After a very successful 2022 for the EU cybersecurity policy field, which we have analysed in this blog, we looked at 2023 with some predictions of how the threat landscape will evolve. If we have to give an informed guess, here is what we can expect in 2023 for cybersecurity:
- Supply chain attacks will continue to grow, but their discovery will probably improve. Currently, identifying a breach takes on average over 212 days (IBM), and supply chain attacks take longer still because of their complexity and the lack of transparency across suppliers.
- Ransomware has slowed its exponential growth, with a 23% drop in ransomware attacks in 2022 following the 2021 law enforcement campaigns and arrests (FBI, Europol, EU national authorities). Yet the ransomware pandemic persists, as no significant policy action has been taken (e.g. cryptocurrency tracing, making ransom payments illegal, or limiting cyber insurance coverage of ransoms). As EU cybersecurity legislation (NIS and NIS2) is (further) implemented, forcing critical and government organisations to invest in cyber resilience, the number of successful ransomware attacks (i.e. actual losses) may decrease slightly. And if we managed to stop ransomware entirely in 2023, we would save the $14 billion needed to End Hunger, Double Incomes for Poorest Farmers, and Meet Climate Goals.
- ENISA reported that around 60% of organisations hit by ransomware may have paid the ransom demand. Experts advise against paying, as there is no guarantee of full data recovery (nor that any stolen data will actually be deleted), but the trend of paying, rather than investing in cybersecurity in the first place, will likely persist in 2023.
- Data breaches will become commonplace (Avast). This is a worrying trend, as the GDPR has been in force in the EU for almost 5 years and organisations ought to have taken the necessary technical and organisational measures by now.
- With digital identities gaining traction and being used to access more services, we expect identity theft to grow. While the proposed revision of the eIDAS Regulation (the European Digital Identity framework) introduces a secure EU digital wallet, attackers have moved faster and already hold identity data they can later exploit for economic gain or use in espionage or cyberbullying. The personal data of a large share of the EU population has already been breached (see the large-scale data breaches in Bulgaria, Austria, France and Germany). Most types of personal data, such as personal identity, tax and social security numbers, biometrics, health data and addresses, cannot be changed, so there is no immediate way to prevent the breached data being used in future identity theft attacks.
- Cybersecurity M&A is on the rise; the market is consolidating, with retail, telco and tech companies acquiring cybersecurity solutions and startups (mostly cloud security, identity management and consulting services) to improve their offerings and expand in the fast-growing cybersecurity market.
- Working-from-home cybersecurity will become a priority for businesses (Forbes). This raises a further concern: personal IT devices do not have the same level of security as office-based ones. Businesses will have to invest more in this in 2023 if they continue to pursue the working-from-home model.
- AI will play an increasingly important role in cybersecurity, and its use is sometimes described as an arms race, as malicious actors and defenders compete to have the most sophisticated algorithms working on their side (Forbes). 2023 will see continued work on the EU AI Act, with negotiators facing the challenging task of getting its scope right.
- EU and national government budgets will start fuelling cybersecurity investments through the Recovery and Resilience Facility. The focus areas are state capacity, incident management, and crisis reaction and coordination. However, administrative costs and complex project management procedures may shrink the real cybersecurity investment.
Critical infrastructure (CI)
- The CI sectors will continue to be targeted in 2023, with health, energy, manufacturing and financial services hit the hardest. Already by mid-January there had been attacks on the banking sector in Denmark. In late January, DDoS attacks targeted the websites of several European hospitals and, on a separate occasion, the websites of some German airports and banks.
- An extensive debate is expected on the EU Cyber Resilience Act (CRA) as more companies become aware of the broad scope and reach of the draft proposal. The proposal also requires significant investment in EU government sector capacity to enforce and certify compliance with EU cybersecurity rules alongside traditional product safety rules such as CE marking.
- The NIS2 Directive and DORA entered into force on 16 January 2023. We expect fast NIS2 transposition in the Member States (MS), given the legal groundwork already laid by the NIS transposition laws. DORA, as a Regulation, is directly applicable to financial services (from 17 January 2025), and the cybersecurity maturity of the sector is already high. We expect no big bang there.
- The Digital Decade Policy Programme 2030 was published in December 2022. One of its general objectives is to improve resilience to cyberattacks, contribute to increased risk awareness and knowledge of cybersecurity processes, and increase the efforts of public and private organisations to achieve at least a basic level of cybersecurity.
- Cloud security policy measures, including the draft EU cloud services cybersecurity certification scheme (EUCS) under the EU Cybersecurity Certification Framework, will be high on the agenda. ‘Cloud computing is a key objective to increase Europe’s data sovereignty as outlined in the European Commission’s Data Strategy, Digital Strategy, Industrial Strategy and the EU recovery plan’. Yet only 41% of EU SMEs had adopted the cloud in 2021. This is partly due to a lack of trust in the cloud and, more generally, to unclear cybersecurity assurance and knowledge gaps. A secure cloud is also key to supply chain security, so its uptake will be crucial for EU businesses in 2023.
- The European Commission is to mandate ENISA to certify compliance of e-wallets with the relevant cybersecurity requirements, under the proposal for a Regulation on a European Digital Identity (European eID) amending the 2014 eIDAS Regulation.
In conclusion, our analysis shows that some 2022 trends, such as the rise in supply chain attacks, will continue throughout 2023, moving to the cloud and affecting everyone, from the smallest to the largest companies and from low to high security maturity organisations. NIS2 introduces supply chain security measures: it is now up to the MS to correctly transpose and implement the Directive into national law and so raise the common level of security in the EU. Attacks on the CI sectors will likely continue but, once again, any major successful attack would exploit the incorrect or missing implementation of 2016 NIS Directive measures such as security policy and risk management. The same goes for data breaches: organisations handling large amounts of personal data will remain targets of malicious cyberattacks, and failures to implement GDPR security measures (encryption, adequate security for personal data, data pseudonymisation or anonymisation) will be exploited.
Overall, in the EU we have a robust legislative framework and investment that sets significant cybersecurity requirements for both MS and organisations. Malicious actors will always try to reinvent themselves and target the weakest link – and this trend will carry on in 2023. But organisations can adopt minimum security measures and protect themselves.