User:LakshmiMod/sandbox

From WikiProjectMed

European Union

Cyber security standards have become highly prominent in today's technology-driven businesses. In order to maximize their profits, corporations leverage technology by running the majority of their operations over the internet. Since inter-network operations carry a large number of risks, it is essential that such operations are protected through comprehensive and extensive regulations. Existing cyber security regulations each cover different aspects of business operations and often vary by the region or country in which a business operates. Given the differences in each country's society, infrastructure and values, one overarching cyber security standard is not optimal for the purpose of decreasing risk. While American standards provide a basis for operations, the EU has created a more tailored regulation for businesses operating specifically within the European Union. Also, in light of Brexit, it is important to consider how the UK has chosen to adhere to such security regulations.

Three major regulations within the EU include ENISA, the NIS Directive and the EU GDPR. Each regulation holds

ENISA

ENISA, the European Union Agency for Network and Information Security, is a governing agency that was originally set up by Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 for the purpose of raising network and information security (NIS) awareness for all inter-network operations within the EU. ENISA currently operates under Regulation (EU) No 526/2013[1], which replaced the original regulation in 2013. ENISA works actively with all member states of the EU to provide a range of services. The focus of its operations is on three areas:

  • Recommendations to member states on the course of action for security breaches
  • Support on policy making and implementation issues for all member states of the EU
  • Direct support, where ENISA takes a hands-on approach to working with operational teams within the EU[2]

ENISA is made up of a management board that relies on the support of the Executive Director and the Permanent Stakeholders' Group. The majority of operations, however, are run by the heads of the various departments.[3]

ENISA has released various publications that cover all major issues regarding cyber security. ENISA's past and current initiatives include the EU Cloud Strategy, Open Standards in Information and Communications Technology, a Cyber Security Strategy of the EU and a Cyber Security Coordination Group. ENISA also works in collaboration with existing international standards organizations such as the ISO and the ITU.[4]

NIS Directive

On July 6th 2016, the European Parliament adopted the Directive on Security of Network and Information Systems (the NIS Directive). The directive entered into force in August 2016, and all EU member states were given 21 months to transpose the directive's requirements into their own national laws.[5] The aim of the NIS Directive is to create an overall higher level of cyber security in the EU. The directive significantly affects digital service providers (DSPs) and operators of essential services (OES). Operators of essential services include any organizations whose operations would be greatly affected in the case of a security breach, provided that they engage in critical societal or economic activities. Both DSPs and OES are now held accountable for reporting security incidents of a certain severity to Computer Security Incident Response Teams (CSIRTs).[6] While DSPs are not held to regulations as stringent as those for operators of essential services, DSPs that are not established in the EU but still operate in the EU still face regulation. Even when DSPs and OES outsource the maintenance of their information systems to third parties, the NIS Directive still holds them accountable for any security incidents.[7]

The member states of the EU are required to create a NIS Directive strategy which includes the aforementioned CSIRTs in addition to National Competent Authorities (NCAs) and Single Points of Contact (SPOCs). These bodies are given the responsibility of handling cyber security breaches in a way that minimizes their impact. In addition, all member states of the EU are encouraged to share cyber security information.[8]

The security requirements of the NIS Directive include technical measures that manage the risk of cyber security breaches in a preventative manner. In addition, both DSPs and OES must provide information that allows for an in-depth assessment of their information systems and security policies.[9] As mentioned above, all significant incidents must be notified to the CSIRTs. Whether a cyber security incident is significant is determined by the number of users who will be affected by the breach, the duration of the incident and the geographical reach of the incident.[9]

EU GDPR

The EU General Data Protection Regulation (GDPR) was adopted on April 14th 2016; however, its enforcement date is set for May 25th 2018.[10] The GDPR aims to bring a single standard for data protection to all member states of the EU. Among the changes the GDPR brings about is a redefinition of geographical borders. The regulation applies not only to entities that operate in the EU but also to entities that handle the data of any resident of the EU. Regardless of where the data is processed, if an EU citizen's data is being processed, the entity is now subject to the GDPR.[11] Fines are also much more stringent under the GDPR and can total twenty million euros or 4% of an entity's annual turnover, whichever amount is higher.[11] In addition, similar to previous regulations, all data breaches that affect the rights and freedoms of individuals residing in the EU must be disclosed within 72 hours. The overarching board, the EU Data Protection Board (EDP), is in charge of all oversight set by the GDPR.

Consent plays a major role in the GDPR. Companies that hold data on EU citizens must now also offer citizens the right to withdraw their consent to data sharing as easily as they gave it.[12] In addition, citizens can restrict the processing of the data stored on them: they can choose to allow companies to store their data but not to process it, creating a clear differentiation between the two. Unlike previous regulations, the GDPR also restricts the transfer of a citizen's data outside of the EU or to a third party without the prior consent of the citizen.[12]

Brexit Considerations

In light of the recent political event in which the UK decided to withdraw its membership from the EU, the regulations that now apply to the UK include only ENISA and the NIS Directive.[13]

There is still some speculation, however, that the GDPR applies to the UK because of the time at which the GDPR was set in place. Regardless of the pending implementation date, because the GDPR was signed into effect while the UK was still a part of the EU, it is said that the UK must comply.[14] In addition, not being a part of the GDPR would mean that the UK misses out on valuable resources.

  1. ^ "L_2013165EN.01004101.xml". eur-lex.europa.eu. Retrieved 2017-03-08.
  2. ^ "About ENISA — ENISA". www.enisa.europa.eu. Retrieved 2017-03-08.
  3. ^ "Structure and Organisation — ENISA". www.enisa.europa.eu. Retrieved 2017-03-08.
  4. ^ Purser, Steve (2014). "Standards for Cyber Security". IOS Press.
  5. ^ "The Directive on security of network and information systems (NIS Directive)". Digital Single Market. Retrieved 2017-03-12.
  6. ^ OUT-LAW.COM (2016-01-07). "The Network and Information Security Directive – who is in and who is out?". Retrieved 2017-03-12.
  7. ^ "NIS Directive Published: EU Member States Have Just Under Two Years to Implement". Data Protection Report. 2016-07-21. Retrieved 2017-03-12.
  8. ^ "Agreement reached on EU Network and Information Security (NIS) Directive". Deloitte Luxembourg. Retrieved 2017-03-12.
  9. ^ "Network and Information Security Directive will be implemented in the UK despite Brexit vote, government confirms". www.out-law.com. Retrieved 2017-03-12.
  10. ^ "Home Page of EU GDPR". EU GDPR Portal. Retrieved 2017-03-12.
  11. ^ "Key Changes with the General Data Protection Regulation". EU GDPR Portal. Retrieved 2017-03-12.
  12. ^ "Overview of the General Data Protection Regulation (GDPR)". ico.org.uk. 2017-03-03. Retrieved 2017-03-12.
  13. ^ "UK business unlikely to dodge EU cyber security rules post-Brexit". ComputerWeekly. Retrieved 2017-03-12.
  14. ^ Joshi, Harshul (2016-11-15). "Cybersecurity and the impact of Brexit". Infosecurity Magazine. Retrieved 2017-04-06.