Europe will introduce new cybersecurity measures governing data protection in the next two to three years. Instituted under the EU Network and Information Security (NIS) directive and the General Data Protection Regulation (GDPR), these rules will require hardware and software changes along with new reporting requirements.
To gauge the readiness of companies in France, Germany and the UK in complying with the new legislation, FireEye surveyed 260 people working in IT for organizations with over 500 employees. The report, released last week, finds that one-third of respondents believe their company doesn’t fully understand the implications of the new standards.
“The past year has shown that breaches are inevitable as hackers continue to evade security, and the EU directives are an important step toward addressing these threats,” Richard Turner, VP EMEA at FireEye, said in a statement. “The EU legislation — both the NIS directive and GDPR — promotes the adoption of capabilities to respond to and report breaches.”
According to the “Mixed State of Readiness for New Cybersecurity Regulations in Europe” report, when mandatory compliance is instituted, it will require “‘operators of critical infrastructures’ or ‘critical national infrastructure (CNI) market operators – which include those working in the energy, financial services, health and transport sectors, alongside public sector bodies – adopt appropriate steps to manage security risks and report serious incidents to a national competent authority, such as a computer emergency response team (CERT) which will represent a ‘single point of contact’ if not necessarily the only competent authority in each member state.”
The majority of respondents to the FireEye study, conducted by IDC Connect, believe the new EU regulations will have an overall positive impact beyond voluntary reporting and security assessments.
Two-thirds of respondents cite software and hardware upgrades as a significant financial challenge, while more than half feel they are receiving no clear guidance to comply with the new legislation.
“What most organizations do consider a certainty is that additional spending on security hardware, software and policy implementation will be needed to achieve compliance with the new regulations, and that these projects will present them with significant challenges,” the report said. “Deployment and upgrade initiatives are expected to be both complex and difficult to support due to a lack of in-house knowledge and expertise in the relevant data protection definitions and requirements.”
These laws will extend to companies doing business in the EU whether or not their data is housed there, which could have future implications for cases such as the US government’s attempt to assert jurisdiction over data hosted by Microsoft in Ireland.
Early in January, the EU Parliament said states no longer needed to comply with the EU Data Retention Directive that was invalidated by the EU Court of Justice in April. Until new legislation is finalized this year, each EU state will address data retention on an individual basis. This has created an increasingly difficult and confusing climate for European companies, as discussed with 451 analyst Rory Duncan in October.
Understanding and implementing the rules correctly will be a major concern for EU businesses going forward. Over 58 percent of those surveyed cited non-compliance fines as a major concern. The penalty for companies is far higher than it has been in the past, with a possible maximum fine of €100 million (more than $113 million US) or five percent of annual global turnover.
“The new EU security and privacy requirements are incredibly important and will greatly increase the security obligations of European organizations,” Adam Palmer, International Government Affairs Director at FireEye, said. “We encourage organizations of all sizes to adopt mitigation measures…however, our research does show that organizations are not fully prepared for the implementation of the legislation, and it is critical these organizations begin preparing now to be in compliance and not be caught unprepared.”
Companies in Germany are best prepared for the NIS directive, according to the report. Forty-six percent believe all measures are in place, compared with 38 percent in France and 34 percent in the UK. This may be because strict data protection requirements have been in place in Germany longer than in any other EU state.
The NIS directive is set to be implemented in 2015, and the GDPR is set to be finalized in early 2015, with compliance requirements beginning in 2017.