On 10 November, the European Parliament adopted a new EU directive that obliges businesses offering essential services to protect themselves adequately against cyberattacks. It applies to companies such as supermarket chains and courier services. Bernold Nieuwesteeg, director of the Centre for the Law and Economics of Cyber Security (CLECS) at Erasmus School of Law, is enthusiastic about the new directive, but doubts whether the government can effectively supervise compliance, given its lack of cyber expertise.
Once the rules are implemented, the businesses concerned will have to meet stricter security requirements and will be obliged to report cyberattacks. In addition, for the first time, the supervisory authority will be able to suspend a company's CEO if that person fails to maintain an adequate level of cybersecurity. However, the exact conditions for such a suspension still have to be worked out. The new directive is a good stimulus for companies, Nieuwesteeg explains to De Telegraaf: “Businesses that are the victim of a ransomware attack are often hesitant to share their experiences. They often do not share when they have paid a ransom. Sharing this information is useful for others to learn from.”
The new directive and the eventual implementation of the new laws are a step in the right direction. Still, the success of this directive is not yet guaranteed, reckons Nieuwesteeg: “How is the government going to check a company’s cybersecurity? Many smart cyber experts work in the private sector. It would be weird for the government to employ those specialists because they also provide the same cybersecurity services. That’s like marking your own exam.”