Software Compliance with EU Cyber Resilience Act

Recent cyberattacks targeting check-in and baggage systems at European airports have highlighted the urgent need for compliance with the EU’s Network and Information Security Directive 2 (NIS2) and the forthcoming Cyber Resilience Act (CRA). These regulations significantly expand the responsibilities of companies to secure their systems and ensure operational resilience in the face of cyber threats.

Under NIS2, telecom networks are now officially designated as critical infrastructure. Meanwhile, the CRA introduces strict requirements for monetized open-source software, mandating that it be secure by design, with effective vulnerability management and timely updates throughout its lifecycle.

A crucial component of these regulations—though not yet fully enacted in some member states such as France, Germany, and Ireland—is the shift in liability. Enterprises will no longer be able to shift blame to smaller third-party vendors in the event of a security breach. This marks a significant change: major organizations will be expected to enforce high security standards across their entire supply chain, and only vendors and partners that demonstrate full compliance will be considered.

The potential consequences for non-compliance are substantial: companies may face fines of up to €10 million or 2% of their global annual turnover, whichever is higher.

This issue has been brought into sharp focus by the recent cyberattack on vMUSE, the airport check-in and boarding software developed by Collins Aerospace. Under the proposed Cyber Resilience Act, organizations that use such software will be required to ensure ongoing compliance with cybersecurity requirements—not just at the point of delivery, but continuously throughout its operational use. In this scenario, responsibility and liability would fall to airport management once the Act is transposed into national legislation.

As we mark Cybersecurity Awareness Month, this serves as a powerful reminder: cybersecurity is not a one-time checkbox exercise. Both vendors and enterprises must uphold rigorous standards throughout the entire software lifecycle.

Enea’s software and solutions are telco grade and deployed in over 100 countries worldwide. https://www.enea.com/business/service-providers-csp/

References:

Cyber Resilience Act @ Link

NIS2: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive

Collins Aerospace Cyber Attack: https://en.wikipedia.org/wiki/Collins_Aerospace_cyberattack