Compliance is evolving — Is your resilience ready?

  • July 18, 2025
  • Roubens Andy King

Life is changing fast for privacy professionals.

A decade ago, our focus was making sure our organizations were being transparent and thoughtful about collecting individuals’ personal data and giving them choice about the handling of their data, meticulously safeguarding it, and advising on obligations and best practices in the event personal data was compromised.

Today, I still do all these things, but as the cyber security regulatory environment has changed, my scope has grown to include not only keeping personal data private, but also how to handle threats to the integrity and availability of the services processing that personal data.


This means I spend a lot of time with Cloudflare product and engineering teams on matters related to the availability and resilience of our products. We work on developing ways to measure the effects of outages, determining which incidents must be reported and, when necessary, actually shaping the report and response.

I’m not alone in perceiving a shift in the privacy and compliance world. More than 80% of privacy professionals are tasked with working beyond their more traditional privacy duties, according to the International Association of Privacy Professionals’ 2024 Privacy Governance Report.

Cyber security regulatory compliance has become the second-most-common new responsibility among respondents whose remits are growing. In addition to protecting privacy, we now need to ensure our organizations are reducing cyber risks and enhancing resilience.

Emily Hancock

Navigating new regulations

The change in the role of privacy professionals reflects a major shift in the data regulation environment. Over the last two years, a series of new regulations has made resilience and risk management as essential to compliance as data privacy always has been.

Starting with the European Union’s General Data Protection Regulation (GDPR), the first wave of major data privacy and security regulations focused on protecting individuals from the harm of having their data compromised.

Compliance with GDPR, the California Consumer Privacy Act, and other similar regulations meant respecting the rights of data subjects, limiting the amount of personal data organizations collected, and protecting that information from unauthorized disclosure and bad actors.

Three new regulations

Three new regulations that have taken effect since 2023 are representative of how compliance is changing: the Network and Information Security 2 (NIS2) directive, the Digital Operational Resilience Act (DORA), and the U.S. Securities and Exchange Commission (SEC) Cybersecurity Rule.

In Europe, NIS2 aims to improve digital resilience and security practices across 18 sectors, while DORA focuses on risk in IT management in the financial sector. The SEC’s new rule raises security and reporting standards for publicly traded American companies.

Because it covers so many industries across all of Europe, NIS2 may have the broadest impact of the three. NIS2 challenges organizations to assess risk more thoroughly, handle incidents more quickly, and do more to ensure business continuity. NIS2 requires organizations to address:

  • The visibility of all IT assets across environments, enabling comprehensive risk assessment and proactive incident handling.
  • The security of the software supply chains that support critical systems.
  • Security across the entire lifecycle of network and information systems.
  • The vulnerability of mission-critical web applications to third-party threats.
  • Encryption, access control, and authentication for a range of user types, devices, and systems.

Security, privacy, and resiliency requirements

NIS2 also imposes those security, privacy, and resiliency requirements on a wider collection of industries and organizations than its predecessor, the original Network and Information Security Directive (“NIS”). NIS applied to several sectors that function as crucial national infrastructure, including energy, transportation, banking and finance, water, and healthcare.

NIS2 adds wastewater management, the space industry, public administration, and managed business-to-business IT services to that group. It also adds six new industries to the “important” category: waste management, food processing, research, post and courier services, chemical production and distribution, and certain types of manufacturing.

Firms in both categories face the same basic requirements, but NIS2 mandates that organizations in essential sectors proactively demonstrate compliance. Crucially, NIS2 requirements also flow through covered organizations to the third-party data processors they employ.

Under NIS2, medium-sized organizations (those with more than 50 employees or €10 million in annual turnover) in essential or important sectors in the EU are now subject to exacting security standards. Failure to comply has potentially ruinous consequences: fines of up to 2% of global revenue for “essential” sector firms and 1.4% for “important” ones. Persistent non-compliance can lead to suspension of services or responsible employees.

The net effect: more companies in more industries are subject to rigorous security and resiliency standards. And privacy teams play a key role in helping meet those requirements.

Building on existing privacy investments

Many of the organizations covered by NIS2 are addressing stringent cyber security regulations for the first time. They’re doing so while also managing the complexity that confronts all of us in modern IT as they operate across on-premises systems, cloud computing deployments, and edge devices.

NIS2 identifies 10 risk management measures that covered entities must take. They include assessing and planning for a wide range of hazards, from supply-chain vulnerabilities and natural disasters to network outages and human error. That complicated mix of risks crisscrosses the physical and digital worlds.

But there’s good news for covered organizations and the privacy teams stretching themselves to ensure compliance: Many of the efforts they’ve already taken to build mature, comprehensive privacy programs can be leveraged to aid in compliance with cyber security regulations.

For instance, NIS2’s risk assessment mandates require covered firms to inventory all assets in their IT estates. DORA does the same for companies in finance. Existing data maps developed for privacy purposes give organizations a head start on understanding their asset collections and the risks facing them.

Privacy teams play an essential role in meeting the incident handling demands of NIS2 and other new regulations. For example, we help determine when incidents meet the reporting threshold and work with observability teams to ensure our organizations have the data we must share with regulators and the public.

Achieving compliance without adding complexity

However sturdy your foundation, meeting NIS2’s mandates presents new technological challenges. For many organizations, business continuity depends on continuous availability of web applications. That means protection against distributed denial-of-service (DDoS) attacks at the network, transport, and application layers.

Covered firms also have a new level of accountability for the security of the third-party apps they use and the software supply chain underlying their stacks. The stiff penalties for non-compliance make the fundamentals of cyber security more important than ever: pre-empting phishing and malware attacks, access control and management, and the appropriate use of cryptography, encryption, and multi-factor authentication (MFA).

There’s no single system or piece of software that can take on those challenges. It’s a matter of strategy — a mix of technology, policy, procedure, and ingenuity. But the tools do matter. And choosing security solutions suited to the evolving regulatory environment can reduce complexity and cost as organizations pursue compliance.

Three key questions to ask

Here are three key questions to ask as you assess cyber security solutions in light of NIS2:

1. Are these solutions versatile enough for complex IT environments? There are point solutions that may be well suited to individual aspects of NIS2 compliance, but weaving several of them into hybrid environments can complicate management and leave security gaps.

2. Do they make visibility simpler? Inventorying IT assets, identifying potential security issues, and quickly investigating threats are essential to NIS2 compliance. The right security platform will deliver visibility and reporting on demand.

3. Are they built for business continuity? Interruptions to web applications threaten essential services. Look for solutions that reduce web downtime with multiple layers of protection against attacks.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
