Anyone who works with flows, logs and other sources of information to protect network and information security should already be familiar with Recital 49 of the GDPR, where European legislators explained why that was (subject to a risk-based design) a good thing. Now the European Commission has published its draft of the replacement Network and Information Security Directive (NIS2D), it’s interesting to see how that thinking has been refined. Comparing Recital 69 of NIS2D with Recital 49 of GDPR gives us an update of what, how and why the Commission think we should be doing to defend networks, systems, users and data.
Both start with exactly the same premise:
processing … for the purposes of ensuring network and information security … constitutes a legitimate interest of the data controller concerned
But, while GDPR moves straight to examples of what defenders “could” try to achieve:
preventing unauthorised access … and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems
NIS2D starts with a much more complete description of the classical process for protecting systems that we “should” be following:
measures related to the prevention, detection, analysis and response to incidents
and recognises that this cannot be done by individuals or teams working alone:
to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure … voluntary exchange of information on those incidents, cyber threats and vulnerabilities, IoCs, tactics, techniques and procedures, cybersecurity alerts and configuration tools
The change from “could” to “should” reflects the move by Data Protection regulators (in their Opinion on Breach Notification, and subsequent fines) from viewing incident detection and response as something that is permitted to something that is required.
And the explicit recognition of the need for defenders to share information is very welcome, as this was one area where there remained some nervousness about whether GDPR might require European teams to reduce their sharing activities. Here we have a very clear statement to the contrary: information sharing “should” be happening, and the legal framework for it is the same legitimate interests basis as for our internal system defence activities.
Finally, there’s an interesting shift between the two laws in why network and information security matters. GDPR’s examples – unauthorised access, malware and DoS – are incidents that harm individuals. But NIS2D Recital 3 adds a much broader perspective:
cyber incidents can impede the pursuit of economic activities …, generate financial losses, undermine user confidence and cause major damage to … economy and society
I think that may also signpost a clearer legal framework for international sharing than the current patchwork of relevant GDPR measures, but I’m still working on that idea.
Note also that, although the main focus of the NIS2 Directive is National CSIRTs and Critical Infrastructures, Article 27 is explicit that “entities falling outside the scope” must be included in information sharing. Together with the exact repetition of Recital 49’s motivating sentence, that seems a clear justification for reading Recital 69 back to the full GDPR scope: i.e. – according to the Article 29 Working Party Opinion – all data controllers.