The new EU Cyber Directive (officially known as NIS – Network & Information Security) is putting compliance issues at the forefront of concerns for the information security industry, if the keynote speeches at Infosec Europe are anything to go by.
More industry-specific seminars have also been organised, seeking the help of cyber security experts and information security consultants, in order to understand how the new EU Cyber Directive reforms and legislation will affect them.
Naturally, SMEs are less excited at the prospect of an extra layer of compliance on top of existing administrative regulations. Perhaps worse than the extra layer of mandatory compliance is the extra layer of confusion surrounding the new EU Cyber Directive.
As the penalties announced will hit the budgets of recovering businesses hard, it is only natural that small and medium enterprises will want to understand and adjust to the incoming EU Cyber Directive law. Here is a look at a few key aspects of the legislation that will hopefully shed some light on the issue:
Cyber security strategy plan
The UK government gave us a head start with the Cyber Essentials Scheme which, devised to offer best practice guidance, actually does what it says on the tin by providing help to businesses in a non-intrusive manner.
The government body
The ICO (Information Commissioner's Office) has already announced it does not want the extra strain on the budget, and no other national authority has come forth to take the responsibility of collecting information from SMEs and reporting back to ENISA. Until the issue gets further clarification, it is only a matter of waiting.
Introducing the DPO (Data Protection Officer)
It wasn’t long ago that the CISO became a role in business, and it got a fairly begrudging welcome, as some CIOs perceived this new role as a threat to their responsibilities. Now the Cyber Directive will introduce the rise of the DPO – Data Protection Officer, rumoured to have an overarching role over both the CIO and CISO in an organisation. The DPO will also take on the less desirable role of the “no” guy within the organisation whenever an innovative process involving data is stifled under the “cyber directive” framework.
Auditing does not have to be painful
Although audits should happen at least once a year, lack of enforcement and high costs mean that organisations view them about as expectantly as a visit to the dentist. It doesn’t have to be painful though. If you can’t find anyone who simply loves trawling through compliance policies, keeping up with updates and de-cluttering industry-specific standards, then you could use a compliance auditing tool such as Paws Studio for regular monitoring and a trustworthy penetration tester to check your security twice a year.
Better cooperation between management & IT
The relationship between management and IT does need to improve; otherwise, as breach examples show time and time again, the business and, most importantly, the customers end up suffering.
The CERT team
Although it sounds more or less like having a SWAT team hanging around in the IT department, the Computer Emergency Response Team refers to one or more people assigned as the first point of contact when something goes wrong and tasked with putting together a mitigation plan. As far as security and compliance policies go, this is a fairly sensible measure. It’s the type of measure that can bring about some sense of control and reactiveness amid the havoc and distress of a cyber-incident.
What’s an SME to do?
Unfortunately, it does not look as if the law will be bringing in savings of billions to the ones that need it most, though it may bring a better security education and increased awareness. However, at least for the time being, we must wait and see what the European Parliamentary elections (22 – 25 May 2014) bring forth, and whether the proposed legislation survives the dissolution of the current Parliament.