IT Leaders Flying Blind Over New EU Security Laws

One third of IT decision-makers from across Europe don’t fully understand the implications of new security and data protection laws about to sweep the region, with twice that number claiming to have been provided with little or no guidance to help them.

That’s according to new research from FireEye, which commissioned IDG Connect to interview IT pros from the UK, France and Germany about the forthcoming Network and Information Security (NIS) Directive and the EU General Data Protection Regulation (GDPR).

IT departments were expected by most respondents (62%) to have responsibility for assessing compliance requirements and drawing up policy reports and compliance frameworks.

Organizations appeared better prepared for NIS than GDPR, with 39% claiming to have all required measures in place for the former, versus just 20% for the latter.

However, there are concerns over levels of understanding about the impact of the laws.

Although two-thirds of respondents claimed to “fully understand” the proposed directive and regulation, the laws have yet to be finalized, and anecdotal evidence points to much confusion still surrounding requirements, FireEye claimed.

Backing this up is the fact that most organizations feel they have received little (42%) or no (20%) clear guidance on NIS and GDPR.

The fact is that they are unlikely to get any help from Europe while legislation is still being finalized, and even after this only policy guidelines rather than specific technical requirements will be forthcoming, claimed the report.

It added:

“This situation may effectively hamstring those IT departments which are either already in the process of upgrading data security provisions, or are planning to do so in the near term, because they cannot be sure the processes and solutions they are implementing will deliver compliance at a later date.”

Confusion over NIS mainly centers around which type of organization it covers. At present it is relevant to all bodies which supply critical infrastructure – energy, healthcare, transport, financial services, and so on.

However, this could be extended to other organizations in the future.

When it comes to GDPR, the details are also still yet to be finalized. The earliest date this could happen is 2015 but some commentators are claiming it could take another year to iron out all the issues.

FireEye EMEA CTO, Greg Day, argued that organizations don’t need the finalized legislative plans to start making preparations today.

“The first tip would be to recognize this is not an IT security task but a business task. All appropriate stakeholders need to recognise the implications and plan how they will prepare,” he told Infosecurity.

“If businesses are to meet the requirements, investments in cyber will have to be rebalanced to aid discovery. This must happen in 2015, to allow organisations time in 2016 to develop and test the policies and skills required.”

Day urged organizations to start now by testing their incident discovery and response processes in order to measure “how far you are from your target.”