The Internet is often referred to as the Wild West, a relatively ungoverned space, yet the European Union (EU) took a huge step forward in coming to agreement on what should be included in the forthcoming Network and Information Security (NIS) Directive. This landmark directive – the first time the EU has legislated on cybersecurity – aims to raise cybersecurity and resilience capabilities across the EU’s 28 member nations.
What does this mean for businesses?
First and foremost, the December 7, 2015 agreement now moves the directive into the more formal steps – it will progress from concept into application via the development of national implementing regulations. Until now it’s been easy to view this as a distant goal; from this point, timelines immediately become more predictable. Furthermore, with a defined scope of what types of organisations are covered and how, each should be looking to define their own plan now to ensure relevant compliance.
Who does it apply to?
The NIS directive has requirements at both a member state level and for businesses. Member states must have a defined national cyber strategy and the capabilities to manage incidents that could impact digital society, by establishing (if they don’t already have one) a national CSIRT (computer security incident response team).
The directive specifically calls out obligations for “operators of essential services”, or those entities that are generally part of a country’s Critical National Infrastructure. The directive lists those essential services, which include as examples finance, healthcare, and energy, and requires them to maintain state-of-the-art cybersecurity and to notify, without undue delay, significant incidents that could impact the continuity of the services they provide.
Also included are digital service providers (which was an area of much debate), which include the likes of e-commerce platforms, search engines, and cloud service providers. While the plan is that the requirements will be lighter on this group, their inclusion is a clear reflection of just how core these services are becoming to our increasingly digital society.
What should you do next?
Now that the scope has been settled, you should be able to clearly validate whether you, your business partners, and/or your supply chain will be covered, so you can determine what the implications will be for your business.
Closely monitor implementation, especially by member states. Once the directive is published in the Official Journal of the European Union (which should occur shortly), member states will have 21 months to enact implementation regulations or laws. Timelines will become much clearer, which will allow you to define your plan for compliance.
At the same time, monitor the General Data Protection Regulation (GDPR), which has similarly reached agreement. Although a separate piece of legislation, it is on a parallel track, and its conclusion will likely add to your requirements – pay attention to its scope and timelines.
The right mindset is key when thinking about compliance
In my experience, as businesses review the implications of the legislation, they can easily over-focus on the new requirement to notify. This is due to response being the largest gap for many in their current capabilities; to date, many had no mandate to do so. However, before focusing your energies on response, you should first determine if you are effectively doing all you can to prevent cyber incidents from occurring in the first place. The more you prevent, the less you will require responsive capabilities.
Cybersecurity continues to evolve at a rapid pace, yet it’s very easy to slip into the habit of taking the same security measures that worked in the past. Ask yourself when you last changed a security process, or reviewed your capabilities, and whether they remain state of the art. More fundamental still: how do you measure success? Just what is the yardstick that allows you to validate the need for change? In the dynamic cybersecurity arena, continuing to do the same old things because they worked in the past typically means you are slowly slipping away from state-of-the-art capabilities.