Cyber laws must explain how businesses can collaborate on risk protection, says expert

Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that many businesses are not sure what they can do to collaborate on cyber security issues and said that part of the problem lies with a lack of clarity offered by policy makers.

Scanlon was commenting after a new report by the European Union Agency for Network and Information Security (ENISA) (42-page / 3.69MB PDF) highlighted some shortcomings in the way some countries have drawn up national cyber security strategies (NCSSs). The report said that 18 of the 28 EU member states have a NCSS.

The report identified a range of objectives contained within existing EU NCSSs, but said that some of the objectives were "rather generic". The objectives include plans to create new cyber security legislation and "establish and clarify roles in collaboration between the public and private sector".

However, EU countries with NCSSs often fail to explain how their desired outcomes from the strategies link to the objectives they have set out, ENISA said.

"Overall, our review has found that most NCSS articulate objectives and outcomes in broad socioeconomic terms," the ENISA report said. "Action areas, available and projected resources and the processes that need to be put into place while implementing the strategy are often not clearly defined. Outputs are often easier to identify in the strategies; however, their relationship to the objectives is often not clearly defined."

"Although these aspects may be captured in implementation guides, the programmatic approach and agenda-setting that is often the goal of the adoption of the NCSS could be better supported by clearly articulated lines of causality and intervention logic," it said.

Scanlon said that gap between NCSS objectives and outcomes causes businesses a problem in relation to their understanding of what they can do in practice to participate in initiatives on cyber risk information sharing.

"Many organisations remain unclear about the extent they can engage in cyber risk protection initiatives," Scanlon said. "It is important for legislators to address this issue as a matter of priority."

A new cyber security information regime is envisaged under the proposed new EU Network and Information Security (NIS) Directive. Out-Law.com reported on Monday that the NIS Directive could be finalised this month.

One of the issues that businesses must grapple with when sharing information is compliance with data protection rules.

Last week, data protection expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that financial services companies would benefit if policy makers explained in more detail the interaction between data protection laws and disclosure requirements they face.