Laws with cybersecurity requirements: time for the lawyer to wear a hoodie and for the CISO to put on a lawyer’s gown. [because we all know that’s how the other profession dresses 100% of the time]
For years I have been stressing the need for cybersecurity and legal teams to work as one – and to ensure that cybersecurity isn’t left to technical teams but made into a core company-wide strategy discussed at Board/Management level.
Recent laws increasingly contain technical cybersecurity obligations. The UNECE Regulations for cybersecurity & software updates in the automotive sector were a good example [read here a piece I wrote while at my previous law firm: https://lnkd.in/dA9-ucgj ].
The newest one is an EU Commission Delegated Regulation of 11 March 2024 “establishing a network code on sector-specific rules for cybersecurity aspects of cross-border electricity flows”, which complements and is aligned with the NIS2 Directive.
This Delegated Regulation covers *a lot*, such as:
– Broad objectives for a cybersecurity management risk system (including a requirement for “senior management [to be] informed of relevant legal obligations and [to] actively contribute[…] to the implementation of the cybersecurity management system through timely decisions and prompt reactions”)
– Requirements to comply with any “minimum cybersecurity controls”, covering a wide range of topics, from background checks (which must be “proportionate and strictly limited to what is necessary” and in accordance with the GDPR / data protection rules) to “traceability of the application of the cybersecurity specifications from the development through production until delivery of ICT products, ICT services or ICT processes”
– An obligation for authorities to collaborate on a “matrix to map the controls set out in [Art. 28(1)(a) & (b) of the Delegated Regulation] against selected European and international standards as well as relevant technical specifications”
+ much more
Recommended reading even if you aren’t in that specific sector (electricity), as it shows what might be coming to other sectors too.
What does this mean?
*WORK TOGETHER*: Ensure you have a conversation with all stakeholders, as you need each other’s expertise.
*GET ADVICE*: Your usual advisor/legal/consultant is unlikely to have the full breadth of expertise to cover all aspects (legal & infosec in particular), so get people involved who *can* help.
*MAKE IT FUTURE-PROOF*: You need a cybersecurity strategy that will work in the long run (internal structure, resources, etc.).
*GET BUY-IN*: Everyone needs to be involved: top to bottom, all contribute to the strategy.
Link to Delegated Regulation: https://lnkd.in/e4Krgu5T
Need help? Reach out!