The EU’s regulatory framework for secure data handling is certainly well-intentioned. But for the majority of market participants, small and medium-sized enterprises (SMEs), the road to implementation in applicable national law is rocky. A new benefit perspective could offer help here. For SMEs, security is undoubtedly important, but for them to really implement the NIS2 directive or the Cyber Resiliance Act (CRA), the whole thing lacks product character. And all that goes with it, but especially purchase incentive and price.
The CRA is a necessary correction to existing regulation, but it adds no value to SMEs. Unless citizens are willing to pay more for cybersecurity. Here’s how that might work. asvin was a participant in the EU’s online workshop in early June 2023, where market participants can submit their objections to the proposed legislation and initiate a corrective process. Forty SMEs and their associations met with experts from the European Commission.
The list of upcoming legislation that SMEs should actively deal with, presented by the BDI (Federation of German Industries), showed how multi-layered and complex the overall situation regarding EU regulation is: Data Act, AI Act, European Chips Act, NIS 2 Directive, Cyber Resilience Act, Cloud Computing Activities, Digital Markets Act, Digital Service Act, Data Governance Act and Industrial Metaverse. – Each in itself a challenge. Taken together, this is an impossible task for a single SME addressed by the laws. That’s because there is not only a lack of time and expertise to tackle it. There is also a lack of understanding as to why an SME should cooperate at all in creating the digitally sovereign Europe desired by the EU.
The consensus at the meeting was that the Commission is asking a lot from industry and the SME ecosystem without any clear business benefit being immediately apparent. In addition, disruptive and incremental innovations certainly originate from SMEs, but these are then mostly taken up and monetized by larger companies. And this is not only due to classic predatory and market laws, but also because of powerless interest representation. Says Henk Koopmans, President of the Advisory Board of CROSS-SILO B.V.: “SMEs lose out because their political lobby does not have the financial power of the market leaders to influence politicians worldwide, in the EU and its member states.”
So what is missing is an inspiring story about why Europe needs this plethora of laws. How could we manage to make SMEs feel like they are at the forefront of European sovereignty? My answer: by creating a new label for fundamentally secure products and services, such as “Trust made in Europe.” If we achieve this, consumers will also follow suit. Then the new security awareness will also reach the citizens of Europe, who already recognize the need for cyber security in their homes.
With general cyber laws that apply equally to everyone, we can lay the foundation for a human-centric approach to digital products and services from the Internet of Things (IoT), AI or distributed ledger technology. Security in IoT has always been a business trade-off, now we can make European devices and services more secure, less hackable and less vulnerable to phishing attacks by embedding cybersecurity in consumer awareness.
In addition to awareness, this can be done primarily through price, and reciprocally. It is no longer the cheapest that is desirable, but the most secure. One starting point for this is the CE marking for electrical products, with which a manufacturer expresses that he is aware of the special requirements for the product he sells and that it meets these requirements. This has also been discussed for a long time and has now become reality.
Desirable and already partially realized by asvin is therefore an SME community for EU cybersecurity. SMEs should leave their silos and talk to SMEs. Instead of only notifying ENISA or BSI in case of security breaches, we recommend organizing them through peer-to-peer protocols that selectively share security information. Just hoarding critical vulnerabilities is in itself a security risk. That said, the process is also one-way and not dynamic. You want to share breaches and solutions as early as possible with peers, in this case European cybersecurity SMEs, so they can immediately inform their customers and their customers’ supply chain peers. At asvin io, we are working on this new openness, on making relationships visible, and with the goal that a price is not hot until it prices security. Info on our research projects, event participation and solutions here: https://asvin.io/
As always, I wish you an inspiring day! And looking forward to suggestions here on LinkedIn.
