The European Commission (EC - the executive arm of the European Union) has finally published its long-awaited European cyber security strategy, and supported it with a Directive ‘concerning measures to ensure a high common level of network and information security across the Union’ to ensure that the strategy actually happens.
Directives are instructions to the member states on what has to be achieved by legislation, leaving each state to implement the legislation in the manner best suited to their own circumstances. In this way the EC’s new NIS (network information security) Directive is attempting to set a standard minimum level of security across the Union without deterring any state from setting the bar even higher.
The three key proposals in the NIS Directive are that each member state must adopt an NIS strategy and implement an NIS competent authority; must create a ‘cooperation mechanism’ to share security information across the Union; and that “operators of critical infrastructures, such as energy, transport, and key providers of information society services (e-commerce platforms, social networks, etc), as well as public administrations [are] to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities.”
The key statement in the last requirement is ‘report serious incidents’, which is a significant advance on the Data Protection Regulation that requires disclosure of the loss of personal data.
It is noticeable that initial response from the security industry largely supports the EC initiative, while business itself is more reserved. “Firms are concerned that reporting online attacks and security breaches might damage their reputations,” reports the BBC. But this brings a stinging rebuke from Wieland Alge, VP and general manager EMEA at Barracuda Networks: “Businesses’ protests of trade secrets and data confidentiality are quite unfounded. By focusing on their reputation and stock market value only, they forget that what’s at stake in an attack is the customers’ data. And that means us and our data.”
More typical of the industry’s response is that from Symantec’s Ilias Chantzos, senior director of government affairs, EMEA & APJ: “Symantec welcomes the EU’s cyber security strategy and shares a commitment to its broad objectives... it is definitely a step in the right direction.”
John Yeo, EMEA director at Trustwave, takes a more reflexive view, calling it a curate’s egg. “The threat of harsher penalties for businesses that fail to protect private individuals’ data will undoubtedly cause companies to take a closer look at the measures they have in place to secure sensitive data.” That is a good thing. But he wonders about the EU’s cost saving claims which state the strategy will “save companies costs of up to 2.3 billion EUR per year and increase EU GDP by 4% by 2020.”
He suspects that the larger multinationals will benefit the most (despite the fact that they are the ones objecting the most), but that “the elephant in the room is the impact on the 23 million SMEs within the EU.” He notes that the EC already acknowledges that "the most important individual business constraint reported by SMEs is the compliance with administrative regulations,” and suspects that this will only make things worse for SMEs. What isn’t yet known is how the Directive will be implemented in individual countries, and how many of the 23 million SME’s will be drawn into that third proposal of the Directive.
Who will benefit, he asks. “Security companies, lawyers and multinational organizations look set to benefit whilst SMEs will be burdened with more expense in an already strained economic climate.”
And the key question and the fundamental drive behind the strategy: will it help consumers feel more confident in sharing their data online? “I very much doubt it,” says John Yeo. “The increased publicity around the data breaches and associated fines likely to arise from the changes could easily lead to desensitization, or the belief that suffering a data breach is inevitable.”