< ciso
brief />
Tag Banner

All news with #cyber resilience act tag

19 articles

Cloudflare joins UK cyber resilience pledge

🔐 Cloudflare announced it has joined the UK government's Cyber Resilience Pledge as a founding signatory, aligning with the pledge’s pillars of democratized security, leadership accountability, and radical transparency. The post highlights rising cyber threats — including massive DDoS volumes and AI-driven attack vectors — and describes how Cloudflare's global network, zero trust controls, and free protections support resilience across the UK economy. Cloudflare emphasizes supply-chain assurance, board-level governance, and international certifications to meet the pledge's aims.
read more →

UK launches Cyber Resilience Pledge for businesses

🛡️ The UK government announced the Cyber Resilience Pledge, with over 60 businesses signing up after its unveiling at CYBERUK in April alongside a £90m support package. Signatories such as Microsoft UK, Marks & Spencer and Vodafone commit to board-level cyber accountability, NCSC training, Early Warning registration and risk-based Cyber Essentials adoption across supply chains. The scheme targets medium and large firms with the aim of driving baseline security improvements across suppliers.
read more →

The modern CISO is becoming the next CFO

🛡️ The role of the CISO is evolving from a technical operator into a broad, enterprise-level executive responsible for cyber resilience, regulatory compliance, AI governance and business risk. As cyber risk becomes business risk, organizations are expanding security leadership—adding deputy CISOs and specialized teams—while keeping centralized accountability. The author argues the CISO should report independently (e.g., to the CEO, COO or CRO) and that AI increases the need for clear human accountability.
read more →

Seven common cyber risk assessment mistakes to avoid

🔍 A cyber risk assessment should be a decision tool that ties technical findings to business impact, yet many organizations fall into common pitfalls. Experts warn against rote, checklist-driven assessments, sugarcoating results, narrow scoping, and overreliance on risk registers that mask assumptions. Other frequent missteps include failing to link risks to business outcomes, confusing compliance with true security, and neglecting the implications of new technologies like AI. The article outlines seven practical gotchas and recommends context-driven, continuous risk assessment involving business stakeholders to produce actionable, defensible insights.
read more →

Five Eyes Urges Urgent AI-Driven Cyber Resilience

🛡️ The Five Eyes cybersecurity agencies warned on June 22 that frontier AI is already reshaping offensive and defensive cyber capabilities and urged businesses to prioritize cyber resilience. They cautioned that AI accelerates attacks by lowering barriers and shrinking the window between discovery and exploitation, while also offering defensive benefits. The group recommended a whole-of-organization response focused on basics, secure-by-design, defence in depth, and integrating AI into security operations. Practical steps included reducing attack surfaces, accelerating patching, addressing legacy systems, strengthening access controls, and preparing incident response.
read more →

OpenSSF Warns of Poor CRA Readiness in Open Source

🔒 The Open Source Security Foundation (OpenSSF) warns of broad unfamiliarity and structural unreadiness for the EU Cyber Resilience Act (CRA), with 66% of surveyed manufacturers and developers reporting limited awareness. The report highlights confusion over applicability, deadlines, penalties and roles like manufacturers versus stewards, and notes low adoption of full Software Bills of Materials (SBOMs). OpenSSF also flags risky reliance on private forks and passive upstream dependence as potential compliance failures.
read more →

Resilience and Self-Reliance in Cyber Conflict

🛡️ Dmytro Kuleba, Ukraine’s former foreign minister, told Infosecurity Europe that preparation, resilience and self-reliance are crucial for cybersecurity professionals facing wartime threats. He cited KyivStar’s rapid recovery from a December 2023 hack and stressed the value of wargaming and muscle-memory incident response. Kuleba warned that innocuous services such as CRMs can be weaponized and urged businesses to distrust products from potential adversaries.
read more →

AI-Driven Scanning Raises Vulnerability Expectations

🔍 ENISA chief Hans de Vries told ESET World that AI-powered vulnerability scanners mean firms can no longer claim ignorance of software bugs. He warned that the Cyber Resilience Act and emerging AI tools require security by design and that failure to use AI coherently risks exploitation and litigation. The NCSC also expects AI to expose poorly coded systems while vendors adopt AI to remove flaws.
read more →

Europe's Push for Tech Sovereignty and Security Agenda

🔒 European policymakers are accelerating a push for greater tech sovereignty in response to shifting geopolitical trust and concerns over dependence on US and other foreign technologies. The debate spans legal, operational and supply-chain dimensions, with proposals under the EU’s Tech Sovereignty Package and revisions to procurement and the Cybersecurity Act. Achieving autonomy will require investment in local R&D, talent, interoperable systems and realistic timelines, while avoiding protectionist measures that stifle competition. The private sector must factor geopolitical risk into procurement to scale credible European alternatives.
read more →

What Boards Must Demand in the Age of AI Exploitation

⚠️ Boards and executive teams can no longer treat large vulnerability backlogs as a tolerable nuisance: agentic AI has collapsed attackers’ cost and speed of exploitation. Security leaders must present operational truth — not just compliance metrics — about current High and Critical findings, remediation timelines, and exposure costs. Boards should demand measurable remediation programs and a plan to reduce vulnerability accrual at the source. Regulation such as CRA and DORA raise legal and financial stakes, and 'patch faster' is not a complete answer when emergency fixes risk production outages.
read more →

Navigating Fragmented Cybersecurity Regulation in Europe

🔎 This Fortinet podcast episode examines the evolving EU-centric cybersecurity regulatory landscape and its implications for global businesses. Host Joe Robertson speaks with Dr. Tommaso De Zan of Access Partnership about layered rules such as NIS2, the Cyber Resilience Act, DORA, and emerging cloud sovereignty initiatives. They contrast horizontal and vertical regulations, highlight differences between regulations and directives, and emphasize that industry accepts rules but resents uncertainty. Practical advice includes early policy monitoring, engagement in consultations, and embedding security into products and operations.
read more →

Germany to Authorize Cross-Border Cyber Counterstrikes

🛡️ Germany plans to adopt a more offensive cyber posture, saying it will "strike back, also abroad," and aim to disrupt attackers and destroy their infrastructure. The Interior Ministry proposes joint operational responsibility for the Federal Criminal Police Office (BKA) and intelligence services and is creating a new defense center against hybrid threats. Minister Alexander Dobrindt said he will introduce laws in the first half of the year to expand intelligence powers for information gathering and operational action.
read more →

World Economic Forum: AI, Geopolitics and Rising Cyber Risk

🔍 The World Economic Forum’s Global Cybersecurity Outlook warns cybersecurity risk will accelerate in 2026, driven primarily by advances in AI, deepening geopolitical fragmentation and supply‑chain complexity. Based on survey responses from 804 leaders (including 316 CISOs) across 92 countries, the report finds eroding confidence in national preparedness and divergent priorities between CEOs and CISOs. It highlights both the risk and defensive potential of AI and calls for strengthening collective cyber resilience through collaboration, governance and balanced adoption with robust safeguards.
read more →

Parliament Seeks Industry Input on Cyber Security Bill

🏛️ The Parliamentary Public Bill Committee is inviting industry submissions to inform scrutiny of the Cyber Security and Resilience Bill (CSRB), the planned successor to the NIS Regulations 2018. Now at committee stage after its second reading, the bill proposes expanded scope, tighter incident-reporting, mandatory supply‑chain risk management and alignment with the NCSC Cyber Assessment Framework. The committee will hear oral evidence from 3 February and has urged prompt written responses as it may conclude early.
read more →

Vaillant CISO: From Technology to Strategic Cyber Leadership

🔒 Raphael Reiß, CISO at Vaillant Group, warns that rising geopolitical tensions and increasingly professional cybercriminals — now aided by AI — have lowered the barrier to complex attacks. Vaillant applies a holistic, multilayered security approach that spans IT, global production and customer-facing products, combining preventive and reactive controls. Reiß emphasises people-first awareness training and pragmatic compliance with standards such as NIS2, DORA and the Cyber Resilience Act. His advice is direct: analyse your starting point and start rather than wait.
read more →

Key Provisions of the UK Cyber Security and Resilience Bill

🛡️ The Cyber Security and Resilience Bill — introduced to the House of Commons on 12 November and outlined by Shona Lester (DSIT) on 24 November — aims to strengthen protection for essential services by expanding regulatory scope and accelerating incident reporting. It brings data centres, large load controllers, managed service providers and designated critical suppliers into an Operators of Essential Services regime and requires 24‑hour notification of incidents with fuller reporting to follow. The bill also increases regulators’ enforcement powers and penalty regimes.
read more →

UK introduces Cyber Security and Resilience Bill to Parliament

🔒 The UK government today introduced the Cyber Security and Resilience Bill, proposing a major overhaul of the NIS Regulations to align with updated EU standards. The draft would regulate managed service providers, expand scope to data centres and smart-appliance electricity flows, and mandate supply-chain risk management and NCSC Cyber Assessment Framework-based controls. Incident reporting windows would tighten to an initial 24 hours and full report within 72 hours, while the ICO and regulators gain stronger enforcement and fee powers.
read more →

How evolving regulations are redefining CISO responsibility

⚖️ CISOs are increasingly exposed to personal and even criminal liability as regulators such as the SEC, DOJ and international authorities press executives to disclose accurate cyber risk and incident information. Rising IoT/OT device vulnerabilities — with vulnerability-based breaches up 34% year over year and accounting for roughly 20% of breaches — are driving mandates like Executive Order 14028, NIS2 and the Cyber Resilience Act. Organizations are updating governance, improving asset inventories and adopting device intelligence tools like SomosID to correlate inventories, SBOM data and vulnerabilities, helping to support compliance and reduce executive exposure.
read more →

it-sa 2025: Nearly 1,000 Security Vendors at Nuremberg

🔒 it-sa 2025 opened in Nuremberg on October 7, with organizers reporting 990 exhibitors — a 15% increase over last year — and an expected attendance record to be announced at the close. At the opening press conference, BSI President Claudia Plattner said the agency will implement the Cyber Resilience Act in Germany and exercise market surveillance powers. Industry leaders highlighted strong market growth, rising cybercrime losses, and calls to increase corporate security budgets while supporting European security startups.
read more →