In order to increase the security of software supply chains, a wave of regulation is about to roll over the German economy. In an interview, attorney-at-law Stefan Hessel, Head of Digital Business at Reusch Rechtsanwaltsgesellschaft mbH, talks about the legal implications for SMEs.
Mr Hessel, why is supply chain security becoming increasingly relevant from a legal perspective?
From a legal perspective, we are currently facing an epochal shift in cybersecurity legislation. The EU’s new Cybersecurity Act and related pieces of legislation such as the NIS2 Directive and the Cyber Resilience Act make law the driver of cybersecurity. The previous static legal situation, which tended to focus on highly regulated areas, is being broken up and replaced by comprehensive cybersecurity obligations for large parts of the industry. A key goal of the new regulations is also to increase the security of supply chains. In this respect, a lot of changes will happen.
What is in store for the German industry with the EU’s new Cybersecurity Act?
A major wave of regulation is currently sweeping toward the German economy, bringing many challenges. In practice, it is already a challenge for many companies to clarify whether they are affected by the new legal requirements and which specific requirements have to be met. Even if the high pace of regulation is understandable in view of the current threat situation, in my view there are frictional losses. Some projects at the European level should be better coordinated. Some planned cybersecurity regulations are in danger of being overtaken by new plans from the EU Commission, even before they are implemented. That cannot be the goal. At the same time, companies are faced with the challenge of finding suitable staff to implement the new requirements and to train and develop their employees internally accordingly. It doesn’t happen overnight. Finally, the new Cybersecurity Act will also influence the hurdles for obtaining cyber insurance. Those who do not meet the legal requirements will probably not be able to secure themselves sufficiently.
What advice do you give companies today with regard to the NIS2 Directive and the CRA?
In discussions, I repeatedly find that many companies have not yet grasped the dimension of the legal changes brought about by the NIS2 Directive and the Cyber Resilience Act. It is quite clear that cybersecurity in the company, in the product, and in the supply chain will soon become a tough legal requirement. Instead of getting lost in individual regulations, companies should understand cybersecurity as a fundamental requirement and try to use synergies between individual regulations. It is also important that the areas of data protection, cybersecurity, compliance and law, as well as strategic communication, grow much closer together in companies. What also makes sense is to enter into an open exchange with the responsible supervisory authorities today and to work out the interpretation of the legal requirements on a joint basis. After all, it can’t hurt to get to know the referee and his or her idea of the rules of the game before the game starts.
Mr Hessel, thank you very much for the interview!
Under the title “Cybersecurity in the Supply Chain”, Stefan Hessel from Reusch Rechtsanwaltsgesellschaft mbH will speak about the need for action when drafting contracts at the Competence Group (CG) meeting on 3 May 2023.