BreachExchange mailing list archives

Differing standards of protection possible for compliance with new EU rules on IT security

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Jan 2014 17:15:26 -0700

http://www.out-law.com/en/articles/2014/january/differing-standards-of-protection-possible-for-compliance-with-new-eu-rules-on-it-security/

Certain businesses that deploy high standards of security may be deemed in
breach of new EU rules on network and information security whilst other
businesses conforming to lower standards of protection remain compliant,
under the latest proposals.

The Committee on Civil Liberties, Justice and Home Affairs (LIBE) at the
European Parliament has published a document containing a list of draft
amendments (63-page, 392 KB PDF: http://tinyurl.com/l9b6tpf) that MEPs in the
group would like to see made to the European Commission's proposed Network
and Information Security (NIS) Directive.

The draft Directive, first published by the Commission in February last
year, aims to ensure that banks, energy companies and other businesses
involved in the operation of critical infrastructure maintain sufficiently
secure systems.

But MEP Marie-Christine Vergiat has now suggested that the standard of
protection required of organisations should differ based on the extent of
damage that could be caused in the event of the protections put in place by
each organisation being breached.

"Public administrations and private undertakings, including network
service-providers and suppliers of information and software, should regard
the protection of their information systems and of the data which they
contain as forming part of their duty of care," the proposed amendment
suggested by Vergiat said. "Appropriate levels of protection should be
provided against reasonably identifiable threats and areas of
vulnerability. The cost and burden of such protection should reflect the
likely damage which a cyber-attack would cause to those affected."

Under the Commission's plans, public administrators and 'market operators'
would have to notify designated regulators of "significant" cyber security
incidents that they experience. Not all breaches reported to the regulators
would necessarily be conveyed to the public under the plans, but regulators
would be required to determine on a case-by-case basis whether it was in the
public interest to inform them. The regulators would be obliged to share
information with one another on cyber security risks in accordance with the
proposed framework.

However, MEP Christian Ehler has suggested a slight change to the planned
notification obligations to place a timeframe on reporting.

"Member States shall ensure that public administrations and market
operators completely and without measurable delay notify to the competent
authority incidents having a significant impact on the security of the core
services they provide," Ehler's draft amendment said.

Other proposals contained in the LIBE committee document would, if
implemented, see the implementation of the NIS Directive postponed until
after reforms to EU data protection rules – currently subject to separate
negotiations – are introduced. A separate personal data breach notification
regime is envisaged under the draft General Data Protection Regulation that
has been outlined.

In addition, EU member states would be obliged to draw up their own
national strategies on network and information security within a year of
the NIS Directive being adopted, under a proposal drafted by MEP Csaba
Sógor.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
