What do software subscriptions have to do with NIS2 or the Cyber Resilience Act?
To avoid any misunderstandings: this is not an article that presumes to explain the aforementioned regulations – more than enough people are already trying to do that. This is about subscription services and the reasons why there will soon be no way around them. But why? What has changed since the days when Windows 2.0 was bought once, used for decades and then put on the first PC of the next generation?
The greed of the manufacturers?
It was a long time ago that the necessary software for computers was still supplied on floppy disks (remember those?) or CDs. Even back then, a series of updates was usually necessary before the system could be put into operation, because all kinds of fixes were released much more frequently than physical media could be produced and distributed to retailers. Even back then, customers sometimes complained about what felt like hours of updates before they could finally get started with the new programme. Improved software distribution options solved this problem to some extent, but new major versions were often only available for a fee, and so there was still the occasional uproar from consumers about the so-called forced update.
Subscription services have long since become a common business model. Apple has been demonstrating this to consumers for many years: ‘The Apple bundle for you and your family.’ It works in a similar way for streaming services. Other industries have been much more timid. In the automotive sector, for example, experiments with functions on demand only began in the early 2020s. At the time, BMW attracted a lot of – not only welcome – attention with its subscription for heated seats (2022, for 17 euros a month), whereas Tesla had already been a pioneer earlier and offered an acceleration boost via in-app purchase – for an additional 1800 euros, 0 to 100 km/h in 4.4 instead of 5 seconds! In this way, the manufacturer can install functions as standard that the consumer can only use after a corresponding additional payment.
What was initially unfamiliar and sometimes viewed critically as a rip-off actually has its advantages, and not just for the manufacturer. For example, the customer does not have to worry too much about optional extras when buying the car, just as with modular software. Features required at a later date can be added if necessary. The younger generation of consumers has long been using subscriptions as a matter of course, and this triumphant advance is continuing with even greater momentum in the corporate environment. Here, the aim is often to outsource as much non-core work as possible – and in addition to software and computing services, this increasingly involves security and liability issues.
The digital transformation of crime
What is happening in cybercrime today could be called the other side of the digital coin. How euphoric we were in the late 90s: no more phone books, no more thick folders with lots of paper, fast and increasingly limitless communication with colleagues, friends and family. Working wherever you want, and wirelessly if possible – that’s how we imagined the brave new world.
And today? By and large, this has all come to pass, but the cyber criminals have benefited at least as much as the average consumer. Exploits are the malicious attack codes that criminals use as a tool to take advantage of vulnerabilities in operating systems, apps and browsers. Anyone who is familiar with them knows that such exploits circulate freely on the darknet, including as complete kits, as a service and for little money.
Depending on the distribution of the affected software, the attack surface and damage potential are considerable, with the attackers’ aims covering the entire spectrum from spam to data or identity theft, ransomware attacks, espionage, fraud and blackmail. In 2022, for example, Microsoft recorded around 24 trillion threats per day in its systems worldwide, and the German BSI (Federal Office for Information Security) registered an increase of around 25% compared to the previous year, with around 70 new vulnerabilities in software products every day. And it gets worse: the potential damaging effect of the vulnerabilities is also clearly on the rise.
The politicisation of entrepreneurial diligence
Sooner or later, this development had to bring legislation onto the scene. There are now definitions of cybercrime offences under criminal law, teams of investigators specialising in cybercrime, competence centres, reporting offices and regular reports. Public relations work to educate the public is just as much a part of this as the involvement of providers of digital services or products.
And who should be liable for these risks? After all, your insurance company also requires you to lock your car to prevent theft. In cyber security, this is regulated by EU directives such as NIS (Network and Information Security, 2016) and its successor NIS-2 (2022). They apply to companies above a certain size that provide essential or important services, and they are constantly being expanded and improved.
The CRA (Cyber Resilience Act, 2023) imposes obligations on manufacturers of digital products, including all SMEs. Given the actual goal of better withstanding the general threat situation in the economy and society, it is only logical that as many players as possible, including users, work together on this. Complaints about regulatory frenzy will not protect us from cyber criminals, and even the strictest due diligence on the part of manufacturers will come to nothing as long as we do not all consistently use trustworthy, continuously maintained software and update it regularly.
Accordingly, manufacturers must maintain teams of experts for the long-term maintenance and support of their products: employees for whom they also assume social responsibility and are obliged to provide care and protection. One-off payments that include the cost of these resources are almost impossible to calculate. They would either have to be very high, or the updates would have to be priced separately. Users would have to shoulder this expense: who wants to become a victim of hackers and be liable for damage caused to third parties because of neglected corporate due diligence?
A subscription solves this problem much more elegantly, especially in conjunction with modular software. The pricing can be set up in such a way that it covers no more, but also no less, than the required expenditure.
This ultimately benefits everyone: the manufacturer can fulfil its duty of care and maintain its product properly. The employed software developer can further develop their expertise thanks to a secure and meaningful job. Customers and users can count on receiving prompt fixes for any security vulnerabilities that arise. In addition, subscriptions for complex software products often offer not only continuously updated security but also all available improvements and innovations.
For two decades, it has been part of IACBOX’s corporate philosophy to provide all users with the latest product with all enhancements and new features. The subscription model ensures that this service can be maintained in the future and in compliance with all new guidelines.
Are you an entrepreneur looking for a solution to these requirements? Or are you a service provider and advise companies on wireless or wired network solutions?
Let's start a project together