#Infosec2024: 104 EU Laws Have Different Definitions of Cybersecurity
There are currently over 100 pieces of pending or existing EU legislation, all of which define cybersecurity differently, a leading data protection lawyer has claimed.
Ropes & Gray partner, Rohan Massey, told attendees at Infosecurity Europe today that one of the key challenges facing organizations in this context is to understand what exactly is being regulated.
He shared several key tips to help chart a path through this legal complexity.
Massey argued that while EU laws can be “incredibly objective” and blunt, with little detail, explanation or context, they have more recently enshrined the principle of “proportionality.”
This means organizations must interpret the objective elements of such laws subjectively, according to a number of factors specific to their own situation.
“In assessing the application of law, an entity must understand and take into account its size, overall risk profile and the nature, scale and complexity of the services, and activities and operations it undertakes,” said Massey.
“This is critical for every single organization. For me, I’d focus on this more than anything else when you think about compliance programs, and understand how cybersecurity trends are changing. It’s not really how they’re changing generally, but how they’re changing for you contextually within your organization.”
A Three-Point Plan
Taking DORA and NIS2 as his guide, Massey explained that organizations should consider the following:
- Accountability and governance: From the outset, organizations must understand “what their business is doing, where it’s doing it, what its risk profile is,” and document it all, with oversight at all levels of the organization
- Supply chain risk: Take measures to assess supply chain risks and vulnerabilities, and address them via education, contract and/or review and monitoring “to ensure the vulnerability on the supply chain doesn’t escalate to the regulated organization”
- Risk assessment and management: Implement policies, procedures and tools – including reporting lines – to address risk. Organizations should also put in place robust security controls and advanced resilience testing systems, and ensure clarity of decision-making to accelerate incident response