Here’s What We Can Expect as NIS and GDPR Arrive

It’s May, which means GDPR will take effect in a matter of days now, not months; and along with it, we have new legislation around the protection of digital-enabled critical infrastructure in the Network and Information Security (NIS) Directive, also going live this month. And we still have more to come in the EU, with the draft Cybersecurity Act[1] and its proposed EU cybersecurity certification framework, currently going through the European Parliament, plus the Electronic Communications Code, which will update regulations for Europe’s telecom industry and includes security requirements for these companies, nearing final stages of negotiations in Brussels.[2]

Think of May, then, as the start of ongoing change. We use technology every day, and the digital world touches every part of our lives. GDPR, NIS and other changes in regulation are set up to ensure every organisation takes seriously its cybersecurity responsibilities. This is good, right?

Yet I face mixed emotions. Every day, I hear from some organizations how they are preparing well for GDPR, and yet others at this late date are still asking questions which would indicate they are ill-prepared and don’t have a good grasp on the requirements.   Some organizations still talk of waiting for the first fines to hit those around them before they take it seriously.

So, what can we expect?

Examples will be made of noncompliant organizations…

I’m certainly no lawyer and can’t argue the finer points of enforceability. But increasingly, new regulations are including significant penalties to ensure business executives take them seriously. Whilst, in my opinion, those penalties should be a final resort, companies that simply have flaunted the requirements should be prepared for the worst case.

…but the impact of GDPR enforcement is likely months away

I suspect we won’t see those examples made right away, as it takes time to investigate details and define just how bad violations were. If we assume the worst – poor documentation, poor metrics and little legacy evidence – it’s likely that assessments could take months; and this is before lawyers start to negotiate the end outcome, testing and setting the precedents around the definitions of the regulation and culpabilities of those involved. As such I suspect it may be much later in 2018 before we see the real impact of GDPR.

Management teams will seek a much deeper understanding of local laws

The NIS Directive comes into effect just a tad earlier than GDPR, the 10th of May, and it is a little harder to get your head around. Not to be confused with a regulation, the NIS Directive functions as an instruction to EU member state governments to implement their own laws in support of the directive’s goals. Member states were required to transpose the NIS Directive into national law by May 10, 2018. Some countries have existing laws that they need to update slightly; others require further adaptation, and for some, this may be a whole new requirement. Differing countries are in different states of preparedness, depending on their prior maturity. As such, depending on whether and where you provide the essential or digital services covered under NIS, you will need to look at each local implementation of the directive, if you are covered, and what you need to do.

Your team will need to be able to explain the following:

• What will be the local (domestic) law implementing the NIS Directive and when is it due to come into effect?[3]
• Which national authority or entity will be responsible for applying and potentially enforcing the local law? Looking at the UK as an example, the NCSC is the central coordination point, but the existing, competent authorities in each specific, covered critical national infrastructure (CNI) sector will continue to be the lead engagement points for that industry space.[4]
• What will be the framework they use to define and measure the required controls? Noting that NIS does include the requirement for prevention, early views would suggest many may adopt ISO, NIST or other tried and tested methodologies.

Whilst May is a milestone, it is still effectively the start of the ongoing journey to raise the bar on cybersecurity in an increasingly digital world, in the EU and beyond. I’m not expecting the big bang moment as things suddenly change, but over the next 6-12 months, the definitions and scope of GDPR will started to be tested. NIS will continue to move from a directive to national laws, and in the meantime, the EU will keep pushing forwards new requirements aimed to ensure confidence in an increasingly digital society with the Cybersecurity Act and other proposals.

If you are well on your GDPR journey, I applaud you. For those hanging back, I encourage you to get started. This is real, and there are the implications that go with it. And as I’ve shared in previous blogs, don’t downplay the NIS Directive just because it’s not generating the same volume of headlines as GDPR. The realities of its implementation are no less significant, and the cybersecurity bar it sets, considering the essential services it focuses on, are even higher than GDPR’s.

[1] https://ec.europa.eu/info/law/better-regulation/initiative/111956/attachment/090166e5b507c22c_en

[2] http://www.consilium.europa.eu/en/policies/electronic-communications-code/

[3] UK example of translating the NIS directive to national law – Network & Information systems regulation http://www.legislation.gov.uk/uksi/2018/506/regulation/1/made

[4] UK guidelines for competent authorities on NIS https://www.gov.uk/government/publications/nis-regulations-guidance-for-competent-authorities