Yesterday, the European Commission agreed the first EU-wide legislation on cybersecurity. First proposed in 2013, the Network and Information Systems Directive (NISD) now only needs approval from the European Parliament and Council to be entered into force.

Following approval, member states will have 21 months to implement the directive into law, which will include mandatory data breach notifications for a range of critical infrastructure companies.

CBR reached out to cybersecurity professionals to get their reaction to this landmark agreement – the first such cybersecurity legislation in the EU.


1. Send shivers up the spines of CEOs everywhere

Andrew Rogoyski, Head of Cyber Security at CGI & Chair of Tech UK’s Cyber Security Group, said:

"This will drive an even higher level of interest in cybersecurity, creating interest in security consultancy, secure design, and monitoring services. The NISD has huge implications for cybersecurity now that whole new sectors will be obliged to declare their breaches.

"Who wants to be the first company to have to disclose a breach under this new law, especially if the subsequent GDPR imposes a fine of 5% global revenue?"

"The NISD is going to significantly increase the focus on cybersecurity at board level – the obligation to publicly declare a breach will send shivers up the spines of CEOs everywhere."


2. Good and bad news

Matt Middleton-Leal, regional director, UK & Ireland at CyberArk, said:

"The new NIS directive and mandatory data breach reporting is both good and bad news according to our customers. Organisations will need additional funding to help them improve their security posture; however, the fear, uncertainty and doubt created by new regulations can also hinder rational decision making.

"The inevitable time delay in interpreting the text according to each individual EU member state’s own laws will mean that this likely won’t come into effect for some time."


3. The end of ‘keeping mum’

Nigel Hawthorn, Skyhigh Networks’ European spokesperson, said:

"The agreement of the first EU-wide cybersecurity directive is a landmark occasion. For too long businesses have tried to tip-toe their way out of notifying customers about data breaches, worried about the damage it can have on reputation and sales.

"Banks especially have been guilty of trying to keep ‘mum’ whenever they can. While this directive is aimed at critical infrastructure companies, it will still provide customers with greater confidence and, more importantly, raises their expectations of privacy."


4. EU playing catch-up

Phil Lee, partner in the Privacy, Security and Information group at Fieldfisher, said:

"For some time Europe has been considered ahead of the US in terms of data privacy and security, but it’s interesting to note that the US already has state-level data breach reporting requirements in most states and a federal level cybersecurity strategy.

"When it comes to cybersecurity preparedness then, the EU is really playing catch-up so this Directive, once finally adopted, will be a welcome development."


5. Potential for catastrophe

Ross Brewer, vice president and managing director for international markets at LogRhythm, said:

"It only takes a small breach for a company’s reputation to take a severe hit, which is bad enough, but when it comes to Critical National Infrastructure (CNI) a breach has the potential to be catastrophic.

"It’s no good having rules in place that enforce the sharing of information if tools aren’t in place to provide this information as soon as a breach occurs. JD Wetherspoon was clueless for six months, but if the initiative had been in place when it happened, would that mean that they would have found the breach any sooner? It’s unlikely."