As predicted, 2015 has seen cybersecurity continue to rise up the agenda. Both on a national security level and in terms of business and data protection, everyone has to respond to the increased threat levels. There have been a number of high-profile cyberattacks, including on TalkTalk and Ashley Madison, which have helped highlight the issue.
Alongside legislative initiatives, there are countless government and industry initiatives, particularly in finance and banking, to find cybersecurity solutions, to insure against cyberattack, and to prepare breach response plans. In January, the government announced new measures to help UK businesses with cybersecurity and promote UK cybersecurity solutions businesses. This was followed by various commitments to invest, including £860m in the National Cyber Security Programme to protect and promote the UK and £1m in a voucher scheme to help companies protect themselves. Most recently, the government announced it would double investment in cybersecurity to £1.9bn in the next five years.
This, of course, represents an opportunity for solution providers and we are likely to see an increasingly crowded marketplace in this space. For more on cybersecurity developments, read our Global Data Hub article.
The Network Information Security Directive
The European Commission is expected to publish the final version of the Network Information Security Directive (NISD) imminently after reaching political agreement on the wording. NISD is set to impact on a wide range of organisations including e-commerce platforms, social networks, search engines, cloud computing services, app stores and energy suppliers. It will require organisations falling within the definition of “market operators” to take appropriate technical and organisational measures to manage risks posed to the security of networks and information systems, and to report “significant cyber security incidents” to regulators, which Member States will be required to set up. The definition of “market operators” has proved the most controversial element of this legislation.
It now appears that there will be a two-tier system. Businesses falling within the definition of “operators of essential services” will have to take appropriate security measures and notify serious incidents to the relevant national authority. This will include utilities, transport, banking, financial market infrastructure and digital infrastructure providers.
Important digital businesses falling within the definition of “digital service providers” will be subject to a similar regime, although they are expected to face lighter-touch obligations. This will include the providers of online marketplaces, cloud computing services and search engines, with an exemption for small providers.