NIS directive & GDPR: Regulations that will have a global impact

NIS directive & GDPR: Regulations that will have a global impact
By Natasja Bolton, Senior Acquirer Support QSA

With the increase of malware and other malicious cyber security attacks that have had a global impact in the last few years, governments around the world have been trying to implement concrete safeguards through regulation. The goal of these regulations being to not only protect valuable infrastructure services but also businesses.

 

In the European Union (EU), the directive on Network and Information Systems (NIS) will be going live in May 2018. The NIS directive applies to operators of essential services in critical sectors and digital service providers. These organisations are required to take measures to manage their cyber security risk and report major security incidents. Companies that have not put the required safeguards in place by this time face the prospect of enforcement action and/or financial penalties and may also be leaving themselves vulnerable to cyber-attack exploitation.

 

Our previous article ‘Timelines set for EU Directive on Network and Information Security’ addressed in more detail what the directive is and the rules that it will put in place. We highly recommend reading this article if you haven’t already.

 

In the UK, the government is launching a consultation on their plans to implement the NIS directive into national law.  The law will set out the approach and requirements to ensure the confidentiality, integrity and availability of the network and information systems that deliver and support essential services and the digital economy. The need to address the gaps that may exist in network and information security, particularly in organisations that provided essential services, is evident from the impact of the recent WannaCry and NotPetya malware attacks. Those attacks affected organisations across the globe, most notably infrastructure services such as hospitals, telecommunication businesses, power companies, and financial institutions.  The impact of these attacks spanned across businesses in the UK, Europe, the U.S. and beyond.

 

Cyber insecurity increasing

The 2017 UK Government cyber security breaches survey estimated that 46% of all U.K. businesses (rising to 68% of large businesses) have discovered at least one cyber security breach or attack in the previous year.  The survey findings indicate that the WannaCry and NotPetya ransomware attacks, widely reported in the media, may just be the tip of the iceberg.  All organisations, whether they are within the scope of the NIS directive or not, should consider their exposure to (as well as the potential impact of) cyber-attacks and security breaches to take appropriate measures to protect their business.

 

Also in force from May 2018, is the General Data Protection Regulation (GDPR) which focuses on the privacy and protection of customer personal data.  Though a legal requirement created by the EU, GDPR is applicable to personally identifiable information (PII) related to EU citizens.  Therefore, GDPR will apply to businesses handling such PII even when they operate outside the EU; hence the impact of this new regulation will be felt globally.

 

GDPR not just another regulatory compliance

In the U.S., organisations are already accustomed to meeting security requirements driven by regulatory obligations, such as Payment Card Industry Data Security Standard (PCI DSS), National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) and Special Publication 800-53r4, International Organization for Standardization (ISO) 27001 & 27002, and the Homeland Security Act (HSA), so GDPR may be seen as just be another compliance audit to be undertaken each year. However, Sysnet believe that U.S. companies and all businesses based outside of the EU should not consider GDPR to be just another regulatory compliance obligation to be met. Sysnet’s Jeremy Lacy, Senior Cyber Security Consultant, U.S. highlighted the importance of this: “I honestly believe that if GDPR is implemented correctly and changes (with) the global business landscape, it may be a step towards a global information security data security and privacy standard.  With that in mind, American companies need to do their part and participate in the development of GDPR to maintain the highest level of information security and data privacy possible.”

Organisations that are not compliant with GDPR also face serious fines:

 

  • Fines of up to €10 million or 2% of worldwide annual turnover, whichever is the higher, for breaches such as:
    • failing to obtain consent for the processing of children’s Personal Data;
    • failing to implement appropriate technical and organisational measures;
    • controllers failing to comply with obligations in relation to the engagement of and processing carried out by Data Processors
    • failing to notify a Personal Data breach;
    • failing to complete a data protection impact assessment, when one is required;
    • failing to appoint a Data Protection Officer, if one is required.
  • Fines of up to €20 million or 4% of worldwide annual turnover, whichever is the higher, for infringements of GDPR provisions, including:
    • the basic principles for processing, including conditions for consent;
    • the data subjects’ rights;
    • meeting the conditions required for transfers of Personal Data to third countries or international organisations.