# Infosec24: 104 EU Laws Have Different Definitions of Cybersecurity
There are currently over 100 pieces of pending or existing EU legislation, all of which define cybersecurity differently, a leading data protection lawyer has claimed.
Ropes & Gray partner, Rohan Massey, told attendees at Infosecurity Europe today that one of the key challenges facing organizations in this context is to understand what exactly is being regulated.
He shared several key tips to help chart a path through this legal complexity.
Massey argued that while EU laws can be “incredibly objective” and blunt, with little detail, explanation or context, they have more recently enshrined the principle of “proportionality.”
This means organizations must interpret the objective elements of such laws subjectively, taking a number of factors into account.
“In assessing the application of law, an entity must understand and take into account its size, overall risk profile and the nature, scale and complexity of the services, and activities and operations it undertakes,” said Massey.
“This is critical for every single organization. For me, I’d focus on this more than anything else when you think about compliance programs, and understand how cybersecurity trends are changing. It’s not really how they’re changing generally, but how they’re changing for you contextually within your organization.”
## A Three-Point Plan
Taking DORA and NIS2 as his guide, Massey explained that organizations should consider the following:
- Accountability and governance: From the outset, organizations must understand “what their business is doing, where it’s doing it, what its risk profile is,” and document it all, with oversight at all levels of the organization
- Supply chain risk: Take measures to assess supply chain risks and vulnerabilities, and address them via education, contract and/or review and monitoring “to ensure the vulnerability on the supply chain doesn’t escalate to the regulated organization”
- Risk assessment and management: Implement policies, procedures and tools – including reporting lines – to address risk. Organizations should also put in place robust security controls and advanced resilience testing systems, and ensure clarity of decision-making to accelerate incident response