Annual report 2022 - Report - Page 12
Companies getting better at cybersecurity
First came the GDPR rules in 2016, dramatically increasing the focus on how companies protect personal data. In 2022 came the NIS2 directive, with comprehensive new rules for cybersecurity. But companies are far better equipped today to ensure compliance than they were seven years ago. And customers also expect this from them.
In 2016, one of the most far-reaching sets of rules ever seen in the EU was adopted: the General Data Protection Regulation, or GDPR. We have now had seven years to get familiar with GDPR, leading to much greater digital maturity in Danish companies, according to Maria Pilh Arendsdorf Bengtsen. Maria is an attorney at Horten, where she advises on data protection. The new security requirements in the NIS2 directive are therefore unlikely to be as disruptive as GDPR was.
“The mindset has changed. When the GDPR rules came on the scene in 2016, management had to get busy because there were no clear answers as to what companies needed to do to meet the requirements. There is a different awareness of data protection today. We are more used to incorporating compliance into business processes, and all the hard work companies have done in this area has really made a difference. So even though the NIS2 directive may bring back memories of the implementation of GDPR, most companies will be better prepared and ready to incorporate the new requirements,” says Maria Pilh Arendsdorf Bengtsen.
While the GDPR focused on protecting personal data, the NIS2 Directive – adopted by the European Parliament in 2022 – sets requirements for companies’ cybersecurity.
“The new rules also create opportunities. Digital compliance has become a competition parameter, and is now under the spotlight. Working to identify risks, improve security measures and create operational policies in the area has direct value in itself to companies. It could have a big impact on their business.”
Management responsibility
GDPR and NIS2 are not just central legal frameworks in the area of data. The new rules also demand organisational and business-critical insight, which company management must take responsibility for. Under NIS2, which will enter into force by October 2024, the management of any companies that do not comply with the directive requirements can be liable and subject to sanctions.
“Digital regulation is growing in the EU, and the future will see regular new requirements in areas such as data protection, AI and cybersecurity. Compliance takes time and resources, so it may be tempting to focus elsewhere, but it is essential for management to be at the forefront and aware of their responsibility,” says Maria Pilh Arendsdorf Bengtsen.
But it is not enough for management to be aware of their responsibility, because security breaches occur at the point where individual employees process data.
“It is crucial that data security is anchored in management, but it also places demands on employees. They have to handle the new requirements in practice and raise the alarm if they encounter problems. It is important that management sets clear guidelines matched to the reality in the organisation. You have to understand your flow of data and your organisation,” notes Maria Pilh Arendsdorf Bengtsen.
Data ethics can offer competitive advantages
Cybersecurity is not the only thing that needs to be anchored in management. The same is true for data ethics, which class C and D companies have had to cover in their annual report since 2021. According to attorney Emilie Loiborg, data ethics and data protection go hand in hand. She specialises in digital management and has worked extensively