Week 9: Cybersecurity Laws and Regulations
Puneet Tanwani Manghnani
Cybersecurity Consultant | Risk & Compliance, Strategy and IAM | Mental Health Ally
In hindsight, one of the things we should have mentioned when we discussed the myths around cybersecurity is how heavily regulated the field is. One reason for this is the surge in cybercrime; another is that people are increasingly conscious of their privacy and security when they are online and connected.
At the end of the day, individuals want the businesses they trust with their data to be accountable for their security posture. Hence this article, which covers some of the key pieces of legislation that affect both businesses and individuals.
Note: Laws and regulations vary by geographic location, and the following list is not exhaustive. The goal of this article is not to help you achieve compliance; rather, it is for you to appreciate that there are initiatives to tackle cybercrime and protect information.
The General Data Protection Regulation (GDPR) was adopted in 2016 and has applied since 25 May 2018, with a dual objective: to give individuals more control over their personal data and to harmonise data protection law across the European Union (EU). It applies to organisations established in the EU regardless of where the processing takes place, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. The test is whether the data subject is in the EU, not their nationality.
GDPR puts a strong emphasis on having a lawful basis for processing (consent being one of them) and on data subject rights, including but not limited to rectification and erasure. A personal data breach must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; where the risk is high, the affected individuals must also be informed without undue delay. Fines for non-compliance can reach 20 million euros or 4% of total worldwide annual turnover, whichever is higher.
The full text can be found here.
Note: We’ll cover GDPR in greater detail during the second quarter of this year.
The Cybersecurity Act (CSA) entered into force in 2019 with the primary goal of raising the level of protection against cyber threats within the EU. It does two things: it gives the European Union Agency for Cybersecurity (ENISA) a permanent mandate, and it establishes a European cybersecurity certification framework for ICT products, services and processes. A certificate issued under a European scheme is recognised in every member state, so an ICT service provider or manufacturer no longer needs a separate certificate per country. Certification under the framework is voluntary unless other EU law makes it mandatory for a given product or service.
But what does all this mean? For a long time, member states relied on national rules and technical specifications for evaluating the cybersecurity properties of services and products. This divergence fragmented the market and disrupted the free flow of ICT products and services within the EU. The CSA therefore aims to replace the patchwork of national-level certificates with EU-wide schemes, increasing trust and security, which is crucial for the smooth functioning of the single market.
The full text can be found here.
The EU adopted NIS2 (the second Network and Information Security Directive) in late 2022, and it entered into force in January 2023, in response to the increasing number of attacks against critical infrastructure. Member states must transpose it into national law by 17 October 2024. If your organisation meets all of the following criteria, then compliance is required:
Key aspects of NIS2 include enhanced cooperation amongst member states, new incident reporting timescales (an early warning within 24 hours of becoming aware of a significant incident, a full notification within 72 hours and a final report within one month), supply chain risk management, and direct responsibility for management bodies:
The penalties for violating this directive (including for not having basic cyber hygiene measures in place) are steep. Essential entities can face fines of up to 10 million euros or 2% of their total worldwide annual turnover, whichever is higher, whereas important entities can be fined up to 7 million euros or 1.4% of their total worldwide annual turnover, whichever is higher. Members of management bodies can also be held personally liable, and at essential entities that persistently fail to comply, individuals at chief executive or legal representative level can be temporarily barred from exercising managerial functions.
The full text can be found here.
The Digital Operational Resilience Act (DORA) entered into force in January 2023 and applies from 17 January 2025. This regulation aims at strengthening the digital operational resilience of financial entities such as credit and payment institutions, investment firms, credit rating agencies and crowdfunding service providers, as well as the ICT third-party providers that serve them.
At first glance, DORA and NIS2 might seem quite similar, but they differ in many aspects. The simplest and most obvious difference is scope. NIS2 sets high-level obligations for entities in sectors considered critical infrastructure, whereas DORA focuses on the financial sector and, as the sector-specific law, takes precedence over NIS2 for the financial entities it covers.
DORA also expands on the management of ICT-related incidents, for which previously there were only European Banking Authority (EBA) guidelines, thereby improving operational resilience across the EU. It does so by taking a deep dive into the requirements around Business Continuity Management (BCM), digital operational resilience testing (including threat-led penetration testing for the largest entities), and Third Party Risk Management (TPRM).
Another difference is that NIS2 looks at supply chain security (i.e., the hardware and software an entity depends on), while DORA places more emphasis on TPRM, including a direct oversight framework for critical ICT third-party providers. DORA also treats risk as a systemic issue: if one entity goes down, there could be a cascading effect on others. Finally, NIS2 sets minimum maximum fines for non-compliance, whereas DORA leaves the penalty regime to the individual member states. A key takeaway is that the two pieces of legislation complement each other.
The full text can be found here.
Note: We’ll cover the key concepts around Business Continuity and Risk Management during the second quarter of this year.
While the Computer Misuse Act 1990 (CMA) is UK-centric, other countries have passed similar legislation. The CMA makes it a criminal offence to access or modify computer material, including your personal and private information, without authorisation.
Under the Act, the following are offences and can lead to financial penalties or imprisonment:
The full text can be found here.
Note: In 2021, the UK Home Secretary announced a review of the CMA.
Next week we’ll cover reporting cybercrimes.
This article is part of a project called Security Chronicles, written jointly with Walter Buyu.
Cybersecurity Lead - Fever | CISM, CISA, CEH
9 months ago: Very interesting article Puneet Tanwani Manghnani!