Week 9: Cybersecurity Laws and Regulations

In hindsight, one of the things we should have mentioned when we discussed the myths around cybersecurity is how strictly regulated the field is. One reason for this is the surge in cybercrime and the fact that people are increasingly conscious of their privacy and security when it comes to being online and staying connected.

At the end of the day, individuals want the businesses they trust with their data to be accountable for their security posture. Hence this article, in which we cover some of the key pieces of legislation that affect both businesses and individuals.

Note: Laws and regulations vary depending on your geographic location, and the following list is not exhaustive. The goal of this article is not for you to achieve compliance; rather, it is for you to appreciate that there are initiatives to tackle cybercrime and protect information.

  • General Data Protection Regulation (GDPR)

GDPR was adopted in 2016 and has applied since 25 May 2018, with a dual objective: to give individuals more control over their personal data and to standardize data protection law across the European Union (EU). It applies to organisations established in the EU and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, irrespective of where the data is processed.

GDPR puts a strong emphasis on lawful basis (including consent) and on the rights of data subjects, including but not limited to the rights to Rectification and Erasure. In addition, businesses must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; affected individuals must also be informed when that risk is high. Fines for non-compliance can go up to 20 million euros or 4% of global annual turnover, whichever is higher.

The full text can be found here.

Note: We’ll cover GDPR in greater detail during the second quarter of this year.

  • The EU Cybersecurity Act (CSA)

This was introduced in 2019, and its primary goal is to increase protection against cyber threats within the EU. The Act establishes an EU-wide framework for the cybersecurity certification of ICT products, services and processes: a certificate issued under a European scheme is recognised in every member state, so ICT service providers and manufacturers no longer need a separate certificate per country. Certification under the framework is voluntary unless other EU or national law makes it mandatory. The Act also gave a permanent mandate to The European Union Agency for Cybersecurity (ENISA), which prepares the candidate certification schemes.

But what does all this mean? For a long time, member states relied on national rules and technical specifications for evaluating the “cybersecurity properties” of services and products. This divergence disrupted the free flow of ICT products and services within the EU. The CSA, hence, aims to replace the national-level certificates with mutually recognised European ones to increase trust and security, which is crucial for the smooth functioning of the single market.

The full text can be found here.

  • The Network and Information Systems (NIS) Directive 2

NIS2 entered into force in January 2023 in response to the increasing number of attacks against critical infrastructure, and member states must transpose it into national law by 17 October 2024. Your organization is in scope if it meets all of the following criteria:

  1. It is established in, or provides its services within, an EU member state.
  2. It qualifies as a medium-sized enterprise (at least 50 employees, or annual turnover or balance sheet above 10 million euros) or a large enterprise (at least 250 employees, or annual turnover above 50 million euros or balance sheet above 43 million euros). A small number of entity types, such as DNS service providers and top-level domain name registries, are in scope regardless of size.
  3. It operates in one of the sectors listed in the directive's annexes: sectors of high criticality such as healthcare, transport, and banking, whose large entities are classed as Essential, or other critical sectors such as research and the manufacture of medical devices, whose entities are classed as Important.

Key aspects of NIS2 include enhanced cooperation amongst member states, new incident reporting timescales, supply chain risk management, and additional responsibility for management:

  1. Enhanced cooperation: ENISA is mandated to develop and maintain a European vulnerability database to support information sharing across EU countries.
  2. Incident Reporting: An early warning must be sent to the competent authority or the CSIRT within 24 hours of becoming aware of a significant incident. Within 72 hours, an incident notification must follow with an initial assessment of impact and severity and, where available, indicators of compromise (IoCs). A final report is due within one month of that notification.
  3. Supply Chain: Risk management is key, and NIS2 explicitly requires entities to address supply chain security, including the security of their relationships with direct suppliers and service providers.
  4. Management Accountability: Management bodies must approve the cybersecurity risk-management measures and oversee their implementation (we will cover risk treatment in a later article, but in a nutshell it refers to how each risk is addressed, i.e., accepted, avoided, transferred, or mitigated). Members of management must also follow cybersecurity training themselves and should encourage similar training for employees.

The penalties for violating this directive (including not having basic cyber hygiene measures in place) are steep. Essential entities can face fines of up to 10 million euros or 2% of their total worldwide annual turnover, whichever is higher, whereas Important entities can be fined up to 7 million euros or 1.4% of their total worldwide annual turnover, whichever is higher. Natural persons with management responsibilities in essential entities can also be temporarily prohibited from exercising managerial functions.

The full text can be found here.

  • The Digital Operational Resilience Act (DORA)

DORA entered into force in January 2023 and applies from 17 January 2025. This piece of legislation aims to strengthen the digital operational resilience of financial entities such as credit and payment institutions, investment firms, credit rating agencies, and crowdfunding service providers, along with the ICT third-party providers that serve them.

At first glance, DORA and NIS2 might seem quite similar, but they differ in many aspects. The simplest and most obvious difference is the intended scope: NIS2 sets high-level obligations for entities considered critical infrastructure across many sectors, whereas DORA focuses on the financial sector.

DORA also expands on the management of ICT-related incidents, for which previously there were only European Banking Authority (EBA) guidelines, thereby improving operational resilience across the EU. It does so by setting detailed requirements for Business Continuity Management (BCM), penetration testing (including threat-led penetration testing of critical systems), and Third Party Risk Management (TPRM).

Another difference is that NIS2 looks at supply chain security (i.e., the hardware and software an entity relies on), while DORA puts more emphasis on TPRM, including an oversight framework for critical ICT third-party providers. DORA also treats risk as a systemic issue (i.e., if one entity is down, there could be a cascading effect on others). Finally, NIS2 sets minimum levels for administrative fines, whereas DORA leaves the penalties to the individual member states. A key takeaway here is that the two pieces of legislation complement each other.

The full text can be found here.

Note: We’ll cover the key concepts around Business Continuity and Risk Management during the second quarter of this year.

  • Computer Misuse Act (CMA) of 1990

While the CMA is UK-centric, other countries have passed similar legislation. The CMA criminalises unauthorised access to, and interference with, computers and the programs and data held on them. It is the law under which hacking offences are prosecuted in the UK, which is also why penetration testers need written authorisation from the system owner before testing.

Under the Act, the following are offences and can lead to fines or imprisonment:

  1. Accessing a computer, or any program or data held on it, without authorisation (Section 1).
  2. Carrying out unauthorised acts with intent to impair the operation of a computer or the reliability of its data. This includes deleting or altering data as well as deploying malware (Section 3).
  3. Accessing a computer without authorisation with the intent to commit or facilitate further offences. This includes using a device to commit fraud (Section 2).

The full text can be found here.

Note: In 2021, the UK Home Secretary announced a review of the CMA.

Next week we’ll cover reporting cybercrimes.

This article is part of a project called Security Chronicles, written jointly with Walter Buyu.

Javier Pérez Castaño

Cybersecurity Lead - Fever | CISM, CISA, CEH

9 months ago

Very interesting article Puneet Tanwani Manghnani!
