I previously blogged about the new General Data Protection Regulation (GDPR) agreed as European legislation in December 2015. This blog focuses on the new Network and Information Security Directive (NISD) which was agreed at the same time and also has significant implications for business.
The Network and Information Systems Directive (NISD) was first proposed in 2013 and is now set to become a reality, with only the final legal processes of the European Parliament and Council to complete, after which it will be published in the EU Official Journal and enter into force. Member states will then have some 21 months to implement the Directive into national laws.
The key obligations emerging from this directive will be that “operators of essential services” will have to take “appropriate security measures” and to notify serious incidents to the relevant national authority. The Directive expands existing breach reporting legislation to cover sectors such as energy, transport, banking, financial infrastructure, health, water, and digital infrastructure. A big change. Member states will have to identify these operators by considering whether they are critical to societal or economic activities.
Many of the large companies operating in these sectors will be considered “essential” and will now have to treat breach detection, response and reporting as part of their company obligations.
The NISD comes alongside the General Data Protection Regulation (GDPR), which is also expected to be passed into European law shortly. The GDPR harmonises data protection law across Europe, increasing the responsibilities of, and the level of sanctions imposed on, organisations that mishandle sensitive personal data. With penalties of up to 4% of global turnover, the GDPR is to be taken very seriously indeed. Combined with the NISD, there will be enormous pressure on companies and organisations to improve how they handle such data and, in turn, their cybersecurity.
The likely implications will be:
- Organisations will need to be able to demonstrate that they have taken ‘appropriate security measures’. This will be judged according to the individual company but, it is safe to say, many organisations currently do not take appropriate measures.
- Visibility of breaches will increase. This will drive public concern over the safety of online systems and over whether a company can be trusted with users' sensitive information. In the US, the visibility of breaches imposed by breach reporting laws, now in place in most US states, has led to a huge increase in litigation associated with breaches.
- That litigation risk has also created the cyber insurance industry, which aims to provide policies that mitigate some of the financial impact of such breaches. The cyber insurance market is already worth over $1 billion and is expected to grow at double-digit rates over the next 2-3 years. As insurers become more particular about who they consider to be an insurable risk, organisations will be driven to invest in better cyber security.
Now that the final agreed text has been published, the key questions are “Do you understand the potential impact of NISD and GDPR on your business?” and “Are you confident about the cyber security across your business?” Please leave a comment with your thoughts, or get in touch directly by email at firstname.lastname@example.org if you’d like to know more.