Negotiators of the European Parliament, the Council and the Commission have agreed on the first EU-wide legislation on cybersecurity. The agreement, announced in early December, was reached in response to increasing concerns about cyberattacks. The proposed law would regulate essential services as well as network companies (from Internet providers to online marketplaces and cloud services providers) to ensure their infrastructure is secure and to report major security breaches.
The proposed “Network and Information Security Directive” (NIS Directive) sets out security and reporting obligations for organizations in critical sectors: transport, energy, banking, water, digital infrastructure, health and finance. In 2013, a proposal for this Directive was put forth to create a common level of network and information security across the EU. The agreement this December is a big step toward enacting this law. Following this political agreement, the text will need to be formally approved by the European Parliament and the Council, then published in the EU Official Journal; it is likely this will happen quickly in the New Year. Once it has entered into force, Member States will have 21 months to implement the Directive into national law and 6 months to identify operators of essential services.
The Directive aims to improve national cybersecurity capabilities in EU Member States, as well as cooperation between them on cybersecurity. At the organizational level, businesses will need to have more measures in place to prevent and respond to security incidents, and to report those incidents to national authorities. These measures range from risk assessment and incident response management to “state of the art” network and information security systems appropriate to each organization’s risks.
Between the NIS Directive and the EU GDPR, organizations in the EU and abroad now face a new regime of data protection requirements. There is, as one would expect, overlap between the GDPR and the NIS Directive, both of which include risk-based security measures and notification requirements. Despite this overlap, the Directive and GDPR protect distinct interests and apply to different types of incidents.
The GDPR is much more broad-reaching, affecting any entity that processes the personal data of EU residents, which makes it relevant for most US-based organizations (though awareness of this remains low). Additionally, the GDPR is not restricted to essential services or digital service providers. Organizations must also understand the difference between protecting network security (the focus of the NIS Directive) and protecting personal data (the focus of the GDPR). The Directive and the GDPR also set different thresholds for data breach notification and impose different fines: the Directive penalizes organizations for failing to implement security measures or failing to notify authorities of an incident, while the GDPR directly penalizes organizations for the breach itself.
Changes to the regulatory landscape, paired with increased data security risks, the rapid pace of change in technology and more complex employee demographics, have created a complex environment for IT data security. With the new NIS Directive and EU GDPR on the horizon, organizations in EU Member States need to begin preparing now. Learn how Absolute can help your organization navigate the choppy regulatory landscape and mitigate data security risks here.