The cyber security regulatory landscape in Europe is getting a major face-lift. You might have noticed the excessive noise on traditional media channels and social media platforms around the new EU data protection regulation (General Data Protection Regulation – GDPR), enforced as of the 25th of May.
You might also have noticed that everybody is talking about GDPR without actually saying much. I reckon that this piece of legislation will raise a lot of issues in the coming years. It is too big and too wide in scope not to leave a lot of room for interpretation.
As a result, the fuss created around GDPR has completely overshadowed other very important developments in cyber security regulation in Europe. There are plenty of other, equally important initiatives that will change the way the EU understands security and will most probably disrupt the way security businesses are run. Taking into account all the legislative developments described below, I can say that the EU has reached the highest level of maturity in terms of privacy and security among comparable political structures/nations across the globe. Indeed, there has been strong development in this area in other parts of the world, but I will get back to those in another post.
In order to jump into the problem I need to give you a bit of background regarding the EU’s security initiatives over the past years, so I will start with the 2013 EU Cyber Security Strategy. The Strategy acknowledges the criticality of the cyber infrastructures operating in Europe and their important role in sustaining the Digital Single Market. The Strategy sets out a number of priorities and actions, more or less synthesized in Fig. 3.
All developments in cyber security have followed the 3 pillars in Fig. 3. If you have followed the topic you will have identified different initiatives for each of the pillars, such as: the NISD for the first pillar, the Directive on attacks against information systems (the cyber-crime directive) for the law enforcement pillar, and many other initiatives related to defense (public or not). Each of the pillars has recorded significant progress in the last years.
The cyber-crime directive (pillar II) sets out terms, definitions and common denominators for law enforcement agencies (LEAs) regarding “illegal access to computer systems” and other similar crimes. The directive has been implemented by all Member States. Clearly, speaking the same language among EU law enforcement agencies, as regards what is considered illegal access to computer systems and how it is punished, is a must and has definitely improved LEAs’ response to cyber crimes.
The Network and Information Security Directive (NISD) is focused on an important piece of the civilian part of the Internet: critical digital infrastructures. The report “Incident notification for DSPs in the context of the NIS Directive” by ENISA (authored by me while I was working there), even though it focuses on a particular topic within the Directive, provides a good overview of the scope and requirements of the legal act. “With a view to achieving a high common level of security of networks and information systems within the Union so as to improve the functioning of the internal market”, the NISD has the following objectives:
- Improved cybersecurity capabilities at national level;
- Increased EU-level cooperation;
- Establishing minimum security measures and incident reporting obligations for operators of essential services and digital service providers.
In summary, the NISD sets out requirements for the national authorities in charge of cyber security in the Member States, establishes structures at EU level with responsibilities for coordinating activities at Union level, and imposes severe requirements on operators of cyber infrastructures that are considered critical. The basic idea behind the NISD is to reduce to the lowest possible level the impact of cyber threats on the population and to secure the proper functioning of the internal market.

For reference, by operators of essential services we refer to operators providing utilities in the following areas: energy, transport, finance, water, health and digital infrastructures (DNS, top level domains, Internet Exchange Points). Similar requirements are imposed on another group of cyber service providers, called digital service providers (cloud providers, online market places, search engines).

As you can probably imagine, the impact of this Directive is huge: it affects only certain stakeholders, but to a deeper level. Through high level requirements such as minimum security measures and mandatory incident notification procedures, it introduces a whole new approach, requiring a mindset change for many players in traditional industries such as energy, transport, water and health. These players have only recently started to acknowledge the new types of threats and to take actionable measures. Industrial Control Systems/SCADA, along with IoT, are still among the most vulnerable equipment/devices out there. The EU, through the NISD, has clearly acknowledged the high level of risk associated with poor deployments of IT&C technologies in traditional industries. The NISD quietly entered into force on the 9th of May 2018. Please see below a picture (Fig. 4) released by ENISA illustrating the outreach of the NISD.
On the military/defense side, the developments are not always publicly available, but here is what I found: “The recently adopted framework for a joint EU diplomatic response to malicious cyber activities (the “cyber diplomacy toolbox”) sets out the measures under the Common Foreign and Security Policy, including restrictive measures which can be used to strengthen the EU‘s response to activities that harm its political, security and economic interests. Implementation work on the Framework is currently ongoing with Member States and would also be taken forward in close coordination with the Blueprint to respond to large scale cyber incidents”.
Another important development is the new EU Electronic Communications Code (EECC). Currently still under discussion within the formal Trilogue legislative process, the new proposal will enforce additional requirements on traditional Telecom operators and Over The Top (OTT) service providers (WhatsApp, Skype etc.). The current proposal is an improvement on the old Telecom Framework Directive, which was the first EU legislation to impose any kind of security requirements on an industry whose services today’s digital society considers critical. The new proposal is similar to the NISD in terms of requirements, extends the scope to OTTs as well, and reconsiders the definition of an incident, which in the previous version was focused too much on availability.
On top of the above, the EU Commission proposed, in late 2017, the ambitious Cyber Security Package, “essential to keep the online economy running and to ensure prosperity”. The voluminous package contains several initiatives intended “to further improve EU cyber resilience and response”. The list of initiatives comprises the following:
- A stronger EU Cyber Security Agency (ENISA): a new and permanent mandate to ensure that the Agency provides proper support for Member States when implementing NISD and also a step up in both operational cooperation and crisis management at EU level.
- An EU cyber security certification framework with ENISA at its heart, which defines a “duty of care” principle to reduce product and software vulnerabilities and promotes a “security by design” approach for all connected devices.
- A blueprint for rapid emergency response – a well-rehearsed plan in case of a large scale cross-border cyber incident or crisis, which sets out the objectives and modes of cooperation between the Member States and the EU Institutions.
If the above are not enough, the EC is also revising other, older regulations such as the EU Cyber Security Strategy, the Directive on Attacks against Information Systems and the ePrivacy Directive (an extension of GDPR for the Telecom sector). On top of all of the above we have the almighty GDPR, a horizontal regulation that covers every type of entity that processes personal data of EU citizens. From 2013 up to now the developments made by the EU in terms of cyber security and privacy have been huge; at this point I believe it has the most comprehensive and evolved cyber security related legal framework in the world.
So a full restart on cyber security in Europe!
Judging by the requirements of the new legislative initiatives, we should soon see an increase in the budgets spent on cyber security in the EU. Let’s analyze the situation a bit from this point of view.
Gartner predicted that the global cyber security market will reach “$96.3 billion in 2018, an increase of 8 percent from 2017”. An older study also predicts that the market will “top $113 billion by 2020”. I am sure it will, judging by how the subject has penetrated all media channels (especially after last year’s widespread attacks, Petya/NotPetya, WannaCry etc.), influencing decision makers.
Gartner also points to developments in terms of new security product segments, “such as deception, endpoint detection and response (EDR), software-defined segmentation, cloud access security brokers (CASBs), and user and entity behavior analytics (UEBA). These new segments are creating net new spending, but are also taking expenses away from existing segments such as data security, enterprise protection platform (EPP) network security, security information and event management (SIEM).”
The global security services market is also seeing certain developments. With an estimated total spending of over 50 bn. dollars, the market has embraced the emergence of specialized managed detection and response (MDR) services, which are becoming a threat to traditional Managed Security Service Providers (MSSs). I guess we will just have to wait and see how the balance tips.
In Europe, according to an ENISA paper (citing also other sources), the cyber security market was estimated at around 20 bn. Euro in 2014 (30 bn. in North America). Moreover, Europe hosts around 900.000 security professionals and 7 out of 37 global IT security companies. A short review of similar studies will give you the general impression that Europe does not spend too much on security compared to other regions. Nevertheless, considering the amount of regulation described above, we can assume that the situation is bound to change considerably.
Usually, investments in cyber security are not necessarily determined by cost-benefit analyses. Although the media might give you the impression that there is a lot of information out there that can support your decision, the reality is different. An interesting academic study by Jennie de Vries from Delft University of Technology shows that there is a lack of reliable data in cyber security, for various reasons such as: the constant evolution of the threat landscape, reluctance to share information, complex architectural environments that make similar situations improbable etc. In this regard, risk assessments are prone to errors and cannot always support a simple and straightforward decision making process. Consequently, investments in cyber security tend to be influenced by “organizational characteristics but also by the individual perspective of the decision-maker within that organization”. Being compliant with rules and regulations is also one of the key drivers for investment. The perception that “we are always under attack”, induced by last year’s global outbreaks, can also influence the view of a responsible person within an organization.
At this point I believe that Europe is in a position where the overall vision and approach towards cyber security is about to change. Multiple key drivers will influence investments and how cyber security is done in the EU. Gartner believes that the EU’s GDPR alone will push up buying decisions by 65% in the coming years. Compliance with GDPR is very important, as it can bring fines of up to 4% of global turnover. But, as shown above, there are other legislative requirements that are at least as demanding and come on top of the GDPR requirements.
I might conclude that the cyber security industry in Europe will see a boost in the coming years. But this boost needs to be sustained by proper resources (funds, personnel etc.), which might not be available in Europe right now. Therefore, a market will be created for companies outside the EU. Since security services usually represent more than half of a market’s value, this boost will mostly create a need in this area (MSSs, MDRs etc.). But of course companies need to update their offerings, as the services need to be localized and focused on compliance.
In any case, Europe is preparing to see a serious change in the cyber security industry, a change that can even lead it towards achieving the status of a cyber security super power. Not in the sense you are probably thinking (offensive), but in the sense that it will be safer to develop an online business in Europe than anywhere else (a more resilient cyber space, safer from cyber threats, more privacy protection etc.).