
UK organisations do not fully understand the impact of new EU cybersecurity legislation


27 January 2015

Based on a survey of organisations from the UK, France and Germany, a recent FireEye report found that many organisations in Europe are unprepared for, and challenged by the cost and complexity of, compliance with new European Union (EU) security legislation.

The General Data Protection Regulation (GDPR) legislation is currently set to be finalised in early 2015, with compliance becoming mandatory in 2017. The proposed Network and Information Security (NIS) directive – set to be implemented in 2015 – will impose new security and incident reporting requirements on a broader range of private sector companies.

But despite the EU’s proposal to increase the maximum penalty for serious breaches of its new data protection regulation to either €100m or five per cent of an organisation’s annual global turnover, only 39 per cent of organisations throughout the UK, Germany and France indicated that they have all the required measures in place for the new legislation.

The report also gauges how organisations perceive the scale and importance of the legislation and predicts how organisations in France, Germany and the UK are most likely to prepare themselves for compliance. Based on responses, it concludes that there is a mixed state of readiness at best, with many not understanding the true extent of the potential impact of the legislation.

The top concerns associated with serious data breaches and loss of personal information are potential fines (58 per cent); damage to reputation (57 per cent); and loss of business and/or revenue (58 per cent).

64 per cent cited additional expenditure on hardware and software as a challenge, with 23 per cent rating this as the single most important barrier to complying with the directives. Other barriers included implementation costs (58 per cent) and policy complexity (56 per cent).

And over 60 per cent of the organisations surveyed believe they are being provided little or no clear guidance on the legislation.

“The past year has shown that breaches are inevitable as hackers continue to evade security, and the EU directives are an important step toward addressing these threats,” said Richard Turner, VP EMEA, FireEye. “Organisations need to ensure that they have the capabilities to detect, prevent, analyse and respond to breaches in a timely manner.

“The EU legislation – both the NIS directive and GDPR – promotes the adoption of capabilities to respond to and report breaches. While this is a positive step, organisations need to look beyond the EU directives and be prepared to launch an appropriate and proportionate response to a threat or breach in order to protect shareholder value.”

“The new EU security and privacy requirements are incredibly important and will greatly increase the security obligations of European organisations,” said Adam Palmer, international government affairs director at FireEye. “We encourage organisations of all sizes to adopt mitigation measures that will manage risk stemming from zero-day exploits and never-seen-before malware as these attacks constitute a majority of advanced attacks in today’s threat environment.

“However, our research does show that organisations are not fully prepared for the implementation of the legislation, and it is critical these organisations begin preparing now to be in compliance and not be caught unprepared.”