The Internet is often referred to as the Wild West, a relatively ungoverned space, yet this week the European Union (EU) took a huge step forward by reaching agreement on what should be included in the forthcoming Network and Information Security (NIS) Directive. This landmark directive – the first time the EU has legislated on cybersecurity – aims to raise cybersecurity and resilience capabilities across the EU's 28 member states. First proposed in 2013, the directive may seem to have spent a long time in discussion, but that is really a measure of how important it is to society. Carefully defining what is required and who is included was critical to building confidence in the ever-growing digital world, and a more secure and resilient cyberspace in turn supports GDP growth.
What does this mean for businesses?
First and foremost, the December 7 agreement moves the directive into the more formal steps: it will progress from concept into application through the development of national implementing regulations. Until now it has been easy to view this as a distant goal; from here on the timelines become far more predictable. Furthermore, with a defined scope of which types of organisation are covered and how, each should be defining its own plan now to ensure compliance. Although the final text is yet to be released, much of the content has long been decided.
Who does it apply to?
The NIS Directive sets requirements at both the member state level and for businesses. Member states must have a defined national cyber strategy and the capabilities to manage incidents that could impact digital society, including establishing (if they do not already have one) a national computer security incident response team (CSIRT).
The directive specifically sets out obligations for "operators of essential services", the entities that generally make up a country's Critical National Infrastructure. It lists the essential sectors, which include finance, healthcare, and energy among others, and requires these operators to take appropriate security measures that reflect the state of the art and to notify the national competent authority, without undue delay, of significant incidents that could impact the continuity of the services they provide. Moving forward, member states will determine exactly which entities fall into these categories.
Also included are digital service providers (an area of much debate), which cover the likes of e-commerce platforms, search engines, and cloud service providers. While the plan is that the requirements will be lighter on this group, their inclusion is a clear reflection of just how core these services are becoming to our increasingly digital society.
It is also worth noting that there are strong rumours that the data protection reform still under negotiation, the General Data Protection Regulation, is to be finalised before the end of the year, which would move that reform into its closing stages.
What should you do next?
- Now that the scope has been settled, you should be able to determine clearly whether you, your business partners, and/or your supply chain will be covered, and from that work out what the implications will be for your business.
- Closely monitor implementation, especially by member states. Once the directive is published in the Official Journal of the European Union (which should occur shortly), member states will have 21 months to transpose it into national regulations or laws. Timelines will then become much clearer, which will allow you to define your plan for compliance.
- At the same time, monitor the General Data Protection Regulation, which is expected to reach agreement in the coming months. Although a separate piece of legislation, it is on a parallel track, and its conclusion will likely add to your requirements – pay attention to its scope and timelines.
The right mindset is key when thinking about compliance.
In my experience, as businesses review the implications of the legislation, they can easily over-focus on the new requirement to notify. That is understandable, since response is the largest gap in many organisations' current capabilities; to date, many have had no mandate to report at all. However, before directing your energies to response, you should first determine whether you are effectively doing all you can to prevent cyber incidents from occurring in the first place. The more you prevent, the less responsive capability you will require.
Cybersecurity continues to evolve at a rapid pace, yet it is very easy to slip into the habit of taking the same security measures that worked in the past. Ask yourself when you last changed a security process or reviewed your capabilities, and whether they remain state of the art. More fundamental still: how do you measure success, and what is the yardstick that tells you when change is needed? In the dynamic cybersecurity arena, continuing to do the same old things because they worked in the past typically means you are slowly slipping away from state-of-the-art capabilities.
In summary, it may seem obvious to tackle the new requirement of notification first, but the greatest business benefit comes from stopping the incident in the first place. Finding the right balance between prevention and response is critical.