EU Cyber Security Directive Poses Risk Challenge for European Corporates

New European Union (EU) legislation on cyber security will result in complex technological, process and governance challenges for organisations across Europe, according to Marsh.

The insurance broking and risk advisory group reports that following a vote earlier this month by the EU’s committee on civil liberties, justice and home affairs (LIBE), far-reaching changes to data protection regulation, which will replace 1995’s Data Protection Directive (95/46/EC), are a step closer to being introduced next year.

The new regulation means that as well as redesigning their IT systems, companies involved in the collection and processing of personal data will also be required to update their compliance procedures.

Designed to respond to the evolving technological environment in which EU citizens live and work, the measures detailed in the proposed regulation include: fines of up to €100m or 5% of global turnover, whichever is the greater; stringent authorisation regarding the transfer of data to non-EU countries; the ‘right to be forgotten’; and the appointment of a data protection officer in organisations that process more than 5,000 records in a 12 month period.

“The cost to business of implementing the changes required to comply with this piece of regulation may be significant, but the cost of failing to comply could be far greater,” said Stephen Wares, Marsh’s cyber liability practice leader for Europe, the Middle East and Africa (EMEA).

“It is clear that there is a strong will from the EU to give national regulators increased powers, with the suggested fining structure acting as an effective deterrent for non-compliance.

“While the deadline for implementation next year remains fluid, organisations should start considering the effect of the regulation on their operations and begin a process for ensuring compliance. Firms should also consider the effectiveness of their existing insurance arrangements and whether there are other alternatives that could more adequately provide the protection needed to reflect their changing risk profile.”


Related reading