EU agrees on a unified law that requires critical companies to report breaches


The rules of the Network and Information Security Directive (NIS Directive) were agreed this week.

The new law will require online firms such as Google and Amazon to report serious breaches or face sanctions.

The incident notification duty will also apply to operators of critical infrastructure, which is likely to include many companies in the healthcare, energy, transport and finance sectors.

Affected companies will have to ensure that the digital infrastructure they use to deliver essential services can withstand cyber attacks.

Which other operators count as critical will be determined by member states on the basis of three criteria:

  • Whether the service is critical for society and the economy.
  • Whether the operator depends on network and information systems.
  • Whether an incident could have significant disruptive effects on its provision or public safety.

Under the new Directive, EU member states will be required to set up a network of Computer Security Incident Response Teams (CSIRTs) to handle incidents, including cross-border security incidents.

The Directive comes in the wake of growing concern that online banking, power stations or airport control systems could be targeted by criminal hackers. The EU Agency for Network and Information Security (ENISA) has estimated annual losses from such attacks at €260bn to €340bn (£188bn to £246bn).

Once the Directive is published, member states will have 21 months to transpose it into national law.

Earlier, we reported on the under-reporting of data breaches in Europe. Jeremy King, international director of the PCI Security Standards Council, recently stated that “Regulators in Europe are getting tired of these breaches. … We are still fighting a major battle against the cybercriminals, and organisations need to take this seriously. Criminals are finding their way in. And once they’re in, they can get access to a lot of very valuable data”.

He explained that although the PCI DSS, the international standard for payment card security, does not specifically mandate the protection of personally identifiable information (PII), the processes and procedures that apply to cardholder data can be applied to protect other types of data as well.

IT Governance is an approved PCI QSA (Qualified Security Assessor). Whether you are a merchant or service provider, we can help you to improve your cyber security and comply with the PCI DSS quickly and efficiently. If you want the cardholder data you collect, process or store to be secure in 2016, IT Governance can help you.
