This week the European Government proposed the first EU-wide legislation on cybersecurity.
It will require providers of vital services such as energy, banking and healthcare to take appropriate security measures, and to report cybersecurity breaches to government.
European member governments now have 21 months to implement the Directive, and only six months to identify which companies it applies to.
But how will the Directive affect companies not initially within its scope?
1. Mission Creep
Governments have a long history of introducing legislation that slowly expands to cover industries and companies not within the initial scope.
Income tax in the UK was first introduced in 1842 as a temporary measure, and 173 years later it's still with us.
While the focus of the NIS Directive is initially on providers of vital services like banking, it's safe to assume this will slowly expand to cover other industries and companies, of all shapes and sizes.
2. Board Level Engagement
The threat of mission creep, and the PR damage caused by a breach, will drive greater board-level engagement and interest in cybersecurity.
No company will welcome the prospect of disclosing a breach, especially as possible sanctions include a fine of 5% global revenue.
The NISD is going to significantly increase the focus on cybersecurity at board level: the obligation to publicly declare a breach will send shivers up the spines of boards everywhere, even those not currently within its scope.
3. How Do You Even Know You've Been Breached? And How Quickly Can You Respond?
PwC research suggests 90% of companies suffered a cybersecurity breach of some description in the last 12 months. It's becoming clear that companies cannot expect to keep hackers out of their IT infrastructure.
Recent high-profile breaches are telling, as they reveal that there is often a period of months between an initial breach and sensitive data being compromised. All too often companies have little idea they've been breached until it's too late.
There is an increasing focus within cybersecurity circles on the time taken to respond to an initial breach, preventing lateral movement into other parts of the business and so minimising the damage.