IT and business leaders have been urged to plan now for the forthcoming European Network and Information Security (NIS) directive, despite confusion over its scope, timetable, and how it will fit with existing national laws.
In March, the European Parliament approved a draft version of the directive, which is very broadly designed to improve cyber security in the European Union in a way that ensures consistency among member states.
The two main requirements are that affected organizations implement security measures to guarantee a level of security appropriate to their risk, and that they notify the relevant authorities in the event of a serious security incident.
It’s uncertain, however, how much overlap the latter will have with the notification rules in the forthcoming General Data Protection Regulation.
The idea is that NIS applies to organizations in critical infrastructure industries, such as energy, healthcare, transport, and financial services – operators of any infrastructure, “the disruption or destruction of which would have a significant impact in a Member State”.
As such, an original plan to include technology providers of e-commerce, social networking, app store, payment gateway and other cloud platforms appears to have been shelved by lawmakers for now.
Attendees at a London conference hosted by European security body EEMA on Wednesday agreed that confusion still exists over exactly which type of companies the directive will affect and what they will be required to do – a fact which could make it difficult to engage many on the issue.
Sue Milton, immediate past president at ISACA London, argued that despite this lack of clarity, organizations need to strive for greater understanding of the directive because “it’s potentially a very large job”.
Significant investment may be needed to ensure the right technologies are put in place to satisfy compliance requirements and to “prove you comply” by creating the right policies, training and processes, she explained.
Aletheia CEO Jon Roffe argued that even though NIS doesn’t apply to all companies, the themes it covers should be universal.
Organizations should be looking at how it could impact their current cyber security-related activities, and whether it can be turned into a competitive advantage, he added.
Fines for non-compliance, together with the additional financial impact of regulator investigations, customer defections, remediation costs and reputational damage, should all focus minds.
“It’s difficult to talk about what you must do in such a confusing environment where there’s little in the way of prescription and … it’s not sure whether it will make it into legislation,” Roffe said.
“But the directive is coming over the horizon and if you’re not ready you may find yourself in a very difficult position, if you’ve no plan or budget.”