Above the Law
The EU’s Data and Security Regulations Are Sound Policy and Good Business

How the EU is taking steps to protect its critical infrastructure across all its member countries.

The European Union is not a simple marketplace. It has 28 countries, 24 languages, accounts for almost a quarter of global GDP, and is run via a complex, hybrid governmental system not renowned for quick decision making and alacrity. However, in the area of cybersecurity, the EU has acted deliberately over the last few years and gained a first-mover advantage in forcing the world to adopt regulations that protect its citizens, its businesses, and its own cyber infrastructure. This is a case where sound policy is creating good business and making the EU the fulcrum for global security standards.

The EU Looks to Protect Critical Infrastructure

With the GDPR, the EU has taken the global lead in regulating personal data. The GDPR puts a formal structure on how personal data privacy must be handled and, at the same time, compels the rest of the world to adopt it or face liability, fines, and the prospect of losing business in the EU if companies appear untrustworthy.

Now, the EU is moving to ensure that its critical infrastructure is protected across all of its member countries by implementing what is known as the Networks and Information Services Directive (NISD). The goal of the NISD is to improve security standards at essential organisations to ensure availability even in the event of a major attack. The NISD covers only essential organisations such as those in utility, healthcare, transport and similar sectors. It also differs from the GDPR in that it is a “directive” and therefore requires the individual EU countries to transpose it into their respective languages and then pass it into their own national law.

Under the NISD, a company must report a cyber incident to a local Response Team when it could significantly impact the “continuity of the essential services they provide.” Impact is assessed by looking at the potential duration of the incident, the number of users affected, and its geographical reach. It requires companies to have measures in place — “appropriate and proportionate technical and organizational measures to manage [risk]” — to prevent attacks or, alternatively, to minimize any disruption to their systems.

Key Technical Requirements

The NISD stipulates that affected operators of essential services and digital service providers must have in place, among other requirements:

  • An understanding of their assets and a mechanism to identify unknown devices
  • A mature vulnerability management program
  • Mature threat detection systems, including detecting, identifying, and reporting capabilities
  • Response and recovery plans
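The first requirement above, knowing your assets and having a mechanism to identify unknown devices, is the one that most often fails in practice because the register and the network drift apart. The following is an added example, not code from the article or from any regulator: it reconciles a constructed asset register against constructed DHCP lease records and reports both devices that are on the network but not in the register (unknown devices) and registered assets that were not observed (stale inventory). The lease-line format, MAC addresses, hostnames and owners are all assumptions made up for the example.

```python
"""Added example (not from the article): reconcile an asset register with
observed DHCP leases to flag unknown devices and unobserved assets.
All data below is constructed sample data."""
import re
from dataclasses import dataclass

# Constructed sample asset register: normalised MAC -> (hostname, owner).
KNOWN_ASSETS = {
    "00:1a:2b:3c:4d:01": ("plc-pump-01", "Operations"),
    "00:1a:2b:3c:4d:02": ("hmi-control-01", "Operations"),
    "00:1a:2b:3c:4d:03": ("hist-server", "IT"),
    "00:1a:2b:3c:4d:04": ("backup-hmi", "Operations"),  # registered, not seen
}

# Constructed sample lease records; the ISC-style layout is an assumption.
DHCP_LEASES = """\
lease 10.20.0.11 { hardware ethernet 00:1A:2B:3C:4D:01; client-hostname "plc-pump-01"; }
lease 10.20.0.12 { hardware ethernet 00:1a:2b:3c:4d:02; client-hostname "hmi-control-01"; }
lease 10.20.0.57 { hardware ethernet 00:1a:2b:3c:4d:99; client-hostname "laptop-xyz"; }
lease 10.20.0.58 { hardware ethernet 00:1a:2b:3c:4d:03; client-hostname "hist-server"; }
this line is not a lease record and is skipped
"""

LEASE_RE = re.compile(
    r'lease\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*\{\s*'
    r'hardware ethernet\s+(?P<mac>[0-9A-Fa-f:]{17});\s*'
    r'client-hostname\s+"(?P<hostname>[^"]*)";'
)


@dataclass(frozen=True)
class ObservedDevice:
    ip: str
    mac: str        # stored lower-case so register lookups are case-insensitive
    hostname: str


def parse_leases(text: str) -> list[ObservedDevice]:
    """Extract (ip, mac, hostname) from each well-formed lease line."""
    devices = []
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:  # malformed or unrelated lines are ignored, not fatal
            devices.append(ObservedDevice(m["ip"], m["mac"].lower(), m["hostname"]))
    return devices


def find_unknown_devices(observed: list[ObservedDevice],
                         register: dict[str, tuple[str, str]]) -> list[ObservedDevice]:
    """Devices seen on the network whose MAC is absent from the register."""
    return [d for d in observed if d.mac not in register]


def find_unobserved_assets(observed: list[ObservedDevice],
                           register: dict[str, tuple[str, str]]) -> list[str]:
    """Registered hostnames for which no lease was observed (stale or offline)."""
    seen = {d.mac for d in observed}
    return sorted(host for mac, (host, _owner) in register.items() if mac not in seen)


if __name__ == "__main__":
    leases = parse_leases(DHCP_LEASES)
    for d in find_unknown_devices(leases, KNOWN_ASSETS):
        print(f"UNKNOWN DEVICE ip={d.ip} mac={d.mac} hostname={d.hostname!r}")
    for host in find_unobserved_assets(leases, KNOWN_ASSETS):
        print(f"REGISTERED BUT NOT OBSERVED: {host}")
```

In a real deployment the register would come from a CMDB export and the observations from DHCP, switch MAC tables or passive monitoring, but the reconciliation logic stays the same: the unknown-device list is what feeds the detection and reporting capability the directive asks for, and the unobserved-asset list is the evidence that the register itself is being maintained.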

The NISD Applies to U.S. Companies

Just like the GDPR, the NISD applies to U.S. companies and other multinationals doing business in the EU. Specifically, a provider has only to offer services in an EU country to be under the NISD and its reporting requirements. Also like the GDPR, the NISD imposes substantial financial penalties for non-compliance. For example, non-compliant companies can be fined up to £17 million in the U.K., or 4 percent of global turnover (again like the GDPR). According to a Dutch draft law, fines there could reach as much as €5 million — and it is likely that severe penalties will be in place across other EU member states as well.

There is also a cyber-security certification under the NISD, so that companies can certify their products and services for the EU market. The certification process is due to come into force in May 2019. The certification is important because it enables companies to market their products across the EU, and it lets organisations compare and assess what they need from the certified businesses.

EU Looking to Increase Domestic Capacity and Spur Business

Part of the reason that the EU has taken up regulation is to become less dependent on foreign companies for servicing its critical cyber infrastructure and to increase its own competitive advantage under a uniform EU Cyber Security policy. A Joint Communication to the European Commission noted the importance of this in 2017, stating:

“The growth of the cybersecurity market in the EU – in terms of products, services and processes – is held back in a number of ways. A key aspect is the lack of cybersecurity certification schemes recognised across the EU to build higher standards of resilience into products and to underpin EU-wide market confidence. The Commission is therefore putting forward a proposal to set up an EU cybersecurity certification framework. […] It would bring clear benefits to businesses by avoiding the need to go through several certification processes when trading across borders, thereby limiting administrative and financial costs. The use of schemes developed under this Framework would also help build consumers’ confidence, with a certificate of conformity to inform and reassure purchasers and users about the security properties of the products and services they buy and use. This would make high standards for cybersecurity a source of competitive advantage.”

Brussels, Sept. 13, 2017, JOIN (2017), pp. 14-15.

In a recent article in Forbes magazine, two executives from French ad-tech companies explained that the experience of going through the GDPR compliance process has been a tough but productive one that has given them an advantage:

“With its French roots, devotion to consumer privacy and data is nothing new for Smart,” Nevins says. “France has always been a forerunner in privacy protections (the first French data law is 40 years old). GDPR has reinforced this but the foundations were already erected.” […]

“For once, what we are experiencing in EU will help us in the U.S. market,” Rieul adds. “We will be fully prepared for CCPA and any federal regulation to follow.”

Race to Protect National Data Interests Is On

The use of national standards to protect domestic interests is nothing new, but data is not oil, steel, or milk – it can be moved at lightning speed and bundled and packaged in infinite ways. Protecting data is not an easy task, but it’s becoming critical. Why? Because data is now the most valuable commodity in the world (according to some studies). But keeping it safe and extracting its value requires more than digging a hole in the ground or enacting a tariff.

The Huawei scandal, in which the company has been accused of essentially spying for the Chinese government, has opened eyes all over the world. The Chinese tech giant has been excluded from such infrastructure in the U.S., the UK, New Zealand, and Australia. Congress passed the Cloud Act in 2018 (largely in response to Huawei), which gives the U.S. government the power to compel companies to provide whatever data it is seeking, no matter where that data is hosted. It bypasses the need for U.S. law enforcement officials to seek approval from a given country. The Cloud Act is controversial (particularly in the EU) because it could, theoretically, give the U.S. government access to sensitive data hosted by U.S. companies working with EU entities, even if that data is hosted in the EU. EU companies are already talking about switching to non-U.S. hosting services and looking at where they might have data exposure under the Cloud Act.

Conclusion

Whether a real threat or not, there is a feeling in the EU that it needs to do more to protect itself from large foreign-based data companies that could compromise its national security. The GDPR and the NISD are both core pieces in achieving this goal, and they are a solid start that gives the EU an advantage in building out its security capabilities and improving the bottom line for EU companies.

David Mitnick is Chief Executive Officer of DomainSkate. He is a “recovering” intellectual property attorney turned entrepreneur, who dabbled in finance for a few years before law school. David worked on IP transactions, litigations and prosecutions during his legal career and became passionate about building an effective and affordable tool for companies to protect their brand assets and IP online. He is a graduate of the University of Wisconsin-Madison and Brooklyn Law School.