Cybercrime Legal Obligations: What Should Companies Follow?
In the digital age, businesses operating in Europe and the United Kingdom are required to adhere to stringent cybersecurity regulations to protect their network and information systems.
The Network and Information Security Directive (NISD) and the Network and Information Systems Regulations (UK NIS) apply to entities operating in certain sectors, necessitating the implementation of appropriate and proportionate technical and organizational measures to manage risks and prevent incidents.
Under the EU's NIS Directive, which is yet to be fully implemented in the national laws of each Member State, in-scope entities are required to implement minimum measures such as incident handling, business continuity, crisis management, supply chain security, and human resources security measures. Similarly, UK NIS requires in-scope entities to notify the relevant UK sector regulator about any incidents that have a significant impact on the continuity or provision of their services within 72 hours of becoming aware of the incident.
Both the NIS 2 Directive and the NIS 2 Implementing Regulation set out specific technical and methodological risk management requirements for certain categories of in-scope entities. In addition, NIS 2 imposes steep penalties for non-compliance: maximum fines of at least the higher of €7 million or €10 million (depending on sector), or 1.4% or 2% (depending on sector) of total worldwide turnover in the preceding financial year. By contrast, the maximum penalty that can apply for non-compliance with UK NIS is £17 million.
In the event of serious personal data breaches, businesses must also notify affected data subjects directly. Qualifying personal data breaches under the EU GDPR/UK GDPR must be reported to the competent regulator(s) within 72 hours of becoming aware of the incident, and incident notifications must include certain information.
Failure to address gaps in an organization's security framework increases the risk of cyber-attacks, negative press, regulatory scrutiny, and financial penalties. Businesses should therefore continually review their cybersecurity posture, incident response, and business continuity processes to ensure compliance with the applicable requirements and to remain adaptable to future changes in the threat landscape.
Moreover, the EU's General Data Protection Regulation (GDPR) requires companies to ensure data protection, transparency, and user consent. In the UK, companies must adhere to the UK GDPR and the Data Protection Act 2018 for data privacy. Both regions impose duties to protect personal data and maintain cybersecurity to avoid penalties and reputational damage.
Entities in scope of NIS 2 must promptly inform recipients of their services of any measures or remedies those recipients can take in response to a significant cyber threat and, where appropriate, must inform them of the threat itself. The relevant national authority may inform the public about an incident if public awareness is necessary to prevent or address the incident, or if disclosure is otherwise in the public interest.
For questions or assistance with these issues, contact John Timmons or Joe Devine.
In conclusion, understanding and complying with cybersecurity obligations is crucial for businesses in the EU and UK. Non-compliance can result in hefty fines, reputational damage, and increased risk of cyber-attacks. By continually reviewing and improving their cybersecurity posture, businesses can protect their network and information systems, safeguard personal data, and ensure business continuity.