90 - The NIS Directive & GDPR
The NIS Directive was the first piece of EU-wide cybersecurity legislation
EU Member States must build certain national cybersecurity capabilities (e.g. a national strategy, competent authorities and CSIRTs)
Member States must cooperate with each other in order to secure cyberspace
Member States have to supervise the cybersecurity of critical market operators in their country, designating one or more CSIRTs that handle incidents affecting operators of essential services (OES)
OES are private or public businesses/entities with an important social and economic role
Everyone has the right to the protection, access and correction of their personal data
GDPR applies to you even if you're outside of EU if you process EU citizen/resident data or do business in the EU
Lower-tier violations: a fine of up to 10 million euros or 2% of worldwide annual turnover, whichever amount is higher
Violations that go against the heart of GDPR (the data protection principles, data subject rights such as the right to privacy and the right to be forgotten, and unlawful international transfers): a fine of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher
Article 82 gives data subjects the right to seek compensation for material or non-material damage resulting from a GDPR violation
You must process data in such a way that:
Accountability: the controller (and any processor) must be able to demonstrate compliance with GDPR; data subjects are the people being protected, not the ones held accountable.
GDPR states that if you have a data breach you must notify the supervisory authority within 72 hours of becoming aware of it, and notify the affected data subjects without undue delay when the breach is likely to result in a high risk to them, or face penalties
Don't collect. Don't store, don't sell, unless:
Consent under GDPR must be freely given, specific, informed and unambiguous, and consent requests must be clearly distinguishable from other matters and presented in clear and plain language.
Persons can withdraw consent whenever they want, withdrawing must be as easy as giving it, and you have to honor the decision.
Children below the age of digital consent (16 by default, Member States may lower it to 13) can only consent to online services with the permission of a parent or guardian.
You need to document consent so you can prove it was given.
In some specific cases you need to appoint a Data Protection officer:
Products will be certifiable, similar to the CE mark, as complying with EU cybersecurity requirements, and such a certificate will be recognized in all EU Member States.