It’s May, which means GDPR will take effect in a matter of days now, not months. Along with it, we have new legislation around the protection of digitally enabled critical infrastructure in the Network and Information Security (NIS) Directive, also going live this month. And there is still more to come in the EU: the draft Cybersecurity Act and its proposed EU cybersecurity certification framework, currently going through the European Parliament, plus the Electronic Communications Code, which will update regulations for Europe’s telecom industry, includes security requirements for those companies, and is nearing the final stages of negotiation in Brussels.
Think of May, then, as the start of ongoing change. We use technology every day, and the digital world touches every part of our lives. GDPR, NIS and other changes in regulation are set up to ensure every organisation takes seriously its cybersecurity responsibilities. This is good, right?
Yet I face mixed emotions. Every day, I hear from some organisations how they are preparing well for GDPR, and yet others, at this late date, are still asking questions that indicate they are ill-prepared and don’t have a good grasp of the requirements. Some organisations still talk of waiting for the first fines to hit those around them before they take it seriously.
So, what can we expect?