90 - The NIS Directive & GDPR

NIS - Network and Information Security

The first piece of EU-wide cybersec legislation

National Capabilities

EU member states must each have certain national cybersecurity capabilities

Cross-border collaboration

Member states must cooperate in order to secure cyberspace

National supervision of critical sectors

Member states have to supervise the cybersecurity of critical market operators in their country by designating one or more CSIRTs that monitor and protect OSEs

OSE - Operators of Essential Services

Private or public businesses/entities with an important social and economic role

Article 8 - EU Charter of Fundamental Rights

Everyone has the right to the protection, access and correction of their personal data

GDPR - General Data Protection Regulation

  • Regulates the way businesses process and manage personal data
  • Gives citizens control over their data
  • Streamlines regulation
  • Establishes a uniform framework for data protection across the EU

GDPR Scope

GDPR applies to you even if you are outside the EU, if you process EU citizen/resident data or do business in the EU

GDPR Violation Penalties

Less severe violations

Up to 10 million euro fine or 2% of worldwide annual revenue, whichever amount is higher

Severe violations

Such violations go against the heart of GDPR: the right to privacy and the right to be forgotten. 20 million euro fine or 4% of worldwide annual revenue, whichever is higher

Article 82 - Compensation

Article 82 gives the right to seek compensation for damages resulting from a GDPR violation

GDPR Principles

You must process data in such a way that:

  • It is lawful, fair and transparent
  • It is only for the purposes you are authorized for
  • The data is minimal, only what is necessary
  • The data is accurate and up to date
  • The data is stored for a limited amount of time
  • Confidentiality and integrity are assured
  • You can demonstrate GDPR compliance

GDPR Accountability and Data Security

All subjects under GDPR must be held accountable.

Data Breach Handling

GDPR states that if you suffer a data breach, you have 72 hours to tell the subjects or face penalties

GDPR Article 6: Lawful Data Processing

Don't collect, don't store, don't sell, unless:

  • You have specific unambiguous consent
  • Processing is necessary to enter into a contract
  • You need to process it to comply with legal obligations
  • You need to process it to save a life
  • You need to process it in public interest
  • You have a legitimate interest

Consent under GDPR must be freely given, specific, informed and unambiguous, and consent requests must be clearly distinguishable and presented in clear and plain language.
Persons can withdraw consent whenever they want, and you have to honor that decision.
Children can only give consent with parental permission.
You need to document consent.

GDPR DPO - Data Protection Officer

In some specific cases you need to appoint a Data Protection Officer:

  • You are a public authority (other than a court acting in its judicial capacity)
  • Your activities require you to monitor people systematically on a large scale
  • Your activities involve large-scale processing of special categories of data or data relating to criminals

EU Cybersecurity Certification

Products will be certifiable, similar to the CE certificate, as complying with all EU cybersecurity aspects, and such a certificate will be recognized in all EU member states.