Autumn 2015 Staffing Industry Review Europe / 9

As the digital economy continues to grow, cyberattacks are increasing in frequency and magnitude. While some hackers infiltrate systems to prove a point, increasingly sophisticated criminals are targeting businesses that handle large quantities of personal data. These attacks result not just in the loss of data but can cost affected companies millions of euro.

The European Commission estimates that, on a daily basis, there are 150,000 computer viruses in circulation and 148,000 computers compromised. According to Statista, the US had the highest average cost of cybercrime per company in 2014 at €9.56 million, while Germany was second with €6.25 million. The UK ranked fifth, behind Japan and France, with €4.47 million in damages per company.

It is not just crime that businesses need to protect themselves against, but also human errors, natural disasters and technical failures, as well as malicious events.

In 2013, the European Commission published its cybersecurity strategy entitled, “An Open, Safe and Secure Cyberspace,” intended to “further European values of freedom and democracy and ensure the digital economy can safely grow.” It is likely there will be a new directive in place by the end of this year to ensure a high common level of network and information security across the European Union. The Network and Information Security Directive (NIS Directive), which must be approved by the Council of Ministers from all 28 nations, is likely to be adopted together with the proposed Data Protection Regulation.

There is currently a fragmented approach across the EU with regard to national preparedness for security breaches and no effective mechanism at the EU level for cooperation between member states to share information or to intervene to ensure effective prevention and response. The commission concluded that a voluntary approach would not work and that regulation was needed to create a level playing field and to close legislative loopholes.

As a result, the NIS Directive requires member states to ensure a high level of security of the network and information systems within their jurisdiction by:

  1. Adopting a national strategy for network and information security (NIS) to define the roles and responsibilities of government and key players; and to identify measures on preparedness, response and recovery plus cooperation between public and private sectors;
  2. Establishing a national competent authority or regulator to monitor the application of the directive’s objectives; and laying down sanctions for infringement that are both proportionate and dissuasive;
  3. Setting up a computer emergency response team (CERT) responsible for handling incidents and risks according to a well-defined process;
  4. Forming, together with the European Commission, a cooperative network of competent authorities across Europe to circulate early warnings on risks and incidents; and to share knowledge and best practice; and
  5. Ensuring that public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of their systems. The “market operators” identified by the proposals include critical infrastructure providers involved in supplies of energy and transport as well as banking, financial markets and the health sector.

Member states will have 18 months from the date of adoption of the NIS Directive to put in place the national strategy, authorities and legislation.

Effect on Staffing

It is unlikely staffing firms will be directly affected by the need to take measures to protect security, or to notify breaches to the national authority that will oversee the strategy. But any business processing personal data will be required under the forthcoming Data Protection Regulation to operate tighter controls in the management of that data. Regardless of any regulatory compulsion, clients operating in the market sectors identified by the NIS Directive will expect a high standard of security from their suppliers, with processes in place to protect any confidential information relating to their business.

It is also hoped that the benefits of an EU-wide system for monitoring threats and sharing knowledge and best practices will be felt by Internet users across the European Union, making digital operations a less risky way of doing business.