European Information Security Directive Looms Large for CISOs

January 18th, 2016

Second in a two-part series

CISOs whose companies do business in Europe will soon have to review and in all probability update their security infrastructure and processes in response to the European Union’s Cyber-Security Directive that was released last month.

As a sign of the times, over 100 nations have enacted security and privacy legislation compared to a mere 4 countries in 1993, according to a new report by the Accenture Institute for High Performance.

The EU proposal, officially called The Network and Information Security Directive, was created to boost the overall level of cyber-security in member states in response to the continued increase in the frequency and severity of cyber attacks.

For example, an attack on a German iron plant via the corporate network caused massive damage to the physical plant. In a world beset by such dangers, the members of the European Parliament Internal Market Committee felt the need to implement stricter government regulations. The final step in its enactment will be for the EU Parliament to endorse it.

The Directive will have implications even for companies based outside EU member states if they provide essential or digital services to parties inside the EU.

Energy, transportation, banking, health, search engine, online marketplace and cloud computing service providers are some of the industries that will be impacted. Big-name digital services like Google, eBay and Amazon, although headquartered in the U.S., will also have to ensure the safety of their infrastructure and will be obliged to report major incidents to national authorities. These digital service providers handle personal consumer data, partner information, system access, and financial transactions such as bank-to-bank transfers over their infrastructure.

International legal practice Osborne Clarke suggests that other types of businesses could become subject to the directive as well: “Companies providing IT infrastructure and support to operators of essential services can expect to see requirements flow down contractually, which will require them to co-operate and assist in notifying and reporting to national regulators.”

Tighten Security

International law firm Allen & Overy discusses details of the Cyber-Security Directive, calling out its requirement that essential service operators take technical and organizational risk management measures to prevent and minimize the impact of incidents that affect their networks and information system security.

Digital services companies must take technical and risk management measures to ensure an appropriate level of security for systems and facilities including:
  • Incident management
  • Business continuity
  • System monitoring
  • Testing
  • Auditing
  • Regulatory compliance
  • Standards compliance

Both essential and digital service providers may be required to provide authorities with documented policies for assessing the security of their networks and information systems. Essential service providers may also have to present evidence of effective implementation of such policies, such as the results of a security audit.

Learn about Masergy’s professional security services including comprehensive security audits, regulatory compliance testing, vulnerability assessments, and risk management.

David Venable

David Venable, Vice President of Cyber Security at Masergy Communications, has over 15 years’ experience in information security, with expertise in cryptography, network and application security, vulnerability assessments, penetration testing, and compliance. David is a former intelligence collector with the National Security Agency, with extensive experience in Computer Network Exploitation, Information Operations, and Digital Network Intelligence. He also served as adjunct faculty at the National Cryptologic School.