A special report by FireEye, Mixed State of Readiness for New Cybersecurity Regulations in Europe, has found that the majority of organisations “in France, Germany and the UK still have work to do in implementing sufficient security measures to meet new requirements”, and a third do not understand the impact of the new legislation.
The EU Networking and Information Security (NIS) Directive and the General Data Protection Regulation (GDPR) are both expected to be finalised this year and enforced from 2017, so it comes as a surprise to learn that:
- Only 20% of organisations have put the necessary measures in place to meet the requirements of the GDPR.
- Only 39% of organisations have put the necessary measures in place to meet the requirements of the NIS Directive.
Although organisations are, on average, better prepared for the NIS Directive than the GDPR, in both cases there is still a lot of work to be done.
Why are organisations so unprepared?
One suggested reason for this shortfall is continuing confusion about what the laws will specifically require: neither the NIS Directive nor the GDPR has yet been formally approved.
As the report notes:
“With so many aspects of both the NIS and GDPR proposals still to be finalised, and so little practical advice on compliance requirements either currently on offer, or likely to be in the future, it is no surprise that 42% of the survey feel they have little or no (20%) clear guidance on what they need to do to meet the terms of legislation which is still open to debate. This situation may effectively hamstring those IT departments which are either already in the process of upgrading data security provisions, or are planning to do so in the near term, because they cannot be sure the processes and solutions they are implementing will deliver compliance at a later date.”
The simplest route to NIS and GDPR compliance
The easiest way for organisations to prepare for the NIS Directive and the GDPR is to implement an information security management system (ISMS), as set out in the international standard ISO 27001. An ISMS provides a best-practice approach to dealing with information security and data protection obligations.
Organisations with multiple compliance requirements often seek certification to ISO 27001 as its comprehensive information security approach can centralise and simplify disjointed compliance efforts – it is often the case that companies will achieve compliance with a host of legislative requirements simply by achieving ISO 27001 certification.
IT Governance’s ISO 27001 Packaged Solutions provide implementation resources and give online access to expert consultancy support to allow organisations the world over to implement an ISMS at a speed and for a budget suitable to their needs.
For more information on our ISO 27001 Packaged Solutions, and to see how we can help your organisation meet its legal obligations, see the IT Governance website.