Cost of EU Legislation

Could new EU legislation cost you dearly?

The IT Insider explores the potential impact on UK businesses when the EU Network and Information Security (NIS) Directive comes into force.

Described as ‘the most lobbied against piece of European legislation’ and with over 4,000 amendments received on the proposal to date, the EU Network and Information Security (NIS) Directive has proved controversial, to say the least. With Cyber Security so high on the agenda at both a global and national level though, it’s only a matter of time before an agreement is finally reached. And with the regulation set to apply to ‘any European business that processes personal data’, as well as ‘any business outside of the EU that processes personal data obtained from offering goods or services to EU citizens’, it’s not something that any business with an EU customer base can afford to ignore.

With potential fines of up to 5% of annual worldwide turnover or €100m for companies not complying with new regulations, it’s vital that you understand what will be required of your business once the legislation comes into effect. Some of the key requirements include:

  • Taking appropriate technical and organisational security measures to protect your data
  • Ensuring that security policies are regularly tested and evaluated
  • Keeping detailed documentation on the data being processed
  • Where a business has data on more than 5,000 people in any 12 month period, or handles sensitive data such as in the health industry, it will be a legal requirement to appoint an experienced Data Protection Officer
  • It will also be a legal requirement to report any data breach to a Data Protection Authority (DPA) without undue delay.

This infographic from IBM puts the scale of the task at hand into perspective – highlighting just how vulnerable businesses now are to cyber attacks and insider security threats.

The 2015 Cost of a Data Breach study from The Ponemon Institute also makes for an interesting read. With the UK companies participating in the annual study reporting that their data breaches increased in cost over the last month, the most profitable investments in helping to lower the cost of any future data breach were identified as:

  • Extensive use of encryption
  • Incident response planning
  • Business continuity management
  • Board-level involvement
  • Employee training
  • The appointment of a CISO with enterprise-wide responsibility
  • Insurance protection.

The cybersecurity environment is constantly evolving, which means your business needs to be proactive in order to remain secure. Understanding the current threat landscape, including the volume of attacks, the most common types of attacks and attackers, the industries being targeted and factors enabling these attacks, is vital if you are to stay ahead of the game. Research from IBM X-Force is a great starting point – providing a wealth of information and advice for business.

For the majority of organisations, significant time, resources and change will be needed in order to ensure compliance. It’s not something that can simply happen overnight, so the sooner you start to put the necessary plans and processes into place with a view to meeting the requirements of this new EU directive, the less painful (and potentially costly!) it will prove in the long run.