First GDPR. Now A New EU Cyber Regulation

May 25th is GDPR’s deadline, but May 9, 2018 was the deadline for the new Network and Information Security (NIS) Directive to be transposed into EU member states’ national legislation. 
 
This new regulation is aimed at creating a base level of security for organisations that are operating essential services within the EU. 
 
The primary sectors covered by this regulation are:
 
  • energy providers,
  • transport, banking,
  • financial services infrastructure,
  • health, water and digital infrastructure providers. 
Organisations in this scope are termed “operators of essential services” and must implement the provisions of the directive to form the required base level of security for those services.
 
This EU directive was passed on July 6, 2016, and member states were given 21 months to transpose the directive into their national legislation, which is due today.  While much of the preparation over the past two years was concerned with the building of capabilities at a member-state level, it is only now that the directive is going to start impacting your company directly.
 
You will start to find out over the next six months whether you are in scope of the directive (by November 9, 2018 at the latest).  Here are some of the key ways in which you will be impacted:
 
• Financial penalties for breaches of the directive. There are penalties for breaches impacting essential services. The UK’s £17 million maximum penalty has already made headlines for its size and scale. The size of the fine is not consistent across the EU, as each member state determines the maximum level of fine it will levy.
• Mandatory security breach notification. Organisations will need to notify their designated competent authority of any breach that impacts the services they operate, not just those impacting personal data. Timeframes have not been specified, but some are suggesting mirroring the GDPR 72-hour breach notification requirement.
• Some of your breach data will be shared to help inform others. The breach data received by operators may be distributed to other EU member states through threat intelligence sharing channels. This sharing of information to help other, similar operators is a new and potentially interesting expansion that could take cross-EU cyber cooperation up a level.
• You may need to adjust or implement new security controls. The directive calls for a base level of security controls to be implemented, dependent on the assessment of the key risks facing an organization’s services.
• You will need to take steps to manage your supply chain. While not directly in the scope of the NIS Directive, operators of essential services are expected to assure themselves that their supply chain abides by the same standards that they do.
• Digital service providers are particularly impacted. 
 
For the first time, there is an explicit recognition in cyber regulation that many companies and citizens are highly reliant on cloud computing services and digital search facilities. 
This obliges some of the largest American-based organisations providing software-as-a-service (SaaS) to comply with the NIS Directive.
 
Here are 3 important points:
 
1. As NIS is a directive rather than a regulation, it is up to member states to determine how they apply it. This means that different EU member states will have different implementations of required security controls. If your organisation operates in multiple jurisdictions, you will need to manage a complex set of potentially competing requirements for demonstrating NIS compliance.
 
2. For fines involving personal data, the GDPR will also apply. A significant concern for your organisation would be whether so-called NIS Directive/GDPR “double jeopardy” is an issue. 
While it is expected that both the applicable NIS competent authority and the relevant GDPR data protection regulator would both wish to investigate, I believe that in these cases one regulator should be designated as the primary authority for the purposes of levying a penalty to ensure that the organisation is not punished twice for the same breach.
 
3. Finally, while it allows maximum choice to member states, the ability of each to either select a single centralised authority or adopt a sectoral approach involving multiple regulators will only create confusion for organisations with operations in multiple jurisdictions as to how and whom they report to in which country. 
 
A centralised approach to management of competent authorities would have been a simpler approach.
 
Information- Management:            
 
You Might Also Read: 
 
10 Things About The Network and Information Security Directive (NIS):
 
European Privacy Directive: Encryption Without Backdoors:
 
 
 
« Real-Time AI Gets Close To A Brainwave
Seminar: Next Steps For Cyber Security In The UK »

Directory of Suppliers

Darktrace

Darktrace

Darktrace’s Enterprise Immune System is capable of detecting and responding to emerging cyber-threats, from within the network.

Compagnie Européenne d'Intelligence Stratégique (CEIS)

Compagnie Européenne d'Intelligence Stratégique (CEIS)

CEIS is a strategic consulting firm specialising in defence & security, energy, finance, cybersecurity, digital transformation and emerging markets.

Mako Group

Mako Group

The Mako Group specializes in protection - providing security through auditing, testing, and assessments. And, we do it all with the highest quality standards possible.

Aspera

Aspera

Aspera is a pioneer in the enablement of high-speed, data-intensive workflows with it's FASP secure high-speed file transfer technology.

StorageCraft

StorageCraft

StorageCraft provides best-in-class backup, disaster recovery, system migration and data protection solutions for virtual and physical environments.

SWAMP

SWAMP

SWAMP offers a suite of secure and dependable analysis services, to help reduce the number of security vulnerabilities deployed in software.

Green Hills Software

Green Hills Software

Green Hills Software is the largest independent vendor of embedded secure software solutions for applications including the Internet of Things.

Leidos Cyber

Leidos Cyber

Leidos Cyber Inc. is a leading provider of cyber security products and services.

CERT.RO

CERT.RO

CERT.RO is the national Computer Emergency Response Team of Romania

CONCERT

CONCERT

CONCERT is a Computer Emergency Response Team and cyber security information sharing network for companies, institutes and government in Korea.

Visa

Visa

Visa is a global payments technology company that connects consumers, businesses and banks in more than 200 countries and territories worldwide.

Thomas Miller Specialty

Thomas Miller Specialty

Thomas Miller Specialty is a commercial Managing General Agency providing specialty risks insurance including Cyber & e-crime insurance.

SafeBreach

SafeBreach

SafeBreach's platform simulates hacker breach methods across the entire kill chain to identify breach scenarios in your environment before an attacker does.

Medigate

Medigate

Medigate is a dedicated medical device security platform protecting all of the connected medical devices on health care provider networks.

TrainACE

TrainACE

TrainACE, is a professional computer training school offering courses in information technology with a focus on Advanced Security training.