In the dynamic business landscape, regulatory legislation changes are constant. These alterations in laws often feel like an unrelenting force impacting senior leadership, compelling them to reassess and adjust existing programs, policies and procedures.
While these changes are often overwhelming, they also offer a valuable opportunity for organizations to elevate and refine their operations, positioning themselves for long-term success in an increasingly intricate world.
This is perhaps most evident in Europe, where new regulations have emerged, reshaping how businesses function and interact with the world. Examples include the German Supply Chain Act, the EU Whistleblower Protection Directive, the NIS2 Directive, and the Corporate Sustainability Due Diligence Directive (CSDDD), all contributing to the regulatory transformation sweeping across the continent.
This article, based on the 2023 NAVEX Next session, “Key Regulatory Risks for Business to Navigate in 2024,” delves into the significance of maintaining compliance with global legal regulations and explores the current and future landscape of supply chain due diligence, cybersecurity threats, risks and third-party management, as well as upcoming anti-corruption laws and regulations.
EU supply chain due diligence
Companies conduct supply chain due diligence by researching and investigating potential suppliers to identify any risks associated with those businesses – ranging from legislative and governance issues to ethical and environmental concerns, and more.
The European Union (EU) is a global leader in advancing supply chain due diligence, signaling a wave of changes and new regulations anticipated in 2024. Human trafficking and modern slavery are expected to be pivotal areas of focus in these initiatives.
Additionally, sanctions enforcement is transforming, recently described as the “new FCPA” by senior U.S. Department of Justice officials. This includes the use of deferred prosecution agreements, higher penalties, individual prosecutions, the appointment of corporate monitors, and elevated expectations for navigating complex regulatory landscapes. The evolving landscape underscores a commitment to addressing ethical concerns and promoting responsible business practices within the EU’s supply chains.
Cybersecurity threats: an evolving set of risks
In today’s cybersecurity landscape, organizations face an array of formidable threats. Ransomware remains a primary menace: attackers gain initial access through phishing campaigns and unpatched vulnerabilities, then encrypt data (and increasingly exfiltrate it) to extort payment. Cloud security is another critical concern, as the growing reliance on cloud services widens the attack surface through misconfigured storage, over-privileged accounts and stolen credentials, leaving businesses susceptible to data breaches. The persistent threat of phishing and malware also remains, posing risks to both individuals and corporations.
Distributed denial-of-service (DDoS) attacks have also evolved: botnets built from compromised Internet of Things (IoT) devices now generate enough traffic to disrupt high-profile services, as witnessed with platforms like X (formerly known as Twitter) and Airbnb, and with Android devices. While point-of-sale attacks have decreased thanks to EMV chip technology, encrypted near-field communication (NFC) payments and third-party payment processors, cybercriminals now focus on infiltrating corporate databases, where financial and personal data are concentrated. As the digital landscape evolves, a proactive, multi-layered approach to cybersecurity is essential to mitigate these dynamic threats.
Cybersecurity laws vary among U.S. states and between countries, with a growing global trend toward standards modeled on the European Union’s General Data Protection Regulation (GDPR). The GDPR requires that a personal data breach be notified to the supervisory authority within 72 hours of the organization becoming aware of it, where feasible, and that every breach be documented; it also defines “breach” broadly, covering unauthorized access, disclosure, alteration, loss or destruction of personal data, not only outright theft. Third-party cyber risk deserves particular emphasis: due diligence screenings should cover supply chain vulnerabilities, as the well-known Target breach demonstrated when attackers entered the retailer’s network using credentials stolen from a third-party HVAC contractor.
Common obstacles to implementing proper cybersecurity measures include a shortage of qualified staff, inadequate budgets and the lack of automated tooling for managing third parties. A practical starting point is to risk-rank third parties by the level of access they have to critical systems and data, so that limited resources are concentrated on the vendors whose compromise would cause the most damage.
In addition, as artificial intelligence (AI) evolves, so do its associated risks, prompting regulatory responses. The EU AI Act marks a significant milestone as the first comprehensive regulation of artificial intelligence in the European Union. In light of this, organizations need to prioritize legal and compliance measures: establishing a robust information governance framework, classifying data carefully, implementing comprehensive training and awareness programs, and coordinating closely with the IT department. These proactive steps aim to address the complex challenges of AI technologies and align with regulatory requirements, fostering responsible and secure AI development and deployment.
Anti-Corruption
On May 3, 2023, the European Commission (EC) proposed an anti-corruption package, announcing that it would step up its action by introducing new rules to fight corruption across the EU and worldwide. The EC wants to build on measures already in place, integrate crime prevention into the design of EU policies and programs, and actively support Member States’ efforts to implement solid anti-corruption policies and legislation.
The proposed measures include:
- More robust rules to fight corruption across the EU
- Setting up an EU network against corruption and developing the first EU anti-corruption strategy
- A new framework of Common Foreign and Security Policy (CFSP) sanctions targeting corruption
Companies are urged to prepare for these changes proactively by adapting their corporate compliance programs, aligning compensation structures with compliance, and maintaining robust consequence management systems.
Furthermore, another EU-wide instrument relevant to anti-corruption is the EU Whistleblower Protection Directive, adopted in 2019 with a transposition deadline for Member States of December 2021. Its primary objective is to strengthen protection across EU nations for individuals who report violations of EU law or unethical workplace misconduct. Those who make reports must now have accessible reporting channels and be shielded from retaliation, among other requirements set out in the Directive.