European Information Security Directive Looms Large for CISOs
Second in a two-part series
CISOs whose companies do business in Europe will soon have to review and in all probability update their security infrastructure and processes in response to the European Union’s Cyber-Security Directive that was released last month.
As a sign of the times, over 100 nations have enacted security and privacy legislation compared to a mere 4 countries in 1993, according to a new report by the Accenture Institute for High Performance.
The EU proposal, officially called The Network and Information Security Directive, was created to boost the overall level of cyber-security in member states in response to the continued increase in the frequency and severity of cyber attacks.
For example, an attack on a German iron plant via the corporate network caused massive damage to the physical plant. In a world beset by such dangers, the members of the European Parliament Internal Market Committee felt the need to implement stricter government regulations. The final step in its enactment will be for the EU Parliament to endorse it.
The Directive will have implications even for companies based outside EU member states if they provide essential or digital services to parties inside the EU.
Energy, transportation, banking, health, search engine, online marketplace and cloud computing service providers are some of the industries that will be impacted. Big-name digital services like Google, eBay and Amazon, although headquartered in the U.S., will also have to ensure the safety of their infrastructure and will be obliged to report major incidents to national authorities. These digital service providers handle personal consumer data, partner information, system access, and financial transactions such as bank-to-bank transfers over their infrastructure.
International legal practice Osborne Clarke suggests that other types of businesses could become subject to the directive as well. “Companies providing IT infrastructure and support to operators of essential services can expect to see requirements flow down contractually, which will require them to co-operate and assist in notifying and reporting to national regulators.”
International law firm Allen & Overy discusses details of the Cyber-Security Directive, calling out its requirement that essential service operators take technical and organizational risk management measures to prevent and minimize the impact of incidents that affect their networks and information system security.
Digital services companies must take technical and risk management measures to ensure an appropriate level of security for systems and facilities including:
- Incident management
- Business continuity
- System monitoring
- Regulatory compliance
- Standards compliance
Both essential and digital service providers may be required to provide authorities with documented policies for assessing the security of their networks and information systems. Essential service providers may also have to present evidence that such policies are effectively implemented, for example the results of a security audit.
Learn about Masergy’s professional security services including comprehensive security audits, regulatory compliance testing, vulnerability assessments, and risk management.