(ID999) INCIDENT RESPONSE - Tel: UK 0044 1732 897 601

EU Cyber Security Strategy and Directive

What is the EU cyber directive? What is the EU's new NIS?

The Cyber Security Directive represents the most significant change to data protection in the UK and EU since 1995.

Directives are instructions on what has to be achieved by legislation, leaving organisations to implement the legislation in the manner best suited to their own circumstances. In this way the EC’s new NIS (network information security) Directive is attempting to set a standard minimum level of security across the Union without deterring any state from setting the bar even higher.

The three pillars

The three key pillars in the NIS Directive are that each member state must adopt an NIS strategy and implement an NIS competent authority; must create a ‘cooperation mechanism’ to share security information across the Union; and that “operators of critical infrastructures, such as energy, transport, and key providers of information society services (e-commerce platforms, social networks, etc), as well as public administrations [are] to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities.”

The key statement in the last requirement is ‘report serious incidents’, which is a significant advance on the Data Protection Regulation that requires disclosure of the loss of personal data.

The cost and inherent impact on all EU businesses

Organisations that fail to comply with the proposed new Directive will be fined a percentage of their global revenues, although the exact level is not yet clear, with reports ranging from 1% to 5%. This article will be updated when new information becomes available.

There will be obvious additional costs for all countries covered by the proposed directive. This will include the creation of new processes and policies and, of course, acquiring new technology to comply. Conversely, it will mean additional income for the IT security industry as businesses are forced to increase budgets to invest in the additional security technologies they will need to become compliant.

The directive means that, for the first time, companies will be under a legal obligation to ensure they have suitable IT security mechanisms in place, which is likely to boost IT spending across the EU.

Sharing your information with member states

The EU is keen for member states to share information about cyber-attacks and will require organisations to tighten up their cyber-defences.

Under the new proposals, each country would have to appoint a Computer Emergency Response Team similar to that of ID999 and create an authority to which companies would report breaches. These new bodies would decide whether to make the breaches public and whether to fine companies.

According to the EU, only one in four European companies has a regularly-reviewed, formal ICT security policy. Even among ICT companies, the figure is only one in two, it says. It is not clear to BII where the figures have been sourced or what 'regularly-reviewed' would constitute in this instance. We will update this article when further information is available.

Using BII as your CSP to prepare for the Directive

BII's Business Development Director, Stuart Hargreaves:

The Directive is no surprise; the UK and US have been moving down this road for a long time.

The cost and reputation of an organisation in the UK for non-compliance is difficult to comment on at this time but it goes without saying that the Directive is the start of things to come.

BII Compliance built its reputation assisting organisations with the myriad of conflicting regulations, especially those spread across borders. We have seen too many crossed hairs with current data related regulations in the UK and privacy simply isn't taken seriously enough in the UK (like it is in Germany).

It's about time the bar was raised and generalised geographically. BII are of course in a great position to assist our clients with Directive compliance scoping and the delivery of technology refresh and additional technology should it be required. I am not aware of any other UK CSP that can offer a full US- and Europe-wide incident response SLA backed up with full Cyber Liability Insurance cover.