A changing of the guard in San Francisco
The RSA Conference in San Francisco has long served as a global nexus for the cybersecurity community, a place where industry titans, practitioners, and government leaders converge to define the future of digital defense. For years, the main stage has been a reliable platform for senior US officials to articulate national strategy and rally public-private partnerships. But RSAC 2024 felt different. While the Moscone Center was as crowded as ever, there was a conspicuous void on the keynote stage. High-profile US government leaders were largely absent from public view, ceding the spotlight to their European counterparts, who arrived with a clear and assertive message: the European Union is ready to set the global cybersecurity agenda.
This was not a subtle shift. Thierry Breton, the EU Commissioner for the Internal Market, delivered a powerful keynote address, positioning Europe as a leader in digital regulation. He was joined by Juhan Lepassaar, Executive Director of the EU Agency for Cybersecurity (ENISA), who also featured prominently. In stark contrast, familiar faces like CISA Director Jen Easterly and National Cyber Director Harry Coker, who were major figures in previous years, were not on the major speaking circuits. This change did not go unnoticed by attendees, sparking conversations about a potential realignment in global cybersecurity influence.
The technical foundation of the EU’s regulatory push
The EU’s newfound prominence is not accidental; it is the culmination of a multi-year effort to build a comprehensive, legally-binding digital rulebook. Unlike the US approach, which has often relied on voluntary frameworks and sector-specific mandates, the EU has gone all-in on broad, horizontal legislation. This regulatory architecture has deep technical implications for any organization that develops or sells digital products.
At the center of this push is the Cyber Resilience Act (CRA). As Breton highlighted in his address, the CRA aims to enforce security by design and by default across the board. The act will require manufacturers of hardware and software—from smart toasters to industrial control systems—to meet a baseline of cybersecurity requirements throughout their product’s lifecycle. This includes conducting risk assessments, providing security updates for a reasonable period, and transparently reporting actively exploited vulnerabilities. For developers, this means the end of treating security as an afterthought. Secure Software Development Lifecycles (SSDLC) will become a legal necessity, not just a best practice.
Complementing the CRA is the NIS2 Directive, which significantly broadens the scope of entities deemed critical to the economy and society. It imposes stricter security measures, risk management obligations, and tight incident reporting timelines—requiring initial notification to authorities within 24 hours of becoming aware of a significant incident. This forces organizations to maintain a high degree of operational readiness and sophisticated monitoring capabilities.
Further extending the EU’s reach is the AI Act, the world’s first comprehensive law on artificial intelligence. While its focus is broad, it contains specific provisions for the security and resilience of high-risk AI systems, demanding accuracy, oversight, and protection against manipulation. Together, these regulations create a powerful, interlocking framework that makes the EU a de facto global standard-setter by leveraging access to its massive single market.
Impact assessment: A ripple effect across the globe
The implications of this shift extend far beyond the conference halls of San Francisco. The most immediate impact is on global technology companies, many of which are headquartered in the United States. They now face the challenge of aligning their product development, vulnerability management, and incident response processes with stringent EU laws. Failure to comply will not just be a competitive disadvantage; it will be a barrier to market entry.
The perceived leadership vacuum from the US side also affects international diplomacy. Cybersecurity is a team sport, requiring close collaboration between allied nations to counter shared adversaries. When one of the key players is less visible at the premier global forum, it can slow the momentum for harmonizing international standards and joint initiatives. While collaboration undoubtedly continues behind the scenes, public diplomacy is a powerful tool for projecting influence and building consensus. The EU has seized this opportunity, using the RSAC platform to evangelize its model of digital governance.
This could ultimately diminish US soft power in the digital domain. For decades, US innovation and market leadership have driven global technology standards. Now, the EU is demonstrating that regulatory power can be just as influential. If the world’s companies are re-engineering their products to meet EU law, the EU’s vision for privacy protection and security effectively becomes the global baseline.
How to prepare your organization
The developments at RSAC 2024 are a clear signal that organizations can no longer afford to treat EU regulations as a regional compliance issue. The bloc's rules are setting a global high-water mark for cybersecurity. Businesses should take immediate steps to prepare for this new reality.
- Perform a regulatory gap analysis: Proactively assess your products, services, and internal processes against the requirements of the Cyber Resilience Act and NIS2. Identify where your current security measures fall short and develop a roadmap to bridge the gap. Do not wait for the enforcement deadlines to arrive.
- Embed security into development: The “security by design” principle is the core of the CRA. Organizations must invest in maturing their Secure Software Development Lifecycle (SSDLC). This includes threat modeling in the design phase, using code scanning tools, and creating robust vulnerability management and patching processes for the entire product lifecycle.
- Re-evaluate supply chain and third-party risk: The CRA and NIS2 both place a heavy emphasis on supply chain security. You are responsible for the security of the components you use. This requires a complete software bill of materials (SBOM) for your products and a rigorous vetting process for your suppliers to ensure they meet the same high security standards.
- Appoint global policy watchers: The regulatory environment is dynamic. Designate individuals or teams within your governance, risk, and compliance (GRC) or legal departments to actively monitor the implementation of these EU laws and track corresponding policy developments in the US and other key markets.
The message from RSAC 2024 is clear: a new chapter in global cybersecurity governance is being written, and the authors are sitting in Brussels. While the US remains a powerhouse of technological innovation and threat intelligence, the EU is leveraging its regulatory might to shape the digital world. For businesses everywhere, adapting to this EU-led framework is no longer optional; it is essential for survival and success in the global market.