EU cybersecurity directive will reach Britain, come what May
Brexit may have got us out, but EU rules still affect us deeply
The passage of the EU Directive on the Security of Network and Information Systems (NIS) will have a profound effect on corporate security across Europe and even in Britain, despite the Brexit vote.
The NIS Directive applies to organisations that provide elements of a country’s critical national infrastructure – i.e. operators in energy, transport, health, and banking – requiring them to report cyber security breaches promptly on pain of severe fines.
Cloud providers, internet exchanges, online marketplaces and more also need to comply with the rules.
As it is an EU directive, rather than a regulation, EU member states are obliged to pass domestic laws to apply its rules. NIS represents the first EU-wide rules on cybersecurity, at least in the purest sense of the term. The EU has long established privacy regulations.
The new directive, coupled with the General Data Protection Regulation (GDPR) means yet another element of compliance for corporates to chew down upon. Both compliance rules come into full effect in May 2018.
Adam Palmer, director of international government affairs at FireEye, commented: “The EU NIS directive will have a fundamental impact on the way that most organisations in European Union member states implement security policies and report breaches. Organisations of all sizes will now need to adopt mitigation measures that will manage risk stemming from zero-day exploits and never-seen-before malware as these attacks constitute the majority of advanced attacks in today’s threat environment.”
Recent research carried out by FireEye shows that many organisations are not fully prepared to implement the legislation, which comes into effect in less than two years' time. The UK's withdrawal from the EU will take at least two years so UK companies will be subject to the rules for several months, if not longer. Even after that period, UK companies that process EU citizens’ personal data will still be obliged to comply.
FireEye’s Palmer concluded: “Long-term, the UK will need to ensure it finds a way to be considered as a country with an adequate level of data protection, so that neither data storage or data transfer will prove problematic. The UK Data Protection Authority would also do well to encourage the UK government to align with EU data protection laws in order to safeguard the trust of global customers."
Nic Scott, managing director for the UK & Ireland at endpoint data protection and security firm Code42, agreed that UK data protection watchdogs would play a pivotal role.
"The UK DPA (Data Protection Authority) should encourage UK politicians to take compliance with the NIS and GDPR very seriously, right now,” Scott said. “After all, 10 per cent of the UK's GDP comes from the provision of digital services. This is not an insignificant chunk of the economy, and it definitely should be safeguarded against reels of red tape.” ®