First GDPR. Now A New EU Cyber Regulation

May 25th is GDPR’s deadline, but May 9, 2018 was the deadline for the new Network and Information Security (NIS) Directive to be transposed into EU member states’ national legislation. 
 
This new regulation is aimed at creating a base level of security for organisations that are operating essential services within the EU. 
 
The primary sectors covered by this regulation are:
 
  • energy providers,
  • transport, banking,
  • financial services infrastructure,
  • health, water and digital infrastructure providers. 
Organisations in this scope are termed “operators of essential services” and must implement the provisions of the directive to form the required base level of security for those services.
 
This EU directive was passed on July 6, 2016, and member states were given 21 months to transpose the directive into their national legislation, which is due today.  While much of the preparation over the past two years was concerned with the building of capabilities at a member-state level, it is only now that the directive is going to start impacting your company directly.
 
You will start to find out over the next six months whether you are in scope of the directive (by November 9, 2018 at the latest).  Here are some of the key ways in which you will be impacted:
 
• Financial penalties for breaches of the directive. There are penalties for breaches impacting essential services. The UK’s £17 million maximum penalty has already made headlines for its size and scale. The size of the fine is not consistent across the EU, as each member state determines the maximum level of fine it will levy.
• Mandatory security breach notification. Organisations will need to notify their designated competent authority of any breach that impacts the services they operate, not just those impacting personal data. Timeframes have not been specified, but some are suggesting mirroring the GDPR 72-hour breach notification requirement.
• Some of your breach data will be shared to help inform others. The breach data received by operators may be distributed to other EU member states through threat intelligence sharing channels. This sharing of information to help other, similar operators is a new and potentially interesting expansion that could take cross-EU cyber cooperation up a level.
• You may need to adjust or implement new security controls. The directive calls for a base level of security controls to be implemented, dependent on the assessment of the key risks facing an organization’s services.
• You will need to take steps to manage your supply chain. While not directly in the scope of the NIS Directive, operators of essential services are expected to assure themselves that their supply chain abides by the same standards that they do.
• Digital service providers are particularly impacted. 
 
For the first time, there is an explicit recognition in cyber regulation that many companies and citizens are highly reliant on cloud computing services and digital search facilities. 
This obliges some of the largest American-based organisations providing software-as-a-service (SaaS) to comply with the NIS Directive.
 
Here are 3 important points:
 
1. As NIS is a directive rather than a regulation, it is up to member states to determine how they apply it. This means that different EU member states will have different implementations of required security controls. If your organisation operates in multiple jurisdictions, you will need to manage a complex set of potentially competing requirements for demonstrating NIS compliance.
 
2. For fines involving personal data, the GDPR will also apply. A significant concern for your organisation would be whether so-called NIS Directive/GDPR “double jeopardy” is an issue. 
While it is expected that both the applicable NIS competent authority and the relevant GDPR data protection regulator would both wish to investigate, I believe that in these cases one regulator should be designated as the primary authority for the purposes of levying a penalty to ensure that the organisation is not punished twice for the same breach.
 
3. Finally, while it allows maximum choice to member states, the ability of each to either select a single centralised authority or adopt a sectoral approach involving multiple regulators will only create confusion for organisations with operations in multiple jurisdictions as to how and whom they report to in which country. 
 
A centralised approach to management of competent authorities would have been a simpler approach.
 
Information- Management:            
 
You Might Also Read: 
 
10 Things About The Network and Information Security Directive (NIS):
 
European Privacy Directive: Encryption Without Backdoors:
 
 
 
« Real-Time AI Gets Close To A Brainwave
Seminar: Next Steps For Cyber Security In The UK »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Blueliv

Blueliv

Blueliv is a leading provider of targeted cyber threat information and intelligence. We deliver automated and actionable threat intelligence to protect the enterprise and manage your digital risk.

Seclore

Seclore

Seclore is the most advanced, secure, and automated Enterprise Digital Rights Management (EDRM) solution available.

Charlton Networks

Charlton Networks

Charlton Networks provide a complete range of IT infrastructure, network and security solutions aimed at SME companies.

Privitar

Privitar

Privitar is leading the development and adoption of privacy engineering technology enabling our customers to innovate and leverage data with an uncompromising approach to data privacy.

ESTsecurity

ESTsecurity

ESTsecurity is a leading company in cyber security providing intelligent security solutions to make world more secure.

Oznet Cyber Security

Oznet Cyber Security

Oznet Cyber Security is dedicated to offering integral solutions oriented to the support and security of information.

Corsa Security

Corsa Security

Corsa Security is leading the transformation of network security with a private cloud approach that helps scale network security services with unwavering performance and flexibility.

Data Eliminate

Data Eliminate

Data Eliminate provide data destruction, secure end-of-life IT asset disposal, and data protection consultancy services.

Techleap.nl

Techleap.nl

Techleap.nl is a non-profit publicly funded organisation helping to quantify and accelerate the tech ecosystem of the Netherlands.

NSR

NSR

NSR provide trusted solutions that deliver positive business outcomes for our clients in cybersecurity and data protection challenges.

Orbus Software

Orbus Software

Orbus develops, markets and sells enterprise software which helps large, blue chip and government organisations across the globe to achieve digital transformation outcomes.

IntegraONE

IntegraONE

IntegraONE is a IT solutions provider offering a full range of networking and technology solutions.

Klaatu IT Security (KITS)

Klaatu IT Security (KITS)

Klaatu IT Security is a boutique provider of cyber security services, empowering our clients to prioritise and reduce their cyber risk.

OSP Cyber Academy

OSP Cyber Academy

OSP Cyber Academy are a managed service provider of cyber, information security and data protection training.

Hakai Security

Hakai Security

Hakai is a consulting firm specializing in information security that offers customized services and products to meet the needs and goals of each business.

PrimeSSL

PrimeSSL

PrimeSSL, a leading Certificate Authority (CA) backed by the trusted Sectigo Root, delivers affordable and user-friendly SSL/TLS certificate solutions.