The EU, UK Digital Compliance Guide for Mobile Apps in 2023

An overwhelming 86% of people say they’re either very or somewhat concerned about the misuse of their personal data by businesses, while 58% of adults are more worried than ever about becoming a victim of cybercrime.

Having that in mind, as well as the ever-evolving digital landscape, governments are increasingly implementing and updating legislation to protect users’ data and privacy.

The European Union and the UK have been especially strict with these laws. Remember when the GDPR was first announced? It was a state of frenzy in the business world!

That being said, I’m sure we can now agree that this was actually a great step forward. Users have become safer, while companies have improved their services. And with smart implementations, this didn’t even have to mean any revenue losses.

So, what’s new in this world?

Last year, the EU introduced the EU NIS2 Directive, and the UK introduced the UK Cybersecurity and the Product Security and Telecommunications Infrastructure Act 2022. We’ll be focusing on these two in this article and cover what they entail and what mobile app developers can do to ensure compliance and protect their users.

Enhancing cybersecurity to stay compliant with the EU NIS2 Directive

In late 2022, the EU introduced the NIS2 Directive, which replaced the existing NIS1 Directive.

NIS2 imposes stricter cybersecurity requirements on more organizations and introduces tougher enforcement measures. It sets a baseline for cybersecurity risk management measures and reporting obligations across covered sectors, including energy, transport, manufacturing, postal and courier services, healthcare, and digital infrastructure.

Of course, this also includes aspects of cybersecurity risk management requirements such as authentication. NIS2 requires organizations to implement multi-factor authentication and strong passwords to prevent unauthorized access and protect against cyber threats. Moreover, organizations must ensure the secure and reliable management of digital identities and access rights, including the use of appropriate access controls.

So — multi-factor authentication and zero trust, we meet again, you may say. And you’d be right, but the fact of the matter is that they simply work.

Now, while the majority of organizations understand this, what frequently gets lost in the story is the importance of mobile devices in the context of cybersecurity infrastructure, even though employees increasingly use them to access business services.

As such, it’s imperative that any cybersecurity infrastructure also includes ways of managing the mobile identities of an organization’s employees. More on that later in the text!

Ensuring IoT and telecommunications security through the UK Cybersecurity and the Product Security and Telecommunications Infrastructure Act 2022

In the UK, we have the UK Cybersecurity and Product Security and Telecommunications Infrastructure Act 2022, which aims to enhance the security and resilience of the UK’s telecommunications infrastructure, as well as the security of IoT devices.

It imposes a set of cybersecurity requirements on mobile network operators to improve their security and protect against cyber threats. It also introduces a new regulatory regime to ensure that IoT devices sold in the UK meet certain minimum security standards, including requirements around password security, software updates, and vulnerability reporting.

While the Act does not specifically mention authentication or mobile identity, it does require the Secretary of State to create regulations that establish requirements for the security of telecommunications services and networks, including measures for verifying the identity of users and devices.

It’s highly likely that these regulations will touch on aspects of authentication and mobile identity, and if that happens, it’s even more likely that these will include, again, multi-factor authentication and a zero trust environment.

So, what should I do to stay compliant with this one — or both of these?

On staying compliant with legislation — and future-proofing said compliance

You’ve probably guessed it already, but I’ll reiterate. The best way to ensure compliance (as well as future-proof your cybersecurity system, but more on this later) is to implement multi-factor authentication in a zero trust environment.

Buzzwords until recently, these two concepts are finally seeing wider implementation, making them one of the biggest cybersecurity trends of 2023.

Multi-factor authentication (MFA) adds at least one extra layer of security to the authentication process by requiring users to provide more than one piece of evidence to confirm their identity. This makes it harder for attackers to gain unauthorized access to a user’s accounts or devices, as they would need to obtain multiple pieces of information rather than just a single password. According to Microsoft, MFA has a 99.9% success rate in preventing cyberattacks.

On the other hand, the Zero Trust security approach assumes that all users and devices, both within and outside of a company’s network, could pose a potential threat. As a result, every access request is treated with suspicion and subject to stringent identity verification and device security measures before access is granted.

It is worth noting that these two concepts do not conflict with each other. In fact, they can work in tandem to create a robust and effective cybersecurity system.
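To make the two concepts above concrete, here is an added example (written for this article, not code from the original post or from any product it mentions) of an access check that treats every request with suspicion: a knowledge factor, a possession factor (a time-based one-time code as specified in RFC 6238, used here as one illustrative second factor), and a device posture check all have to pass before access is granted. The account and device records are constructed sample data, and the one-time-code secret is the RFC 6238 test-vector seed rather than a real credential.

```python
"""Added example: a zero-trust style access check combining two
authentication factors with a device posture check. Illustrative code
written for this article; user and device records below are constructed
sample data, not real credentials."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field

TOTP_STEP = 30      # seconds per TOTP window (RFC 6238 default)
TOTP_DIGITS = 6
TOTP_DRIFT = 1      # tolerate one step of clock skew either way


@dataclass
class Device:
    device_id: str
    managed: bool       # enrolled in mobile device management
    os_patched: bool    # running a supported, patched OS build


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    last_totp_counter: int = -1   # replay guard: highest counter already accepted
    devices: dict = field(default_factory=dict)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(user: User, code: str, at: int) -> bool:
    """Accept a code within +/- TOTP_DRIFT steps, but never one at or below a
    counter that has already been used, so an intercepted code cannot be replayed."""
    current = at // TOTP_STEP
    for counter in range(current - TOTP_DRIFT, current + TOTP_DRIFT + 1):
        if counter <= user.last_totp_counter:
            continue
        if hmac.compare_digest(hotp(user.totp_secret, counter), code):
            user.last_totp_counter = counter
            return True
    return False


def authorize(user: User, password: str, code: str, device_id: str, at: int) -> tuple:
    """Zero trust: the request passes only if both factors AND device posture hold.
    The reason string is meant for server-side logging; user-facing errors should stay generic."""
    # Factor 1: something the user knows. Constant-time compare of the derived hash.
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return False, "password rejected"
    # Factor 2: something the user has (the device holding the TOTP secret).
    if not verify_totp(user, code, at):
        return False, "second factor rejected"
    # Device posture: even valid credentials from an unknown or non-compliant device are denied.
    device = user.devices.get(device_id)
    if device is None:
        return False, "unknown device"
    if not (device.managed and device.os_patched):
        return False, "device posture failed"
    return True, "granted"


def demo_user() -> User:
    """Constructed sample account; the TOTP secret is the RFC 6238 test-vector seed."""
    salt = b"constructed-salt-not-random"  # a real deployment draws this from os.urandom()
    user = User("alice", salt, hash_password("correct horse battery staple", salt),
                b"12345678901234567890")
    user.devices["phone-1"] = Device("phone-1", managed=True, os_patched=True)
    user.devices["tablet-2"] = Device("tablet-2", managed=False, os_patched=True)
    return user


if __name__ == "__main__":
    u = demo_user()
    now = int(time.time())
    print(authorize(u, "correct horse battery staple", totp(u.totp_secret, now), "phone-1", now))
```

Two details carry the security weight: `verify_totp` records the highest counter it has accepted and refuses anything at or below it, so a code captured in transit is useless once the legitimate user has logged in; and `authorize` denies a request from an unmanaged or unpatched device even when both factors are correct, which is the "treat every request with suspicion" part of zero trust rather than a property of MFA alone.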

However, it’s important that you really think your system through instead of implementing MFA just for the sake of MFA.

As an example, an SMS OTP second factor may actually introduce additional vulnerabilities, and much better options exist. You could instead implement a phishing-resistant solution such as IPification or biometrics.

As phishing attacks continue to rise, this should be one of the main criteria that you use to determine the options to opt for, along with data privacy and user experience. After all, security, user experience and data privacy are the three main pillars that support your cybersecurity strategy and help you stay compliant with the legislation.

Implementing these two strategies may seem like a huge investment, but it will more than pay off in the long run. To start with, you’ll be protecting yourself from the costs incurred by cyberattacks. By emphasizing your cybersecurity, you could increase user trust and thus your revenue. Finally, you’d also be future-proofing your cybersecurity strategy and your compliance.

Remember that MFA and zero trust are both concepts rather than particular products, so when an authentication solution becomes obsolete, or you are required to integrate a new one, or you are required to add an additional verification step, you will be able to do it with ease and without overturning everything you’ve got.

That being said, the exact implementation of the system in each app will differ based on the specific use case.

But we can help with this — as well as any other preparations for 2023 from this list. Contact us and schedule a free consultation with our cybersecurity experts. Let’s sort this out together!