Drawing on our experience and engagement with cyber security policymakers around the world, we've released the second edition of our NCC Group Global Cyber Policy Radar.
The report offers a unique insight into key regulatory changes and policy developments organisations need to be aware of for the remainder of 2024, with a spotlight on data privacy.
Group Head of Government Affairs, Kat Sommer, comments:
“In today’s rapidly evolving cyber landscape, staying informed is crucial. Our Cyber Policy Radar delves into the latest developments in cyber regulations, offering insights that are essential for navigating the complexities ahead.”
“Governments are enacting plans to harmonise cyber rules. However, the remaining fragmentation and barriers to implementation mean that regulated organisations will have to continue navigating complex and overlapping regulations for some time to come. Responsibility—and, in some cases, liability—is being firmly placed on senior leaders. It’s therefore critical that organisations’ C-suite have the information they need to make, justify, and defend decisions about their cyber strategy.
Additionally, governments are cracking down on the use of offensive cyber tools. Poorly crafted rules may affect CISOs’ ability to access these tools, impeding their ability to conduct effective security testing. It’s therefore critical that the industry engages in the making of these rules from the outset – as we are doing through the Pall Mall Process.”
Spotlight on Data Privacy
Through a new NCC Group analysis of data privacy fines that have been issued by global regulators, the report also reveals the increasing complexity of the data privacy landscape. Using data collated by privacy, security, and data ethics platform OneTrust, NCC Group found that:
- There have been over 2,700 fines related to data privacy totalling €6.6 billion since 2020.
- Of the penalties levied to date, only 14 fines have been issued in the UK and 72 in the US, while Spain has racked up over 840.
- Ireland has emerged as the de facto European regulator for multinational technology firms, levying 20 fines accounting for over a third of total worldwide penalties (around €2.5 billion).
- The public sector is the biggest area of global enforcement, although this only results in a penalty in one in three cases. When it does, fines are comparatively small (averaging around €117,000).
- Social media, e-commerce, and technology firms are facing significant fines – averaging €59.3 million, €11.5 million, and €7.9 million, respectively.
Kat adds:
“While GDPR has become the de facto standard across many countries, these differences in national and sector enforcement – alongside an evolving political landscape and regulators’ increasing focus on what online safety and the widespread adoption of AI means for data privacy – are creating an increasingly complex compliance landscape.”
You can view or download the full cyber policy report here, which also includes a roadmap for organisations to navigate the complex and ever-evolving cyber security landscape and supports them in making better-aligned and future-proofed security investments.