g. passwords), security updates, and compliance documentation.
Cyber Resilience Act
What does it cover?
Essentially, this is the EU's equivalent of the PSTI Act but with a much broader reach. It establishes a common high level of cybersecurity across the EU for consumers and businesses using products and software. It imposes mandatory cybersecurity requirements for manufacturers, their authorised representatives, importers, and distributors of 'smart' products, including household devices, wearables, toys, and software products.
What's required?
Though not currently law, once it's formally adopted by the EU Council (probably late in 2024), most manufacturers, importers, and distributors will have 36 months to adapt to the new requirements. These include putting in place standardised cybersecurity practices, robust risk management, and incident response plans.
Digital Operational Resilience Act (DORA)
What does it cover?
Another EU law, DORA is focused on digital operational resilience and IT security across financial services. It aims to cover the wide-reaching industry, including payment institutions, account information service providers, insurers, investment firms, electronic money organisations, and more – impacting their businesses and their IT providers' performance too.
What's required?
Set to take effect in January 2025, the specific obligations DORA will bring in haven't been fully defined yet. However, some of the draft regulatory technical standards include the use of third-party ICT risk management tools, how to classify incidents, operational resilience planning, and continuous monitoring and testing.

What do these new regulations mean for you?

With so much new information to absorb, we’ve stripped the legislation back to focus on the key considerations for your DevOps and development teams.
PSTI Act
  • Security by design: the implementation of the PSTI Act requires development teams to incorporate security practices and features into their products right at the beginning of the development process. These include threat modelling, secure coding practices, and completing regular security reviews.
  • Compliance and documentation: they’ll need to ensure that their products meet the security standards outlined in the law, providing easily accessible information about these security measures. This could involve more rigorous documentation, record-keeping, and compliance checks than what they’re used to.
  • Regular updates: there may be requirements for regular security updates and patches, which means that DevOps teams will need to streamline their CI/CD pipelines to handle frequent releases. They’ll need to publish clear information to users about how long security updates will be provided for.
  • Testing and validation: teams will need an enhanced focus on security testing, including penetration testing, as well as a mechanism for assessing, reporting, and addressing security vulnerabilities.
CRA
  • Standardisation: the CRA requires development teams to adhere to standardised cybersecurity practices and frameworks around risk and vulnerability management and record-keeping. This might require your organisation to adopt new tools and get to grips with new methodologies.
  • Documentation: developers need to establish an effective process for documenting security measures, addressing vulnerabilities, security breaches, and major incidents – how they were identified and remediated. This will be essential in demonstrating compliance and a diligent approach.
  • Risk management: before a ‘product with digital elements’ is placed on the market, the CRA requires that a thorough cyber risk assessment be carried out. Teams will need to implement robust risk management processes to identify, assess, and mitigate cybersecurity risks throughout the software development lifecycle. The CRA also imposes due diligence requirements on third-party suppliers.
  • Incident response: as well as managing product vulnerabilities through regular testing, patch management, and clear documentation, DevOps teams will need to have well-defined incident response plans and be prepared to act quickly in the event of a security breach.
  • Training and awareness: continuous training and awareness programs will be necessary to ensure that all team members are up-to-date with the latest cybersecurity practices and regulatory requirements, including their responsibility regarding frameworks, tools, and record-keeping.
DORA
  • Operational resilience: teams must ensure that their systems are designed to withstand and recover from various types of disruptions, including cyberattacks and technical failures. That means ensuring appropriate physical protection of networks, data, etc. as well as implementing resilience testing, including vulnerability assessments, penetration testing, and simulations of potential incidents.
  • Third-party risk management: in addition to adhering to their own comprehensive ICT risk management frameworks with risk assessments, detailed incident response, and stricter governance, development teams will need a stringent process for selecting and monitoring any third-party service and software providers, including more detailed contract arrangements.
  • Continuous monitoring: continuous monitoring of systems and services for potential vulnerabilities and threats will be crucial. This may involve using advanced monitoring tools and techniques.
  • Regulatory reporting: as with the regulations above, teams will need to establish suitable mechanisms for reporting and compliance, ensuring that any incidents or breaches are reported in a timely manner and that appropriate actions are taken to resolve them.

How will these changes impact your teams?

To comply with all relevant legislation, it's clear that your DevOps and development teams are going to have to make some key changes. For starters, if you’re not already taking a shift-left approach to security, embedding it right from the start of your software development lifecycle, then this will be a crucial adjustment for your people. This will help everyone take responsibility for their role in ensuring robust security practices as well as ensuring vulnerabilities are caught and fixed much earlier.
Best practice DevSecOps requires development, operations, and security teams to work closely together, fostering a collaborative culture that benefits all. Teams might want to engage external security experts who can help them implement the correct practices, tooling, and training to ensure compliance. Those tools should put an even greater emphasis on automation to help teams meet security standards, conduct audits, and manage compliance and documentation.
To achieve all this, they'll need to consider how the work will be done. At the very least, an initial reallocation of resources will be required to get everyone up to speed and ensure your software meets the necessary regulations.

What steps do you need to take next?

While there's lots to consider, don't let inertia set in – the PSTI Act is already law, and the CRA and DORA aren't far behind. You need to be proactive about planning for these legal changes. Here are a few things you, as a key leader in your organisation, can start doing today to get ready.
Integrate security from the start
If this hasn't happened already, put practices in place to make sure security is thought about from the earliest stages of development. And support this thinking by integrating security testing early and throughout the development lifecycle.
Enhance compliance and documentation
Security audits should be a regular occurrence, backed up by detailed documentation to demonstrate compliance and any actions taken. This can be made easier with the help of automated tools that take the manual toll out of delivering compliance checks and reporting.
Implement robust risk management
Risk assessment is vital to ensuring security standards are met. It helps identify and mitigate potential vulnerabilities before they become big risks. But incidents can occur, so you'll need to put effective response plans in place to ensure you can recover with minimal impact to your organisation.
Strengthen operational resilience
The more resilient your operations overall, the better prepared you'll be to face any breaches and bounce back from attacks. Identify all points of failure, focusing on those with the highest risk value. These will span hardware failures, unintentional human errors, and malicious actions (from both internal and external actors).
Resilient systems should tolerate and recover from hardware failures and network issues, be self-healing, and be continuously tested and monitored (see below). Implement resilience testing, including running simulations, to prepare your people and test your practices. That goes for your third-party vendors and services, too. You'll need to evaluate and monitor their security practices to ensure you're not breaking the law by association.
Monitor and update your product
As we mentioned, monitoring is vital, and not just from a vulnerability perspective. You should also deploy advanced monitoring tools to keep track of and analyse your system's performance alongside security. You should also maintain reliability by regularly updating all your applications with the latest security patches.
Get your people ready
Ultimately, adjusting to these new regulations requires a cultural shift, so you must arm your people with all the information and tools they need to ensure compliance. That means implementing ongoing training programmes to keep them updated about what's expected and fostering a security-first culture where everyone takes their responsibility seriously.

Lost in the jargon?

If you're struggling to see the wood through the red tape, you don't need to go and get a law degree to understand what's changing. We can help. Get in touch to find out how our experts can ensure your people are up to speed and your processes are compliant with all the latest legislation.
Written by
Jody Cox
Principal Sales Executive
Jody leverages over 19 years' agile expertise and nearly a decade in cloud and DevOps to design comprehensive agile delivery approaches and guide clients through digital transformation.