In its latest survey entitled “Mixed State of Readiness For Cybersecurity Regulations in Europe”, anti-malware specialist FireEye reveals that more than one-third (39 percent) of organisations in the UK, Germany and France do not have the defensive measures in place for the Network and Information Security (NIS) directive and General Data Protection Regulation (GDPR), with this figure even lower for the long-awaited GDPR.
Only two-thirds of respondents (66 percent) said that their firm fully understood the impact from the proposed regulations, while the study highlighted that more than half had serious reservations over the proposed fines (58 percent), the potential damage to business reputation (57 percent) and the loss of business and/or revenue (58 percent). In addition, 60 percent claimed that there was ‘no clear guidance' on the legislation, while 68 percent and 56 percent respectively bemoaned implementation costs and policy complexity.
The EU General Data Protection Regulation was expected to be finalised by early 2015, with compliance becoming mandatory in 2017 after a two-year sunset period. The law will establish fines of up to five percent of global turnover (or €100 million) and will introduce mandatory data breach disclosure. On this last point, businesses will be asked to report data breached within a 72-hour window.
The NIS directive – also known as the Cybersecurity Directive - was first proposed by the European Commission in 2013 and is also expected to get the green-light later this year. It aims to ensure critical national infrastructure (CPNI) operators, such as banks and energy companies, meet appropriate IT security standards, share information about cyber-threats and report when they have been breached.
“The new EU security and privacy requirements are incredibly important and will greatly increase the security obligations of European organisations,” said Adam Palmer, international government affairs director at FireEye.
“We encourage organisations of all sizes to adopt mitigation measures that will manage risk stemming from zero-day exploits and never-seen-before malware as these attacks constitute a majority of advanced attacks in today's threat environment. However, our research does show that organisations are not fully prepared for the implementation of the legislation, and it is critical these organisations begin preparing now to be in compliance and not be caught unprepared.”