From voluntary to mandatory
The law enforces what has long been considered “best practice” but has not always been a reality: systematic risk analyses, documented procedures, incident reporting, and clear division of responsibilities.
It is true that this may be perceived as bureaucratic and inconvenient. But at the same time, it is difficult to see an alternative. In a situation where cyber threats are becoming increasingly sophisticated – from state actors to organized crime – it is no longer enough to hope that voluntary initiatives will carry the day.
Boards held accountable
One of the most controversial parts of the law is the requirement for management accountability. Cybersecurity is now being lifted from the IT department's server room to the boardroom agenda.
This not only puts increased pressure on business leaders, but also presents an opportunity: companies that succeed in integrating cybersecurity into their business strategy can create a long-term competitive advantage. Management teams that choose to view cybersecurity as a costly obligation, on the other hand, will fall behind.
The question thus becomes bigger than legal issues: how can we develop a new form of digital leadership, where security and business development go hand in hand?
The supply chain becomes transparent
Another change is that the requirements no longer stop at the company itself – they cover the entire supply chain. No player can hide behind the fine print in contracts anymore.
This may feel like yet another problem to deal with. But it also presents an opportunity to differentiate yourself. Companies that can demonstrate robustness and transparency throughout the chain will become more attractive to customers, partners, and investors. Cybersecurity is becoming a mark of quality – much like sustainability and ESG already have.
From silence to transparency
Incident reporting is one of the biggest cultural changes. Serious incidents must be reported within 24 hours.
Yes, it can feel scary to expose your weaknesses. But it can also contribute to a shift: from seeing cyber attacks as something shameful to viewing them as part of reality – something we must deal with openly, systematically, and collectively.
We are used to talking about safety culture in the work environment and physical safety. Perhaps it is time to build the same culture in the digital world? A culture where learning, sharing, and openness are central.
Strict sanctions
To ensure that the law has an impact, there are also sanctions: fines of up to 2% of global annual turnover. These are levels that can be significant even for large corporations. This sends a clear signal: cybersecurity is not a technical detail, it is a matter of social function and trust. If organizations do not take it seriously voluntarily, financial incentives will force change.
Conclusion: Cybersecurity as a strategic asset
I choose to see the new Cybersecurity Act as more than just a regulatory burden. It is an opportunity to build a digital society characterized by trust, robustness, innovation, and strategic assets.
But laws can never in themselves create culture or strategic value. It is up to us – boards, management, employees, and partners – to choose whether we see cybersecurity as a necessary expense or as an investment in the future.
👉 Do we dare to see cybersecurity as a strategic opportunity rather than a necessary evil?
👉 Do we dare to place the same demands on ourselves as we do on our partners?
👉 Do we dare to share our mistakes so that everyone can become stronger?
The debate about innovation versus regulatory burden will continue. But one thing is certain: the future of cybersecurity will not be decided in the text of the law – but in how we choose to live it.