Regulatory frameworks your organisation must comply with to ensure its cyber security
In 2022, cyber attacks cost French organisations around €2 billion. The private sector accounts for three quarters of this cost, and the public sector for a quarter. In response to this phenomenon, a number of regulations and standards have been introduced in recent years.
What regulatory frameworks need to be observed? How can the government help the private sector to strengthen its cyber security?
What legislation is needed to ensure organisations are secure?
There are different levels of regulation for organisations:
Personal data protection legislation:
All European organisations must comply with the General Data Protection Regulation (GDPR). It includes a series of measures to be enforced when collecting, storing and processing consumers' personal data. The GDPR formalizes founding principles, such as the obligation to "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk", which can be met by measures such as data encryption, for example.
It supplements national regulations which already required organisations to protect personal data against unauthorized or unlawful processing, as well as against accidental loss, destruction and damage. It is imperative to comply with these laws, or risk receiving a formal notice from the regulatory body in charge of enforcing the law and incurring a fine.
Sector standards:
Depending on their industry, organisations are subject to additional legal standards. For instance, this is the case in the medical industry where health data must be stored by an HDS-certified host. Operators of Vital Importance (OIVs) in France are required, regardless of industry, to comply with the French Military Programming Law, which specifies the cyber security measures to be taken to protect their Information Systems of Vital Importance (ISVIs).
The new NIS2 Directive covers a wide range of industries: healthcare, finance, transport, telecommunications, public administration, space, social networks, etc. It requires European organisations operating in these fields to report security incidents to ANSSI, adopt a cyber risk management strategy, and conduct security tests and audits.
Internal regulatory framework:
As well as complying with legal requirements, organisations must draw up internal cyber security policies. These can be formalized in an Information Systems Security Policy (ISSP). This internal approach establishes the security rules to be enforced, processes for storing and processing data, protocols to be followed in the event of an incident and makes each employee responsible for applying best cyber practices.
How can the government strengthen cyber security?
The role of a government is to help organisations secure themselves against cyber attacks in order to protect national interests. It draws up laws and regulations to secure information systems and online activities.
Beyond this regulatory aspect, the government supports private players in a number of ways:
Providing surveillance and protection:
Government agencies, such as ANSSI in France, constantly monitor cyber threats, identify new operating methods used by hackers, and raise awareness among organisations to prevent cyber attacks. They are also tasked with balancing national security and the privacy of citizens.
Promoting international cooperation:
Effective collaboration between governments promotes the sharing of information, best practices and expertise. These are all valuable resources for governments to protect organisations from cyber attacks. The Budapest Convention, signed by a number of countries, is an international treaty which provides a framework for inter-state mutual assistance in the fight against cyber crime. International cooperation can also lead to large-scale police operations to dismantle cyber crime networks, through Interpol for instance.
Encouraging cybersecurity:
Financial cost is the main barrier to organisations adopting cyber security solutions. Some countries don't hesitate to offer tax incentives. This is the case in Belgium, which allows 13.5% of the amounts invested in cyber security to be deducted from taxable profits.
France, for its part, is focusing on the development of a national cyber security industry, by supporting organisations in this industry, developing training for cyber security professionals, and promoting national offers.
To ensure cyber security, organisations need to comply with European, national and industry-specific regulatory frameworks. They can also define their own internal cyber security policies. For their part, governments are carrying out fundamental work, both to protect organisations from cyber threats, and to encourage them to adopt robust, sovereign cyber security solutions.