EU Legislation on security breaches coming our way next year

The EU Commission has published a draft Network and Information Security (NIS) Directive.

What is it

It will require a range of businesses, including energy suppliers, transport infrastructure bodies, banks and health care bodies, e-commerce platforms, online payment ‘gateways’, social networks, search engines and cloud providers, to be responsible for informing regulators of any ‘significant’ cyber security incidents they experience.

The Commission has also published a cyber security strategy.

Under the proposals, ‘public administrations and market operators’ will be required to carry out ‘appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations’, under the threat of ‘effective, proportionate and dissuasive’ sanctions. These measures would have to be ‘appropriate’ to the security risks that each organisation faces.

In the event of a breach that has a ‘significant impact on the security of the core services they provide’, the organisation would have to notify its local regulator.

There is also a mechanism for local regulators to mandate public disclosure if the regulator deems it necessary, as well as specified co-operation between member state regulators in the form of an early warning system.

The document says it will pass into law in 2014-2015.


Obviously the draft is going through its comment stage and this has thrown up a couple of peaches!

  • ‘Software producers shall be responsible for correcting security breaches, within 24 hours of being informed for serious cases, and 72 hours for cases where the effects are unlikely to result in any significant financial loss or serious breach of privacy’
  • ‘Commercial software producers shall not be protected from ‘no-liability’ clauses when it can be demonstrated that their products are not properly designed to handle foreseeable security threats.’

I fancy some overpaid lobbyists will be working hard to get those removed, more’s the pity.

The UK has put back a response which basically says it’s probably a good thing but more info is required.

Proposed Costs

Obviously with a strong pinch of salt…

1,250,000 EUR to set it all up, including:

  • a Rapid Alerting and Notification System for NIS (275 000 EUR);
  • an Information Exchange Platform (400 000 EUR);
  • an Early Warning and Response System (275 000 EUR);
  • a Situation Room (300 000 EUR).

In fairness, a more detailed implementation plan will be defined by the nattily titled Feasibility study and preparatory activities for the implementation of a European early warning and response system against cyber-attacks and disruptions, which was awarded to Deloitte at the end of last year (27.12.2012) for 179 325 EUR ex VAT.

On top of the projected annual staff cost of 890,000 EUR for 5 Commission employees (nice work etc etc), there will be the local regulator costs, which are not covered in the proposals.

To be honest that seems light to me, but I’m sure Deloitte will put them right.

So What?

It will eventually become law, and that will mean that data security will have to be taken seriously. Organisations will have to bear a cost to meet the regulations and may have their failings publicly disclosed. Services such as IP Sentinel Monitoring will become invaluable as part of the breach monitoring systems.

It is also my opinion that this will create massive growth in the data security insurance market. The introduction of a regulatory framework will let organisations be more honest (in private anyway), and this will allow insurance companies to assess the risks in a way they cannot in the current state of market fragmentation. Once again, using a system such as IP Sentinel Monitoring will prove to an insurer that an organisation is taking its mitigation seriously.