The Paradigm Shift in Patching Regulation – Upcoming EU Rules for Cybersecurity Patching (B22c)
Ten years ago, patching was addressed only through international standards frameworks such as ISO; under the vulnerability management requirements of the upcoming NIS2 Directive and the Cyber Resilience Act (CRA) it is becoming a legal obligation. Organisations are not only required to apply patches but also to establish top-down patching processes at every level of the organisation. The path towards this obligation, including the parallel requirements in the Digital Operational Resilience Act (DORA), shows how the EU's approach to regulating patching has evolved, but also reveals fragmentation between the different legislative acts.