GDPR, PSD2, and NIS: The Role of Security Awareness Training

There has been a lot of talk about pending GDPR requirements and the penalties associated with non-compliance, but GDPR is not the only EU cybersecurity legislation that will be affecting organizations in the near future. Alan Levine, a former Fortune 500 CISO and current Security Advisor to Wombat, spoke to Wombat Wisdom Conference attendees last month about the GDPR and two other regulations — PSD2 and the NIS Directive — and discussed the role he believes employee security awareness training will play with regard to organizational compliance with these laws.

Following, we offer quick overviews about the GDPR, PSD2, and the NIS Directive; Levine’s take on these pieces of legislation; and links to additional resources.

GDPR

Full name: General Data Protection Regulation

Date of entry into force: May 2016

Date that rules apply: May 25, 2018

A bird’s eye view: The GDPR brings a major update to Europe’s data protection regulations and has been several years in the making. It is designed to boost EU residents’ privacy protections; improve organizations’ data handling and security practices; and set forth requirements for breach notification.

Who must comply: Any company that processes or retains the personal data of any EU resident is subject to GDPR compliance, regardless of the company’s physical location. As noted on eugdpr.org, the definition of ‘personal data’ is broad:

Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Penalties for non-compliance:  Organizations can be fined up to 4% of annual global turnover or €20 million (whichever is higher).

Security awareness training requirement: Though awareness will likely prove to be a pivotal component of compliance, the GDPR text does not include an end-user security awareness requirement.

Levine’s take: “This is a personal data privacy regulation — but security is what will enable compliance. Even without an explicit awareness training stipulation, you can see the need for end-user education; just as one example, GDPR Article 39 essentially defines the Data Controller role as a security role. Those who are handling personal data of EU residents must know how to do that in a safe, secure, compliant manner.

“With accountability a huge emphasis within GDPR — and fines having the potential to cripple non-compliant companies — organizations must take this seriously. Expect examples to be made shortly after the May 2018 deadline, and don’t be surprised when an American company or other non-EU-based entity is one of the first to face a sizable fine.”

Additional resources:

Information Commissioner’s Office, Overview of the General Data Protection Regulation (GDPR)

Industry Today, “20 Million Reasons Why You Must Be GDPR Compliant”

Gartner Newsroom, “Gartner Says Organizations Are Unprepared for the 2018 European Data Protection Regulation”

Start raising end-user awareness levels now. Our free Cyber Security Awareness Month program can help.

PSD2

Full name: Revised Payment Services Directive

Date of entry into force: January 12, 2016

Date that rules apply: January 13, 2018

A bird’s eye view: PSD2 establishes comprehensive rules for payment services, with the intent to improve the efficiency, ease, and security of international payments (within the EU). It is also designed to open the door to new entrants into the payment markets in an effort to generate more competition and provide greater choice and better prices to consumers. As well, the directive provides a legal basis for the Single Euro Payments Area.

Who must comply: EU Member States must incorporate the directive into their national laws by January 13, 2018. Participating payment services organizations will be required to comply with the directive.

Penalties for non-compliance: Per the Payment System Regulator (PSR) — an independent economic regulator in the UK — "The interpretation of what PSD2 requires and how parties comply with it are ultimately questions of European law for the national and EU courts. We cannot provide definitive interpretations."

Security awareness training requirement: Though the directive sets forth strict rules related to payment security, customer data protections, transparency, and user rights and obligations, there is no stipulation for end-user awareness training within this directive.

Levine’s take: "A significant component of PSD2 centers around trust. Consumers must trust established institutions and new players. Trust begins with good security, and good end-user security begins with awareness and training.

"Institutions will be relying on their employees to protect transactions and consumer data; the success or failure of employees to do those things well will have significant implications for payment service providers. If organizations are not confident in their end users’ knowledge of cybersecurity best practices, awareness and education programs should be implemented sooner rather than later."

Additional resources:

Legislation summary, Revised Rules for Payment Services in the EU

Banking Technology, “Infographics: PSD2 Explained”

Payment Systems Regulator, “The PSR confirms how it will monitor and enforce new EU rules on access to payment systems”

NIS Directive

Full name: Directive on Security of Network and Information systems

Date of entry into force: August 2016

Dates that rules apply: May 9, 2018 and November 9, 2018 (see details below)

A bird’s eye view: The NIS Directive is designed to raise the overall level of cybersecurity across the EU by establishing common standards for preparedness, cooperation, response, and security awareness. The directive is aimed at EU Member States as a whole as well as specific operators of essential services within those states.

Who must comply: EU Member States must incorporate the directive into national law by May 9, 2018, and identify operators of essential services by November 9, 2018. Organizations and entities established within the directive will be responsible for compliance.

Penalties for non-compliance: Member States (not the EU) are responsible for setting and penalties for non-compliance, though the directive does stipulate that the penalties be "effective, proportionate, and dissuasive."

Security awareness training requirement: The NIS Directive does set forth requirements for education, awareness, and training programs that relate to network and information security.

Levine’s take: "As part of the NIS Directive, organizations and entities are expected to establish and sustain cybersecurity training programs; document sharing of best practices; and work to elevate user behaviors in general. Awareness and education are — rightfully — deemed to serve an elemental role in the overall cybersecurity framework of critical infrastructure services and systems.

Though it’s true that, of the three pieces of legislation discussed here, only the NIS Directive specifically requires security awareness and training, compliance with all three will heavily rely on good end-user security."

Additional resources:

Legislation summary, Directive…concerning measures for a high common level of security of network and information systems across the Union

Digital Guardian, What Is the NIS Directive? Definition, Requirements, Penalties, Best Practices for Compliance, and More

European Commission, “State of the Union 2017: The Commission scales up its response to cyber-attacks”