How will EU cyber security directive affect business?

Much focus on EU’s proposed cyber security strategy and directive has been on implementation, but what effect will it really have on business?

Since the publication of the EU’s proposed cyber security strategy and supporting directive, much of the focus has been on how difficult it will be to implement and how effective it will be in improving data security. But what effect will it have on business?

The most obvious effect is that it will mean additional costs for all businesses covered by the proposed directive in terms of creating new processes and acquiring new technology to comply.

The directive means that, for the first time, companies will be under a legal obligation to ensure they have suitable IT security mechanisms in place, which is likely to boost IT spending across the EU.

Conversely, it will mean additional income for the IT security industry as businesses are forced to find money to invest in whatever additional security technologies they need to become compliant.

Shake up for whole online industry

Bad news for most, but good news for some. But that is not the end of it. A closer look at what the EU is proposing reveals that the directive in its current form could shake up the whole online industry.

In fact, any organisation that provides any services online will fundamentally have to change the way its business operates, according to law firm Field Fisher Waterhouse (FFW).

“This is huge,” said Stewart Room, partner at FFW, because the directive recognises that anything on the web that permits anyone to sell anything, offer information or engage with the rest of the world requires as much regulation as a telecommunications company.

For telcos, this will help to level the playing field, because "over the top" (OTT) providers such as Skype have enjoyed a financial advantage from being unregulated on cyber security issues. Telcos have been subject to effective cyber security regulation since the late 1990s.

This is the logical next step of an EU directive introduced in 2009 that required telcos and internet service providers not only to report all breaches of personal data, but also introduced a separate legal obligation to report all other data breaches in the interests of cyber security.

“This is a little known fact, and it is purely about the cyber security of networks," said Stewart Room. "It recognises that telecommunications networks form a platform that everything else relies on in terms of electronic communications."

Round one in 2009 was about making the underlying platform secure, while round two in 2013 recognises there is another, equally critical layer made up of the OTT players, he said.

The important thing to note is that the proposed directive introduces the idea of a “market operator” which currently covers not only providers of information society services and critical infrastructure, but also organisations that fall into six broad categories.

These are: e-commerce platforms; internet payment gateways; social networks; search engines; cloud computing services; and app stores.

This covers a very wide range of organisations, especially considering that in this context “e-commerce platforms” include any platforms that provide electronic information over a distance.

Despite the wide coverage of the six categories, the EU has left the door wide open to add more, describing the list as “non-exhaustive”.

The real effect of the proposed directive begins to emerge in the light of the fact that it requires all “market operators” to ensure that the networks and information systems under their control meet minimum security standards, to be laid down by the EU.

In addition to the obvious large firms like Amazon, iTunes, PayPal, Google, LinkedIn and Facebook, the proposed directive will affect a whole range of other smaller organisations, potentially even down to the level of small family-owned businesses, said Room.

Theoretically, this will have the positive effect of improving the security and resilience of all networks and information systems, but this is a classic case of having to “be careful what you wish for,” he said, because the cost implications for businesses large and small could be enormous.

However, the EU and the US have gone so far down this path, no one is ever going to say that any of this is unnecessary.

Whether or not the cyber threat is as bad as the EU, US and security technology suppliers are making it out to be, network and information system security will be the cost of doing business in a cyber-enabled world as old business models fade away and slip into history.  

Three main costs

As new cyber security regulators emerge across Europe, businesses will face three main sets of costs, according to Room.

First, it will force a technology refresh for most businesses to bring themselves up to standard, and thereafter legal obligations will drive more frequent technology updates than exist today.

Second, a potentially even greater cost will be in setting up the policies, processes and training regimes that will be required to prove compliance.

“There will be a massive cost just in getting all the security knowledge that is currently in people’s heads down on paper,” said Room.

Third, as security incident detection capabilities increase, so will the number of incidents detected and, consequently, businesses will face a new and increasing cost of managing and responding to those alerts.

“The big problem is not every company is as rich as Google, Facebook and the like, and this proposed directive will not only affect those big companies, much smaller ones will be covered too,” said Room.

It remains to be seen, he said, if smaller companies and startups will be able to afford to comply without some protections being drafted in as EU member states move to legislation to uphold the directive.

Special protections aside, said Room, businesses need to be aware that this proposed directive will result in massive cyber security-related costs.

It will also inevitably result in the need for businesses to notify multiple regulators in the event of a data breach, which in turn will have associated costs.

A telco, for example, could potentially have to notify a telecoms sector regulator, a personal data protection regulator, a telecoms cyber regulator and a general cyber security regulator.

No one is likely to argue that greater network and information security and resiliency is not necessary, but in pursuit of that ideal, business is likely to face a whole raft of new costs.
