In his State of the Union Address, Jean-Claude Juncker, European Commission President aptly said, “Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks.”
His statement is 100% true!
Online privacy and security of the general public are among the top most concerns for the governments as well as businesses across the globe.
In some EU Member States, 50% of all crimes committed are cybercrimes. Critical sectors like health, finance, transport, energy, and more are dependent on digital networks and information systems. Statistics show that 4,000 ransomware attacks occur every single day. Hackers can and are targeting everyone from individuals to essential services providers, which is causing enormous loss of sensitive information. These critical services form the backbone of a nation and major cybersecurity attacks on them can create ripples across entire countries, or perhaps the world. And it is an understatement to say that they are at a risk. With Network and Information Systems (NIS) Directive, the cybersecurity landscape in the EU is all set to receive a much-needed upgrade.
The NIS Directive is the first legislation on cybersecurity which is applicable across the EU. An important bit to note here is that it is not a regulation like GDPR, it is a Directive. The word ‘Directive’ is key. It means that the responsibility to interpret it and make it a part of their legal system lies with the individual member states.
NIS Directive focusses on operators of essential services and the providers of digital services. So, it is about creating gold standards of cybersecurity for services that have the maximum impact on the lives of the general public. There are three objectives that the Directive sets to fulfil.
• Upgrading the National Cybersecurity of the Member States
• Improving EU-wide co-operation in matters of cybersecurity
• Creating standards of reporting for the organisations (it applies to)
Is There a Need for Both GDPR and NIS co-exist?
The European Union (EU) has introduced the General Data Protection Regulation (GDPR) to deal with issues of individual privacy. Privacy and cybersecurity go hand in hand. Secure online systems are a prerequisite to provide privacy to the data subjects. GDPR tackles organisation-wide issues of data privacy, while the NIS Directive deals with the national-level cybersecurity concerns.
With GDPR it is clear what organisations have to do because it’s a law and it’s uniformly applied across the EU. NIS Directive, on the other hand, may be a little difficult for organisations to comprehend because it will differ from one country to another. So, how a country adopts the NIS Directive in their own legal framework will depend on the maturity of its laws vis-a-vis the modern digital world. Some Member States may only have to make some improvements, few may have to do some serious upgrades, and while others may have to completely transform the way they look at their cybersecurity laws. It is each country to its own.
There is definitely a need for the NIS Directive to exist even in a world where GDPR is present because it furthers the cause of data security, which is the need of the hour and the statistics agree.