What SMBs need to know about the new EU cybersecurity regulations


With cybercrime continuing to rise, the EU has been drafting new legislation that will have an impact on every business. The General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive will require companies to comply with, or at least act on, certain cybersecurity requirements. What do they mean for small businesses and how they manage their security?

In essence the new regulations aim to deliver a more security-conscious business community. The legal framework that currently applies to all forms of digital data that your business might hold about customers or commercial partners will now need to be strengthened. Your business may have already dealt with the so-called 'cookie law' which now governs opt-ins to your website and how personal information is used. The GDPR goes much further.

Adam Palmer, director of international government relations at FireEye explained: "The NIS Directive is focused purely on security while the GDPR is focused on data privacy. They each have different rules and scope. The GDPR applies to any entity that processes the personal data of EU residents related to the offering of goods or services or to monitor their behaviour.

"The NIS Directive applies more narrowly to 'operators of essential services' and digital service providers with 50 or more employees. The NIS Directive requires that entities within the scope of the NIS Directive implement 'state of the art' security measures that 'guarantee a level of security appropriate to the risk'."

The changes that Brussels wants to make treat, in essence, all information relating to a consumer or business partner as 'personal', and as such it must have strong security applied to it. With so much personal information shared across the EU every second, it's hoped that the new regulations will make that information much more secure.

The GDPR regulations apply to medium-sized businesses with 250 employees or more. And the stated penalties look set to be high at €20 million (around £15.8 million, or $23.2 million) or 4% of annual turnover, whichever is the higher.


Advantages of a proactive approach

Says Jason du Preez, CEO of Privitar: "Our global economy is dependent on data driven decision-making. Entire industries are being transformed by using data to create personalised products and services in every sector imaginable. The GDPR represents a sea change in how big data analytics investments can be designed, delivered and leveraged.

"Organisations have two years to comply with GDPR, but those that are proactive can gain competitive advantage by winning customer trust. The more customers understand how their data is being used and for what purpose, the less likely they are to opt out simply because they do not understand the arrangement in place."

For most organisations that fall under the scope of the new regulations, a new post of Data Protection Officer (DPO) will be needed if their business processes require the storage and manipulation of certain categories of data.

Andy Green, senior technical content specialist, Varonis, explains: "The GDPR is a huge, complex law. And the writers of the regulations were aware that teeny or small businesses would not be able to deal with all of it.

"They made some exceptions to the more burdensome requirements, and they also gave the DPAs (Digital Protection Authorities), for example, the power to take into account the size of the business in terms of applying the law – proportionality, in their words.

"For example, SMBs are generally relieved of the requirement of hiring a DPO. There are also exceptions made for DPIAs (Data Protection Impact Assessments), which are a new requirement for documenting the effects of collecting very sensitive data. Other documentation requirements are also lessened for SMBs.

"My overall feeling is that if a small/medium business follows the ideas of 'Privacy By Design', which is referred to a lot in the GDPR, they'll be fine – especially the principles of minimising data collection of personal data and keeping consumer records longer than need be."
