Regulatory frameworks your organisation must comply with to ensure its cyber security

Ercom
11 June 2024


According to statista.com, "Globally, the monetary damage caused by cyber crime was around seven trillion U.S. dollars in 2022, estimated to reach 8.15 trillion U.S. dollars in 2023." The private sector bears roughly three quarters of this cost, the public sector the remaining quarter.

In response to this phenomenon, a number of regulations and standards have been introduced in recent years.

What regulatory frameworks need to be observed? How can the government help the private sector to strengthen its cyber security?


What legislation is needed to ensure organizations are secure?


There are different levels of regulation for organizations: 


  • Personal data protection legislation: 

    All organizations established in the EU, and any organization processing the personal data of people in the EU, must comply with the General Data Protection Regulation (GDPR). It sets out the obligations that apply when collecting, storing and processing personal data. The GDPR formalizes founding principles, such as the obligation (Article 32) to "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk"; the same article names pseudonymisation and encryption of personal data among those measures. 

    It replaced the 1995 Data Protection Directive and builds on national laws which already required organizations to protect personal data against unauthorized or unlawful processing, as well as against accidental loss, destruction and damage. Compliance is not optional: the supervisory authority in charge of enforcement (the CNIL in France) can issue a formal notice and impose fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. 


  • Sector standards: 

    Depending on their industry, organizations are subject to additional legal requirements. For instance, in the medical sector in France, health data must be stored by a host holding HDS (Hébergeur de Données de Santé) certification. Operators of Vital Importance (OIVs) in France are required, whatever their sector, to comply with the French Military Programming Law (LPM), which specifies the cyber security measures to be taken to protect their Information Systems of Vital Importance (ISVIs).

    The new NIS2 Directive, which member states must transpose into national law by 17 October 2024, covers a wide range of sectors: healthcare, finance, transport, telecommunications and digital infrastructure, public administration, space, social networking platforms, etc. It requires the "essential" and "important" entities operating in these fields to notify significant security incidents to the national authority (ANSSI in France), with an early warning within 24 hours and a full notification within 72 hours, to adopt cyber risk management measures covering their supply chain, and to assess the effectiveness of those measures through security tests and audits.


  • Internal regulatory framework: 

    As well as complying with legal requirements, organizations must draw up their own cyber security policies. These can be formalized in an Information Systems Security Policy (ISSP, or PSSI in French). This internal framework sets the security rules to be enforced, the processes for storing and processing data and the procedures to follow in the event of an incident, and makes each employee responsible for applying good cyber security practices. 


How can the government strengthen cyber security?

The role of a government is to help organizations defend themselves against cyber attacks in order to protect national interests. It draws up the laws and regulations that govern the security of information systems and online activities.


Beyond this regulatory aspect, the government supports private players in a number of ways: 


  • Providing surveillance and protection:

    Government agencies such as ANSSI in France continuously monitor cyber threats, identify new methods used by attackers, and raise awareness among organizations in order to prevent cyber attacks. These agencies are also tasked with balancing national security against the privacy of citizens.

  • Promoting international cooperation:

    Effective collaboration between governments promotes the sharing of information, best practices and expertise, all of which help governments protect organizations from cyber attacks. The Budapest Convention, the Council of Europe's 2001 Convention on Cybercrime signed by a large number of countries, is an international treaty which provides a framework for mutual assistance between states in the fight against cyber crime. International cooperation can also lead to large-scale police operations to dismantle cyber crime networks, through Interpol for instance. 

  • Encouraging cybersecurity: 

    Cost is the main barrier preventing organizations from adopting cyber security solutions, and some countries offer tax incentives to lower it. This is the case in Belgium, which allows 13.5% of the amounts invested in cyber security to be deducted from taxable profits.


France, for its part, is focusing on building a national cyber security industry: supporting the companies in this sector, developing training for cyber security professionals, and promoting French solutions.

To ensure cyber security, organizations need to comply with European, national and industry-specific regulatory frameworks. They can also define their own internal cyber security policies. For their part, governments are carrying out fundamental work, both to protect organizations from cyber threats, and to encourage them to adopt robust, sovereign cyber security solutions.