A lack of experts, little education and poor preparedness to withstand cyber incidents: these are only some of the challenges inherent in cybersecurity. We spoke to Štefan Pilar, a lawyer at Bukovinský & Chlipala, about the future of cybersecurity legislation in Slovakia and at the European level in general.
So what are the legislative challenges in the area of cybersecurity for 2022?
Legislation has its pleasant side, namely predictability. By the time a particular regulation comes into force, the addressees have sufficient time to familiarise themselves with its content in draft form. Selected stakeholders can comment on the draft regulation. In the case of European legislation, there is considerably more time. Some regulations take years to develop. Many regulations give obliged persons a transitional period during which they have time to implement and comply with their obligations.
Unfortunately, this predictability often goes untapped. We have been living with the Cybersecurity Act in Slovakia for more than four years and its transitional periods have long since passed. Despite this, we have entities in Slovakia that have responded little or not at all to the requirements of this law. With honourable exceptions, of course. I would even dare to say that such entities are in the majority; many cybersecurity auditors could tell the story. The final audit reports attest to this.
So the challenges are many. Lack of experts, virtually non-existent education, little awareness, insufficient preparedness to withstand cyber security incidents or insufficient understanding of the purpose and substance of legislation requiring information protection. We have had this state of affairs for years, and there are certainly more to come, along with unrecognised challenges.
So is there no point in looking ahead?
There certainly is; after all, that is how it should work by default. Knowledge of incoming legislation and its new requirements is a must. But to conclude that we should just look at the horizon and wait for the next regulation would not be quite right. In Slovakia, we still owe a great debt to legislation that has been in force for years, such as the aforementioned Cybersecurity Act.
What debt do you have in mind?
It depends on the point of view, or on where to start. Let us start by saying that cybersecurity is still an abstract concept. Worst of all, even for those who are legally obliged to concern themselves with it. Many see the concept and its content as yet another bureaucratic invention of the European Union, a burden on business, or something that is not needed at all. After all, who would attack us anyway? Yet, at the other end of the spectrum, others see the concept and its content as an excellent marketing and business opportunity. Beware: their outputs often lack the necessary quality.
Why is this so?
There are a number of reasons for this, and the issue of inadequate compliance with the requirements of the Cybersecurity Act is not black and white. It would be wrong and unfair to say that everything is the fault of the addressees of these obligations. It is important to recognise that the issue of cyber security is a difficult one. There is a shortage of qualified experts not only in Slovakia, but throughout the world. We cannot be surprised at this outcome if there is a lack of sufficient awareness and education, or if the explanation of the substance of the new legislation, with its clear added value, is weak.
What do you think is the solution to this situation?
There are also several solutions, and opinions on their effectiveness vary. Some people are not interested in awareness-raising and education, but rather prefer repression. And it has to be said that in the case of the Cybersecurity Act, the latter is not insignificant. Others prefer awareness-raising and education to fines. Perhaps unconventionally for a lawyer, I am inclined towards the need for awareness-raising. Indeed, a fine is merely a coercive, perhaps also a ‘motivating’ factor, but one that represents negative emotion and coercion rather than persuasion of benefit. Raising awareness is a way of understanding the essence and moving towards a rational conviction that I need or want something. Not because I have to, but because it is important. Cybersecurity is all about people. People, in this context employees, are the greatest and often overlooked asset. And those same people also have a significant impact on security. Under the threat of sanctions, management will not do much until employees understand the risks and understand what values they are protecting. And the reverse is also true. Cybersecurity without the support of an organisation’s leadership has no chance of success.
So these are not the best prospects.
I didn’t want to be completely negative again. (Laughter.) And it has to be said that a lot of work has already been done in this area, and results cannot be expected immediately and everywhere. A typical example is the much-mentioned education, which is certainly a long haul. The important thing is to finally get on that track.
Comparing the current situation with 2018, we are generally much further ahead. Every year there are a number of conferences, seminars and training events where we see increased interest and participation. Cybersecurity is also getting more and more space in the media. The audits carried out are also very helpful in improving the situation, whereby the obliged persons are directly confronted with the reality of the situation. Last but not least, the topic of cyber security is also being pushed forward by the current poor security situation.
So we are also registering positive news. So what about legislation and 2022?
With regard to the current legislation and the old sins, it will be important to properly address the shortcomings identified by the audits. After all, we know from the information available that compliance percentages are predominantly low. So until the next audit, ideally within the next two years, these bodies will have a lot of work to do. It remains to be hoped that they take on this work responsibly and with the right people.
And the incoming legislation? We can partly look at the Cybersecurity Act as new legislation. At the European Union level, a number of certification schemes for cybersecurity products, processes or services are being developed. Let us mention the almost completed scheme for the cloud, EUCS, and the upcoming schemes for 5G, hardware, software and services. These schemes will subsequently be adopted into national conditions, where certification will be carried out by accredited entities (in Slovakia, accredited by SNAS). Certification could help not only to navigate the large number of products and services available on the market today, including low-quality ones, but also to speed up the public procurement process when evaluating whether bidders fulfil the conditions of participation.
Then there is the forthcoming NIS Directive 2, i.e. legislation following the first directive, which we can thank for the Slovak law on cyber security. If the new directive is correctly transposed into our legal order (probably in the form of an amendment to the Cybersecurity Act), we can expect an expansion of sectors and sub-sectors, obliged persons or security requirements.
And it is certainly worth mentioning the forthcoming Cyber Resilience Act, which should build on both the regulation introduced by the NIS Directive and the Cyber Security Act. This will introduce common cyber security (resilience) rules for digital products and related services placed on the EU market.
Can we expect legislative activity in Slovakia as well?
At the level of the Slovak Republic, we can expect in 2022 the issuance of a decree setting knowledge standards for certain security roles (e.g. cyber security manager) and perhaps also an amendment to Decree No. 362/2018 Coll., which reflects the wording of the Cyber Security Act from before 1 August 2021 in relation to the areas for which security measures are taken.
It could be said that Slovakia is facing a relatively extensive body of cybersecurity legislation, particularly from the EU. Entities that do not fall under today’s Cybersecurity Act, but are envisaged under the new NIS 2 Directive, should take note. As the proposal currently stands, the sectors concerned are mainly energy (hydrogen), waste management, manufacturing (e.g. motor vehicles), the food industry and space. Furthermore, it is necessary to prepare for the fact that, although the intended certification of products, processes or services in the field of cybersecurity should not be mandatory, it is not excluded that certification will be a condition of participation in certain types of public procurement (the Cybersecurity Act explicitly allows for this).
So there is a lot of work to be done, not only in relation to existing but also to future cybersecurity requirements. Cybersecurity needs to be reckoned with, addressed intensively and seen as a coherent system of rules, processes and measures to protect what organisations value most: their assets, without which neither they nor society or the state can function. And the rest of us will continue to patiently explain, help and seek out more enthusiasts for this interesting and important topic.