Legislation

Europe

The NIS Directive is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.

The Directive on security of network and information systems (the NIS Directive) was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. Member States had to transpose the Directive into their national laws by 9 May 2018 and identify operators of essential services by 9 November 2018.

  • Most member states legal implementation will be more strict and more severe, but the deadline of mid 2018 has not been met by most members! Today most member states have their own law in place, based on the NIS Directive.
  • A key element of the directive is that member states must ensure public bodies and certain market operators (managing critical infra-structures) take appropriate technical and organisational measures to manage the security risks to networks and information systems – these must guarantee a level of security appropriate to the risks and should prevent and minimise the impact of security incidents affecting the core services they provide. 
    • Security requirements
    • Use of Standards
    • Enforcement (powers to investigate cases of non-compliance)

The implementation of Article 14 of the NIS Directive is described via 4 top-level objectives:

  • Objective A. Managing security risk

Appropriate organisational structures, policies, and processes are in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services.

  • Objective B: Protecting against cyber attack

Proportionate security measures are in place to protect essential services and systems from cyber attack.

  • Objective C: Detecting cyber security events

Capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services.

  • Objective D: Minimising the impact of cyber security incidents

Capabilities to minimise the impact of a cyber security incident on the delivery of essential services including the restoration of those services where necessary.

The NIS Directive is applicable to all member states of the European Union. On the map above the UK is still visble as a member state, but we all know that the UK will leave the EU soon.

Another law that has been issued in the EU is the GDPR.

The EU General Data Protection Regulation (GDPR) was adopted in April 2016 and has taken effect across the EU on 25 May 2018. It supersedes the 28 current national data protection laws based on the 1995 Data Protection Directive (DPD).

Data protection is no longer just a legal, compliance or security issue. Given the magnitude of the penalties, GDPR compliance needs to be a priority on the agendas of the board and senior management.

The main reason why the GDPR is in place is to stop organisations and social media to collect and use private data of people. The GDPR mandates how to collect, protect and store personal data in companies across the whole EU. Personal data is data about personal information of humans. Companies should be able to demonstrate how the data is collected, protected, maintained, stored and deleted when no longer required.

Large organisations should select and nominate a dedicated Data Protection Officer (DPO). In small organisation it could be a shared function, but it requires special attention.

Penalties of non-compliance could go up to 4% of the total revenue or 20 Million Euro, which ever is the greatest.

This legal Requirement effects your HR systems and processes and not your Process Control environment!