Double Trouble: GDPR + NIS
Overlapping data protection legislation may result in multiple fines for a single breach.
There were a lot of press pieces, blogs, articles, and webinars earlier this year dealing with the General Data Privacy Regulation (GDPR) and its impact on businesses. The European Union (EU) put the privacy regulation into effect on May 25, 2018. It requires compliance from all businesses that collect and store personal data of EU-based citizens.
Most everyone knows about GDPR by now, but do you know about the EU's directive on the security of Network and Information Systems (known as the NIS Directive), which is cybersecurity legislation that can result in fines for organizations that don't have the proper security in place to prevent a breach of IT infrastructure?
The EU directive on the security of Networks and Information Systems can be just as influential for IT as GDPR has been. The NIS Directive applies to all EU member countries and gives each country the flexibility to adapt the legislation so that it aligns with other national legislation and local circumstances, which means each country will have its own version and specifications. But broadly, the NIS Directive concerns the security of nationally important infrastructure such as energy, water supplies, transportation, and healthcare.
U.S. businesses that are involved with these sectors in the EU will have to comply with this directive as well. Its goal is to improve the security and resilience of these services by enhancing and protecting networks against cyber attacks.
Introduction to the NIS
The directive requires EU members to create and operate "a National Cyber Security Strategy, a Computer Security Incident Response Team (CSIRT), and a national NIS competent authority."
The Directive provides the legal footing to:
- Ensure that EU members have a national framework so that they are equipped to manage cyber security incidents and oversee the application of the Directive.
- Set up a Cooperation Group among EU members to support and promote strategic cooperation and the exchange of information across country borders.
- Ensure that organizations which rely heavily on information networks are identified by each EU member as "operators of essential services" (OES). Those OES will have to take appropriate security measures to manage risks to their network and information systems. The OES will be required to notify the relevant national authority of cybersecurity incidents.
This means that any organization that operates and maintains infrastructure in energy, healthcare, transportation, and water services will have to comply with the NIS Directive as well as the GDPR. The U.K.'s National Cyber Security Centre (NCSC) provides a good review of the NIS Directive and how it applies to U.K. law.
Data protection is becoming more complicated, with cost implications that will continue to rise. It's not just GDPR. If you are processing data in the cloud, data protection complications increase. When you use cloud services, you may be storing, processing, and transporting data. Have your legal department or organization lawyers investigate whether your cloud data processing is impacted by the NIS Directive.
A cloud customer can have a direct contract with a software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), or platform-as-a-service (PaaS) provider. When a cloud customer has a direct contract with a SaaS provider, the SaaS provider may itself have outsourced to an IaaS or PaaS provider, or even to another SaaS provider; you need to know about those subcontractors to understand both your own liabilities and the SaaS provider's. And because many service providers now run on someone else's infrastructure -- such as AWS and Azure -- connectivity and payment services providers can also be involved. There can be a complex chain of organizations involved in your cloud computing initiatives, and you need to know about each one of them.
You Could Have Double Penalties
As Dr. Kuan Hon of the European law firm Fieldfisher explained in a recent Computing article, under GDPR and NIS, critical infrastructure providers could end up being fined twice for the same data breach.
GDPR is designed to protect the personal data of EU citizens. The purpose of NIS is to protect the security of information systems at critical infrastructure providers. The NIS Directive has a broad definition that includes any connected device on any network as well as the data that is associated with those devices and networks. When a provider's network is breached, and it contains personal data, there's a possibility of penalties under both GDPR and NIS.
Compliance Will Cost You
U.S. IT staff need to be mindful of these regulations and adjust their procedures and tools to ensure compliance. IT staff will need training around new and evolving compliance efforts. Of course, there are bound to be some organizations that are not affected by the European regulations. But for those who are affected, even if you believe you are in compliance with GDPR and NIS, it's a good idea to have internal staff or third-party consultants reevaluate your compliance efforts to ensure you're still doing everything you should be doing and the proper protections are in place. It's better to be safe now than sorry later.
What About Your Job?
When security is breached in IT systems and networks, it can cost IT staff their jobs, as well as the jobs of CIOs and CEOs. All business today is dependent on IT. It's not enough for executives to relegate security to the tech staff and call it a day.