Just when you think you’ve solved GDPR... A new EU cyber regulation goes live
Yesterday (May 9, 2018) was the deadline for the new Network and Information Security (NIS) Directive to be transposed into EU member states’ national legislation. This new regulation is aimed at creating a base level of security for organizations that are operating essential services within the EU.
The primary sectors covered by this regulation are: energy providers, transport, banking, financial services infrastructure, health, water and digital infrastructure providers. Organizations in this scope are termed “operators of essential services” and must implement the provisions of the directive to form the required base level of security for those services.
This EU directive was passed on July 6, 2016, and member states were given 21 months to transpose the directive into their national legislation, which is due today. While much of the preparation over the past two years was concerned with the building of capabilities at a member-state level, it is only now that the directive is going to start impacting your company directly.
You will start to find out over the next six months whether you are in scope of the directive (by November 9, 2018 at the latest). Here are some of the key ways in which you will be impacted:
The good news is that most organizations already had most of what is required in place.
I have some concerns about the way that the directive is being applied across Europe, which I think creates potential difficulties for organizations impacted by it:
- As NIS is a directive rather than a regulation, it is up to member states to determine how they apply it. This means that different EU member states will have different implementations of required security controls. If your organization operates in multiple jurisdictions, you will need to manage a complex set of potentially competing requirements for demonstrating NIS compliance.
- Where a breach involves personal data, the GDPR will also apply. A significant concern for your organization would be whether so-called NIS Directive/GDPR “double jeopardy” is an issue. While it is expected that both the applicable NIS competent authority and the relevant GDPR data protection regulator would wish to investigate, I believe that in these cases one regulator should be designated as the primary authority for the purposes of levying a penalty, to ensure that the organization is not punished twice for the same breach.
- Finally, while it allows maximum choice to member states, the ability of each to either select a single centralized authority or adopt a sectoral approach involving multiple regulators will only create confusion for organizations with operations in multiple jurisdictions as to how they report, and to whom, in each country. A centralized approach to the management of competent authorities would have been simpler.
I will be undertaking research later in the year to understand how organizations are getting on with NIS Directive implementation and how member states are applying it.