EU Council Reaches Agreement About Cybersecurity

Technology Investing News

The European Union reached an informal agreement with the Parliament on network and information security rules affecting companies across the EU.

According to a blog post from Orrick:

On December 7, 2015, more than two and a half years after the first draft, the European Union Council finally reached an important, informal agreement with the Parliament on important network and information security rules (“NIS-Directive”) affecting companies across the EU. It is the culmination of the European Commission’s Cybersecurity strategy effort that began in February 2013 with the European Commission’s proposed draft directive on measures to ensure a common level of network and information security. Final adoption of the NIS-Directive will have several important consequences, including increased focus by Boards of Directors on cybersecurity risk, the need for companies to increase their investment in information security, to prepare and implement cybersecurity incident response plans, and to conduct internal comprehensive investigations into the circumstances of a cybersecurity event in order to comply with forthcoming reporting obligations.
[…] The NIS-Directive will not only require critical infrastructure and companies that are digital service providers to take actions aimed at improving their networks’ ability to resist cyber-attacks, but organizations will now have to consider establishing a compliance function around the new requirements. Accordingly, many organizations – specifically cloud service providers, online search engine providers, online marketplaces and other internet service providers – will need to actively assess the security and integrity of their network resources.
The reporting obligations also mean that companies should strongly consider conducting post-attack investigations, directed by legal counsel, to identify the extent of reporting obligations, especially given the likelihood of significant fines and penalties from national authorities for companies that do not comply with these obligations. Moreover, given that companies will no longer be able to remain silent in the event of a security breach, they should strongly consider proactively planning for how they will manage brand and reputation after an incident. These complicated considerations are best handled through preparation and incident response planning.