How EU Regulations Are Reshaping Cybersecurity Standards

By Robert Chin, ASUS Group CISO

In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group and a key U.S. medical claims processor, experienced a major ransomware attack. According to media reports, this breach allegedly led to the theft of sensitive data and severely disrupted healthcare operations across the country. 

It was one of the most significant cyberattacks of the year, halting electronic payments and claims processing. This forced patients to cover costs out-of-pocket and caused severe financial strain on healthcare providers. The data of approximately 190 million people was compromised, exposing weaknesses in healthcare cybersecurity. 

The incident highlighted the necessity of stronger security measures, such as multi-factor authentication, to protect interconnected systems and patient information. The consequences of the attack extended beyond financial losses, affecting overall healthcare service delivery.

The current state of cybersecurity threats

Cybersecurity threats are becoming more advanced and more frequent. Attackers are leveraging ransomware, supply chain attacks, and AI-driven vulnerabilities. Critical infrastructure remains a prime target, with malware-free attacks making detection harder. The evolving nature of these threats demands continuous vigilance and the implementation of strong security defenses to safeguard data and ensure business continuity.

  • Malware: Any software code or computer program, including ransomware, intentionally written to harm computer systems or their users.
  • Ransomware: A type of malware that holds a victim’s sensitive data or device hostage, threatening to keep it locked.
  • Supply chain attacks: When an attacker uses an outside provider or partner that has access to your data and systems as the way into your digital infrastructure.
  • AI-driven vulnerabilities: Weaknesses or flaws in systems, software, or processes that are either caused by the use of AI or can be exploited more effectively because of AI.

Cybersecurity regulatory approaches: EU vs. US 

The European Union has a unified regulatory approach using frameworks such as the Network and Information Security Directive 2 (NIS2) and General Data Protection Regulation (GDPR), which apply consistently across member countries.

In contrast, the US follows a decentralized approach, relying on sector-specific regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), and voluntary guidelines like the National Institute of Standards and Technology (NIST) Cybersecurity Framework. As a result, companies that only operate in the US have more regulatory flexibility but less consistency.

Current EU cybersecurity regulations, including NIS2, GDPR, and the Cyber Resilience Act (CRA), address evolving threats like ransomware, supply chain attacks, and AI-driven vulnerabilities. These regulations require organizations to report incidents, implement risk management measures, and enhance product security. These laws help businesses prepare for and mitigate cyber risks more effectively.

The importance of cybersecurity regulation

With cybersecurity threats rising, regulatory measures play a crucial role in protecting sensitive data, ensuring business continuity, and strengthening security frameworks. These regulations build trust, enforce compliance, and safeguard critical infrastructure. The EU can support businesses by providing clear guidance, standardizing regulations across nations, and offering financial or training resources. A centralized compliance resource simplifies regulatory adherence and encourages innovation.

Strengths and weaknesses of current cybersecurity regulations

While the EU’s cybersecurity framework provides strong protections, it also presents challenges. Inconsistent enforcement, lengthy legislative processes, and limited support and alignment for non-EU businesses create compliance difficulties. The primary concern lies in the complexity and overlap of these regulations, which can lead to confusion and increased costs for businesses, especially those not based in the EU. Given the numerous requirements that all companies selling products in the EU must meet, the regulatory framework can strain resources.

Challenges businesses face in implementing EU cybersecurity regulations

Companies struggle to navigate the intricate regulatory environment, which includes multiple directives and regulations such as GDPR and the CRA. Many businesses lack the budget and expertise for compliance. Ensuring supply chain compliance poses another problem, given the need to manage international suppliers unfamiliar with EU standards. Keeping up with evolving requirements adds to the operational burden, making compliance a perpetual obstacle. Despite the comprehensive nature of the EU cybersecurity framework, its effectiveness depends on consistent implementation, and its adaptability to new threats remains a challenge. Consistent enforcement is essential for ensuring the effectiveness of EU cybersecurity policies.

ASUS’s perspective on cybersecurity regulations 

From ASUS’s perspective, EU cybersecurity regulations offer opportunities like enhanced customer trust and market competitiveness, as consumers value data protection and security. However, challenges such as high compliance costs and the need for continuous adaptation to new threats present difficulties. Engaging with EU regulators allows ASUS to help shape practical rules that balance security with innovation, ensuring compliance while maintaining a competitive edge.

Long-term impact of cybersecurity regulations

The EU is developing rules and regulations specifically for AI and IoT, including the AI Act, which classifies AI systems by risk level, and the CRA, which focuses on secure-by-design digital products. Under secure-by-design, security is a core principle integrated throughout a product’s entire lifecycle, from initial conception and design through development, deployment, and maintenance. These risk-based approaches and certifications are likely to align with global standards, but businesses will need to adapt to new compliance demands, potentially affecting product development and market strategies.

For product security, companies should incorporate security into product design, conduct regular risk assessments, and maintain incident response plans. Documentation and transparency are crucial, especially under the CRA, which mandates updates throughout a product’s lifecycle. This ensures products are secure by default, reducing vulnerabilities and meeting EU requirements effectively.

Adapting to the future of cybersecurity regulation

Robust cybersecurity measures and regulations are indispensable. As cyber threats become more sophisticated, the importance of comprehensive regulatory frameworks like those in the EU becomes evident. While the EU's framework offers strong protection, businesses face challenges in compliance. Future AI and IoT regulations will further shape the landscape, demanding ongoing adaptation and collaboration to ensure a secure digital environment. For companies like ASUS, navigating these regulations presents both challenges and opportunities, ultimately contributing to a safer and more secure digital environment.

About ASUS

ASUS is a global technology leader that provides the world’s most innovative and intuitive devices, components, and solutions to deliver incredible experiences that enhance the lives of people everywhere. With its team of 5,000 in-house R&D experts, the company is world-renowned for continuously reimagining today’s technologies. Consistently ranked as one of Fortune’s World’s Most Admired Companies, ASUS is also committed to sustaining an incredible future. The goal is to create a net zero enterprise that helps drive the shift towards a circular economy, with a responsible supply chain creating shared value for every one of us.

https://asus.com