Today’s Topics:
- Taiwan NSB Warns of Security Risks from China-Developed Apps
- Understanding the Relationship Between NIS2 and the EU Cyber Resilience Act
- How Can Netizen Help?
Taiwan NSB Warns of Security Risks from China-Developed Apps

Taiwan’s National Security Bureau (NSB) has issued a public warning about the security risks posed by China-developed apps such as RedNote (Xiaohongshu), Weibo, TikTok, WeChat, and Baidu Cloud, citing concerns over excessive data collection and the transfer of personal data to China.
This alert follows a comprehensive inspection of these apps, conducted in collaboration with the Ministry of Justice Investigation Bureau (MJIB) and the Criminal Investigation Bureau (CIB). The NSB identified significant security issues across the apps, including the collection of sensitive personal data such as facial recognition data, clipboard content, contact lists, location data, and more. Additionally, all the apps were found to transmit data back to servers in China, raising concerns about the potential misuse of this information.
According to the NSB’s analysis, RedNote violated all 15 security indicators evaluated, followed by Weibo and TikTok with breaches in 13 categories, and WeChat and Baidu Cloud with violations in 10 and 9 areas, respectively. The warning highlights that companies operating in China are required by law to hand over user data for national security and intelligence purposes, further amplifying the privacy risks for Taiwanese users.
This move follows similar actions in other countries like India, which banned Chinese apps over security concerns, and Canada, which recently ordered TikTok to cease operations. The U.S. has also extended its ban on TikTok, leaving its future uncertain. As global concerns over data privacy grow, the NSB urges the public to exercise caution when using China-made apps, stressing the importance of protecting personal and business data.
Understanding the Relationship Between NIS2 and the EU Cyber Resilience Act

The European Union has introduced two significant regulations aimed at strengthening cybersecurity: the NIS2 Directive and the Cyber Resilience Act (CRA). Both are designed to address vulnerabilities in essential services and digital products within the EU, with an emphasis on secure-by-design principles and comprehensive cybersecurity practices.
The NIS2 Directive, effective from January 2023, mandates that essential service providers in sectors like energy, transport, healthcare, and finance implement strong risk management practices, report incidents promptly, and collaborate across EU member states. This regulation is crucial for maintaining the security and reliability of critical infrastructure, especially as cyber threats continue to evolve. NIS2 requires that organizations designated as “essential” or “important” within the EU ensure robust cybersecurity controls are in place. Member states have until October 2024 to integrate this directive into their national laws, with full compliance required within 21 months.
On the other hand, the Cyber Resilience Act (CRA) focuses on the security of digital products. Effective from December 2024, the CRA mandates that manufacturers incorporate cybersecurity features into their products before they can be marketed within the EU. This “secure-by-design” approach ensures that digital products, whether hardware or software, undergo rigorous security assessments, are regularly updated throughout their lifecycle, and meet established EU cybersecurity standards. The CRA applies to all products with digital components, aiming to reduce vulnerabilities and safeguard users from potential cyber threats.
While NIS2 focuses on securing essential services, the CRA addresses the security of products entering the EU market. These two regulations complement each other and aim to establish a consistent and strong cybersecurity framework across the EU. However, organizations must navigate the distinct requirements of each regulation to ensure full compliance.
For many companies, aligning with both NIS2 and CRA requirements may appear daunting, but the regulations share common principles with existing frameworks like NIST CSF and ISO 27001. Companies with mature security practices will likely find that enhancing their existing frameworks will enable them to meet EU-specific requirements more efficiently. For smaller enterprises, particularly those in the product development space, the transition may involve substantial investments in technology, training, and new processes to meet these security standards.
How Can Netizen Help?
Netizen ensures that security gets built in, not bolted on, by providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
