Cybersecurity and regulation: a difficult binomial

Talking about something like cybersecurity, which is both complex and essential to the digital transformation we are living through, makes no sense unless it is done from a global perspective. A geographically limited analysis is pointless; the starting point must be as broad as possible. Its regulation must then be adapted to encompass this reality and bring support, shape and cohesion to the mechanisms and endeavors launched during the last decade to regulate this constantly evolving subject.

Thus, on July 6th, the European Parliament adopted the Directive on Security of Network and Information Systems [1]. This Directive will have to be transposed into the national law of the Member States within 21 months, meaning it will not be implemented in practice until May 2018. Sanctions are set for the countries that fail to do so. The directive aims to create (and impose) a European framework from which cyber incidents can be fought: viruses, identity theft, technical failures, and so on. Given that these attacks rose 38% between 2014 and 2015 [2], this directive is both unavoidable and ambitious, and it has in fact been one of the top-priority legal proposals of the year from a European perspective.

The aim of the directive is to develop an international policy applicable to all kinds of industries and companies, a common standard for cybersecurity to ensure a reliable digital environment. The core idea is to treat security as a process rather than a state, which obliges companies to develop tools that allow them to react to both known and still unknown risks. Essentially, it takes for granted that security does not mean absolute protection but a system able to respond to anyone operating contrary to the agreed legal framework, reflecting the policy already adopted by the European Parliament. A supranational body aimed at exchanging data and assisting the member countries will be launched to ensure the necessary international cooperation. Implementation at the national level will also require the creation of a competent authority to oversee how the Directive is put into place.

As for the direct consequences of its implementation, each Member State will have to identify the companies that are essential for certain specific industries. All companies that fit the list provided by the Directive will have to report every incident that can be considered serious. Renowned companies such as Facebook, PayPal or Amazon are not exempt from this, alongside the aforementioned “operators of essential services”.

Knowing that these cyberattacks hurt both European companies and the economy in general, with losses of hundreds of thousands of euros each year [3], this legal framework to protect this reality has taken too long to draft. Looking at it industry by industry, many people have been surprised to learn that the oil and gas industries were the ones that suffered the most attacks last year, closely followed by the technology and telecommunications industries. At the other end of the scale, the pharmaceutical industry stands out for having greatly increased its security measures in order to avoid such outcomes. We should ask ourselves, however, whether the regulation will really be useful for those who really need it or whether, on the contrary, it arrives too late and will always be one step behind the measures already implemented by those who have been harmed. One might fear that it could become an obstacle to the free development of the very cyber reality it is supposed to regulate and protect.

Certainly, there is suspicion that this “statement of intent” cannot easily be applied to a global and changing tool like the Internet, especially when it is necessary to coordinate a variety of companies and governments across the EU. This skepticism mixes with the one habitually attached to any European Directive, as they are usually implemented at a very slow pace. This directive faces not only the usual difficulty of any regulation affecting several states and companies, but also the ever-mutating monster of the Internet and the digital era.

Finally, it should be noted that, in parallel to the legal process, 91% of the companies that have been harmed have adopted operational structures in favor of cybersecurity. It is those who have been harmed who, with or without a Directive, develop ways to ensure this security as they carry out their activity. This does not downplay the goal pursued by this legal initiative: to provide a broad-ranging regulation that enables, protects and channels cybersecurity initiatives to protect the growing number of users and realities.

Written by Ana Grau, Lawyer at Adarve


Originally published (in Spanish) in the newspaper El País Retina: http://www.elpaisretina.com/ciberseguridad-y-regulacion-un-dificil-binomio/

[1] The Directive on security of network and information systems (the NIS Directive), 2013/0027/COD.

[2] PwC, “The Global State of Information Security® Survey 2016”.

[3] European Commission, Fact Sheet: “Commission boosts cybersecurity industry and steps up efforts to tackle cyber-threats”.