As I am sure we all remember from last year’s GDPR rush, there has been significant progress in cyber security legislation from the European Union. But what has happened since then to protect us and our businesses?
I’m sure we have all felt the effects of cyber crime; I have just recently! With the copious articles I have written about the spread of cyber attacks, the Beyond the Cloud security statistics and speaking to IT departments, cyber-security may appear hopeless.
I thought I would use my degree and understand cyber-security legislation.
But things are being done, quite rapidly actually.
To name the most recent development, the NIS Directive (introduced for the security of network and information systems) has become law in Member States. An EU Directive sets a result which needs to be achieved but does not legislate as to how this must come about. All Member States now have the NIS as national cyber security legislation.
Surprisingly, given the political climate, the UK is at the forefront of implementing EU directives. The Network and Information Systems Regulations 2018, implemented in May 2018, were among the leading documents that other Member States followed.
What is the NIS?
The NIS Directive aims to create a baseline across EU Member States, not only requiring that public authorities for cyber security exist but also setting out their responsibilities.
Carl-Christian Buhr, deputy head of cabinet for Mariya Gabriel, European commissioner for digital economy and society, said: “In addition, it places requirements on essential service providers to run their systems in a more secure way and to exchange information.”
“This is an important part because it provides the first glimpse of how we have tried to build the economic incentives into making all of us more secure, because we want to remove the ‘bad incentive’ that everybody had to be quiet about the challenges they faced and to be quiet about the breaches they may have suffered, out of fear of damaging their reputation.
“If there is a requirement for everybody to share information [about challenges and breaches], then the incentive to keep quiet is at least weakened, if not removed, which is the ultimate intention. The result will be that everybody is more secure because the peers of whoever is attacked first will benefit.”
As cyber-security is increasingly a global problem, this will help build exchange mechanisms so that industry sectors across the EU can become more secure.
What to keep an eye out for
The Cyber Security Act was proposed in 2017 and is likely to be implemented in national cyber security legislation by spring this year (Brexit impact pending for the UK, of course).
This “will create a European cyber security certification framework for the first time, again bringing economic incentives into our work by increasing incentives for companies to certify their products for the EU in a one-stop-shop way, making it easier, faster and cheaper,” according to Buhr.
In addition, this essentially means that universal legislation will be used to challenge an increasingly universal problem.
All of this will not be lost after Britain leaves the EU. The UK is committed to working with cyber security partners in Europe after Brexit, according to the UK’s National Cyber Security Centre.
Ciaran Martin, CEO of the NCSC, concluded: “Whether it’s future telecommunications infrastructure, or digital security more generally, we want to work with everyone across Europe and beyond to push these changes, to deliver the digital world we all want to see, one that is not just free and prosperous, but safer as well.”
Therefore, we will hopefully continue seeing these changes benefit us and our business community. The importance of a united front against cyber-attackers is at the forefront.
Cyber-security is affecting us all, but it is important to keep an eye on these changes and understand what the EU is doing to safeguard our interests online.
Cyber-security and hacking will not go away, but cyber security legislation is a start.