Picture this: you buy a baby monitor. It connects to your phone, streams video, works as advertised. Months later, you discover the feed has been accessed by someone else, and your sensitive data is compromised. What does a baby monitor have to do with cyber risk? Quite a lot.
From baby monitors to smart watches, apps, and enterprise software, connected products are now part of everyday life. What remains less visible – and often misunderstood – is the security risk these products can carry if they are poorly designed or rarely updated.
This is the gap the EU’s Cyber Resilience Act (CRA), with encompassing security standards, is meant to close. The challenge is timing. Cybersecurity moves fast; many businesses need to understand not only how these rules will apply in practice, but also whether regulation can keep pace with technological change.
This reality was at the heart of a recent conference convened by Comply.Land at the European Parliament yesterday, where policymakers, industry leaders, standards bodies, and cybersecurity experts met to explore how businesses can navigate the evolving regulatory landscape.
Cybersecurity as responsibility, not bureaucracy
Opening the conference, Maltese MEP Peter Agius reframed cybersecurity regulation as a matter of leadership and accountability rather than administrative burden.
“The end goal is the protection of consumers – that’s where we start,” he said.
“Europe has led before in sectors like telecoms, pharmaceuticals, and automotive. We are in a transition, but we must approach the future with responsibility and opportunity, not fear.”
Mr Agius emphasised the importance of ongoing dialogue between legislators, businesses, and technical experts, committing to keep channels open as cyber resilience legislation continues to evolve.

Compliance is no longer a one-off exercise
In his keynote, Daniel Thompson-Yvetot, CEO of CrabNebula and co-founder of Comply.Land, warned against viewing the Cyber Resilience Act (CRA) as a box-ticking exercise.
“Cyber resilience doesn’t mean checkmarks only. It means keeping those boxes checked,” he said, likening compliance to “a long walk on the beach – appealing at first, but demanding constant attention if you don’t want to get burned.”
He highlighted the growing complexity of Europe’s regulatory landscape – spanning the CRA, the AI Act, revised product liability rules, and digital identity frameworks – and cautioned that SMEs and open-source developers risk being overwhelmed without clearer guidance and practical tools.
“This is why dialogue matters,” he said. “From engineers to regulators, we can only solve this together.”
Compliance as a competitive advantage
Amy Mallia, Co-founder and COO of AMS Consultants, brought the discussion back to product reality – and risk.
“When I see a sticker with ‘admin/admin’ or ‘password 12345’, I see a design failure. You cannot impose cybersecurity responsibility on the user anymore,” she said, because users shouldn’t face the burden of compliance.
Ms Mallia argued that as connected products increasingly interact with physical and industrial environments, security failures become safety failures.
“We have to ask not only if a product works, but how it fails. These rules aren’t here to stop innovation, they’re here to make it stronger,” she said.
“Cyber resilience should be treated as a design philosophy, not a paperwork exercise.”
Europe as a global standards leader
Representing ETSI, the European Telecommunications Standards Institute, Chief Policy Officer Martin Chatel pushed back against the idea that Europe is over-regulating.
“We don’t need standards just because they are standards,” he said. “We need standards because they meet real market needs – and because they are actually used.”
Mr Chatel highlighted Europe’s growing influence in global digital standards, from IoT security and digital identity to mobile communications and quantum technologies – with European frameworks increasingly shaping approaches in markets such as Japan, Korea, and India.
“Europe already has trusted digital standards,” he said. “The challenge is to leverage them properly.”
Liability, trust, and the new default
Closing the keynote sessions, Molly Butler, Legal and Policy Analyst at CrabNebula, positioned EU digital regulation as a coherent system rather than isolated laws.
“The Cyber Resilience Act is the shield – preventing harm before it reaches consumers,” she explained.
“The revised Product Liability Directive is the sword, ensuring accountability when things go wrong. Secure-by-design is no longer going above and beyond. It is the default.”
For European and indeed Maltese businesses, one thing is clear: cybersecurity has moved decisively out of the IT department and into the boardroom.