Regulatory Timeline: Cyber Security
Published on 7th Oct 2015
“In 2015, cyber security has rarely been out of the headlines. Major attacks on public and private targets have resulted in widespread data loss and operational disruption. The cost of dealing with breaches and reputational damage, not to mention potential civil and regulatory liability, means that cyber security will remain one of the most pressing issues for businesses for some time.
The key developments on the horizon are the Network and Information Security Directive, and how that will interact with the new General Data Protection Regulation (when each of those comes into force).”
October 2015 – Procurement for public sector cyber security services
The Crown Commercial Service (“CCS”) is working with CESG, the information security arm of GCHQ, to develop a central route to market to enable public sector organisations to buy certified cyber security services.
The procurement process will involve two stages: CESG certification and appointment by CCS onto a framework. The invitation to tender is expected to be published in October 2015, with the first awards expected to be made in early 2016.
2015 / 2016 – EU Network and Information Security Directive
As far back as 2013, the European Commission published its proposed directive to bolster legislation in Europe on cyber security – the Network and Information Security (“NIS”) Directive.
The NIS Directive will apply to operators of ‘critical infrastructure’, who will have reporting obligations and will be required to adopt technical and organisational measures to protect against cyber security risks.
The NIS Directive will also require member states to adopt a national strategy and appoint a competent authority to prevent and respond to incidents.
The NIS Directive has been the subject of debate in Europe for over two years. One of the key areas of disagreement is whether information services such as search engines, online platforms and social media should constitute ‘critical infrastructure’, alongside energy, transport, banking and health.
In order for the NIS Directive to be adopted, it needs to be agreed by the European Council. It has been reported that the European Parliament and Commission have reached agreement, and it had been hoped that the NIS Directive would be adopted before the end of 2015, but it is looking increasingly likely that this will not happen until 2016.
Late 2015 / early 2016 – Internet of Things Trust Framework
The Internet of Things (“IoT”) as a concept is now well-embedded into the digital market. From smart metering to wearable tech and medical aids, the range of devices and applications covered is immense and growing, as are the security risks associated with the IoT.
In an attempt to address this, a group of technology providers known as the Online Trust Alliance has recently consulted on a draft trust framework, which contains 23 minimum requirements and 12 further recommendations addressing various privacy and security-related issues.
For more information, see our article here. The consultation has now closed and a response is expected in late 2015 or early 2016.