In his State of the Union Address, Jean-Claude Juncker, European Commission President, aptly said, “Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks.”
His statement is 100% true!
Online privacy and security (under NIS Directive 2018) of the general public are among the topmost concerns for governments as well as businesses across the globe.
In some EU Member States, 50% of all crimes committed are cybercrimes. Critical sectors like health, finance, transport, energy, and more are dependent on digital networks and information systems. Statistics show that 4,000 ransomware attacks occur every single day. Hackers can target, and are targeting, everyone from individuals to essential services providers, which is causing enormous loss of sensitive information. These critical services form the backbone of a nation, and major cyber security attacks on them can create ripples across entire countries, or perhaps the world. And it is an understatement to say that they are at risk. With the Network and Information Systems (NIS) Directive, the cyber security landscape in the EU is all set to receive a much-needed upgrade.
The NIS Directive 2018 is the first legislation on cyber security which is applicable across the EU. An important point to note here is that it is not a regulation like GDPR; it is a Directive. The word ‘Directive’ is key. It means that the responsibility to interpret it and make it a part of their legal systems lies with the individual Member States.
The NIS Directive focuses on operators of essential services and the providers of digital services. So, it is about creating gold standards of cyber security for services that have the maximum impact on the lives of the general public. There are three objectives that the Directive sets out to fulfil.
• Upgrading the national cyber security of the Member States
• Improving EU-wide co-operation in matters of cyber security
• Creating standards of reporting for the organisations it applies to
Is There a Need for Both GDPR and NIS to Co-exist?
The European Union (EU) has introduced the General Data Protection Regulation (GDPR) to deal with issues of individual privacy. Privacy and cyber security go hand in hand. Secure online systems are a prerequisite for providing privacy to the data subjects. GDPR tackles organisation-wide issues of data privacy, while the NIS Directive 2018 deals with the national-level cyber security concerns.
With GDPR it is clear what organisations have to do because it’s a law and it’s uniformly applied across the EU. The NIS Directive, on the other hand, may be a little difficult for organisations to comprehend because it will differ from one country to another. So, how a country adopts the NIS Directive 2018 into its own legal framework will depend on the maturity of its laws vis-a-vis the modern digital world. Some Member States may only have to make some improvements, a few may have to do some serious upgrades, while others may have to completely transform the way they look at their cyber security laws. It is each country to its own.
There is definitely a need for the NIS Directive to exist even in a world where GDPR is present because it furthers the cause of data security, which is the need of the hour, and the statistics agree.