Most EU businesses unclear on latest cyber security laws

Most EU businesses feel guidelines to achieve compliance with new European Union cyber security legislation are unclear

Most businesses in the UK, France and Germany feel guidelines to achieve compliance with new European Union cyber security legislation are unclear, a study has revealed.

A third of organisations polled also do not understand the impact of the coming cyber security legislation, according to a study by security firm FireEye.

The study assessed respondents’ understanding and expectations of the proposed Network and Information Security (NIS) and General Data Protection Regulation (GDPR) legislation.

The GDPR is set to be finalised in early 2015, with compliance becoming mandatory in 2017.

The NIS directive – set to be implemented this year – will impose new security and incident reporting requirements on a broader range of private sector companies.

The study shows that many organisations in Europe are unprepared for the changes and are challenged by the cost and complexity of complying with new EU data security legislation.

Only 39% of organisations polled said they have all the required measures in place for the NIS. Only two-thirds said their organisations fully understand the impact of the NIS and GDPR regulations.

The top concerns associated with serious data breaches and loss of personal information are potential fines (58%), damage to reputation (57%) and loss of business and/or revenue (58%).

More than 60% of the organisations surveyed said they'd had little or no clear guidance on the legislation.

Some 64% cited additional expenditure on hardware and software as a challenge, with 23% rating this as the single most important barrier to complying with the directives. Other barriers cited included implementation costs (58%) and policy complexity (56%).

The study report concluded that there is a mixed state of readiness at best, with many not understanding the true extent of the potential impact of the legislation.

“The past year has shown that breaches are inevitable as hackers continue to evade security, and the EU directives are an important step towards addressing these threats,” said Richard Turner, vice-president, Europe, at FireEye.

“Organisations need to ensure that they have the capabilities to detect, prevent, analyse and respond to breaches in a timely manner, and the EU legislation – both the NIS directive and GDPR – promotes the adoption of capabilities to respond to and report breaches,” he said.

Turner said that while this is a positive step, organisations need to look beyond the EU directives and be prepared to launch an appropriate and proportionate response to a threat or breach to protect shareholder value.

Adam Palmer, international government affairs director at FireEye, said the new EU security and privacy requirements are important and will greatly increase the security obligations of European organisations.

“We encourage organisations of all sizes to adopt mitigation measures that will manage risk stemming from zero-day exploits and never-seen-before malware as these attacks constitute a majority of advanced attacks in today’s threat environment,” he said.

But Palmer said the research shows that organisations are not fully prepared for the implementation of the legislation. “It is therefore critical that these organisations begin preparing now to be in compliance so they are not caught unprepared,” he said.

Stewart Room, partner and global head of cyber security and data protection law at PwC Legal, said that although most businesses are confused about the content and likely impact of the proposed legislation, it is relatively easy to identify the critical changes.

“These are principally about the need for good governance structures, risks assessments, the engineering-in of good privacy and security controls and appropriate levels of transparency with consumers and regulators – for instance, about consents and breach disclosure,” he said.

Room said the greater challenge is for businesses to identify the correct start point: “At PwC we help many businesses adjust to the realities of regulatory and legal reform. What is critical as a first step is gaining an understanding of the client's special characteristics, which include the desired maturity level for compliance.

“From there, with appropriate strategic advice, it is easy to chart a course through this thicket of new legislation,” he said.