European Directives and reglements for Information security

Transcription

1 Е а а И ац а *** European Directives and reglements for Information security Krassi BOGDANOVA LISO for the Secretariat-General, the Cabinets of Commissioners and the European Political Strategy Centre, European Commission 17/09/2015

2 Regulations, Directives and other acts Legally binding acts "Directive": is a legislative act that sets out a goal that all EU countries must achieve. "Regulation": A "regulation" it must be applied in its entirety across the EU. "Decisions": In Community law, a decision is binding in its entirety on all those to whom it is addressed. Non-binding acts "Strategy": The purpose of strategy, is to help the decision-maker define a course of action when, per definition, unpredictable events could occur. "Recommendation": Recommendation as a legal instrument encourages those to whom it is addressed to act in a particular way without being binding on them. "Opinions": Opinions shall have no binding force.

3 The history of European acts for Information security First step Next 1 st EU strategy mentioning the majors threats was published in Later in 2006 a strategy for a secure information society (COM(2006)251) was adopted in order to coordinate efforts for building up trust and confidence in electronic communications and services. On 30 March 2009, the Commission adopted a Communication (COM(2009) 149) on Critical Information Infrastructure protection (CIIP). Additionally, the Commission launched an action plan with five pillars of actions. A Council Resolution on "A collaborative European approach to network and information security" adopted on 18 December The European Commission's Digital Agenda for Europe (COM(2010) 245) forms one of the seven pillars of the initiative Europe 2020 Strategy. Internal Security Strategy in action (COM(2010)673).

4 After THE DIGITAL AGENDA The Digital Single Market A Digital Single Market is one in which the free movement of goods, persons, services and capital is ensured and where individuals and businesses can seamlessly access and exercise online activities under conditions of fair competition, and a high level of consumer and personal data protection, irrespective of their nationality or place of residence. Achieving a Digital Single Market will ensure that Europe maintains its position as a world leader in the digital economy, helping European companies to grow globally.

5 CORRELATION BETWEEN DIGITAL SINGLE MARKET & INFORMATION SECURITY

6 Pillar II and the question of cybersecurity Legislative proposals to reform the current telecoms rules 2016 Review the Audiovisual Media Services Directive 2016 Comprehensive analysis of the role of platforms in the market including illegal content on the Internet 2015 Review the e-privacy Directive 2016 Establishment of a Cybersecurity contractual Public-Private Partnership 2016

7 Directive 95/46 what is new The Cybersecurity can only be sound and effective if it is based on fundamental rights and freedoms as enshrined in the Charter of Fundamental Rights of the European Union and EU core values. Any information sharing for the purposes of cyber security, when personal data is at stake, should be compliant with EU data protection law and take full account of the individuals' rights in this field. The new legislation will require much stronger protection of personal data and procedures and tools for managing information loss and reporting. The new legislation, taking effect in summer 2016 is EU law. The same law applies in all EU member states and there will be few exceptions.

8 Directive on network and information security (NIS) An EU cyber security strategy was presented by the Commission and in The cybersecurity strategy "An Open, Safe and Secure Cyberspace" represents the EU's comprehensive vision on how best to prevent and respond to cyber disruptions and attacks. Specific actions are aimed at enhancing cyber resilience of information systems, reducing cybercrime and strengthening EU international cyber-security policy and cyber defence. The proposed legislation will oblige companies to be audited for preparedness and to notify national authorities of cyber incidents with a significant impact.

9 Directive on network and information security (NIS) The strategy articulates the EU's vision of cyber-security in terms of five priorities: Achieving cyber resilience Drastically reducing cybercrime Developing cyber defence policy and capabilities related to the Common Security and Defence Policy (CSDP) Developing the industrial and technological resources for cyber-security Establishing a coherent international cyberspace policy for the European Union and promoting core EU values

10 Coordination between NIS competent authorities/certs, law enforcement and defence

11 Possible difficulties The network and information security directive (NIS) is progressing slowly, despite several attempts to nudge it closer to completion. Currently the situation ins blocked in the Council s court, with three working group meetings this month, including one on Wednesday 16 th of September. The next informal, three-way discussions with the Commission will be called before November. Member states see digital security as a national issue Cybersecurity legislation is still being held up by member state reluctance to report attacks on their digital networks: There is a fear that the legislation won't have the effect in the end. On the other hand, the member states fear they will sacrifice some of their interests in case of mandatory and too detailed reporting.

12 Thank you for your attention!