Directive on Security of Network and Information Systems

Similar documents
NIS-Directive and Smart Grids

Directive on security of network and information systems (NIS): State of Play

Network and Information Security Directive

The NIS Directive and Cybersecurity in

ENISA s Position on the NIS Directive

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Cybersecurity Policy in the EU: Security Directive - Security for the data in the cloud

The Network and Information Security Directive - ENISA's contribution

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

Regulating Cyber: the UK s plans for the NIS Directive

CONCLUSIONS OF THE WESTERN BALKANS DIGITAL SUMMIT APRIL, SKOPJE

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

Exploring the European Commission s Network and Information Security Directive (NIS) What every CISO should know

COMMISSION RECOMMENDATION. of on Coordinated Response to Large Scale Cybersecurity Incidents and Crises

Creating NIS Compliant Country in a Non-Regulated Environment. Jurica Čular

European Union Agency for Network and Information Security

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

Cybersecurity Strategy of the Republic of Cyprus

Discussion on MS contribution to the WP2018

Working with the EU Directive High common level of network and information security. Martin Apel, SANS ICS Summit, Munich und

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

Cyber Security in Europe

Infrastructures and Service Dimitra Liveri Network and Information Security Expert, ENISA

The Role of ENISA in the Implementation of the NIS Directive Anna Sarri Officer in NIS CIP Workshop Vienna 19 th September 2017

COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document

ENISA EU Threat Landscape

The European Policy on Critical Information Infrastructure Protection (CIIP) Andrea SERVIDA European Commission DG INFSO.A3

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

Securing Europe's Information Society

Security and resilience in the Information Society: the role of CERTs/CSIRTs in the context of the EU CIIP policy

Call for Expressions of Interest

Bradford J. Willke. 19 September 2007

COMMENTARY. The New EU Cybersecurity Directive: What Impact on Digital Service Providers? Relevant Terms

EU policy on Network and Information Security & Critical Information Infrastructures Protection

The EU Cybersecurity Package: Implications for ENISA Dr. Steve Purser Head of ENISA Core Operations Athens, 30 th January 2018

Package of initiatives on Cybersecurity

Valérie Andrianavaly European Commission DG INFSO-A3

Council of the European Union Brussels, 14 September 2017 (OR. en)

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

Critical Information Infrastructure Protection. Role of CIRTs and Cooperation at National Level

Information sharing in the EU policy on NIS & CIIP. Andrea Servida European Commission DG INFSO-A3

ENISA Cooperation in the EU / NIS Directive

Member of the County or municipal emergency management organization

Security and resilience in Information Society: the European approach

EISAS Enhanced Roadmap 2012

NIS Directive development The Incident Notification Framework

EU Code of Conduct on Data Centre Energy Efficiency

The Digitalisation of Finance

Cybersecurity & Digital Privacy in the Energy sector

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

National Policy and Guiding Principles

Critical Infrastructure Protection in the European Union

A Strategy for a secure Information Society Dialogue, Partnership and empowerment

13967/16 MK/mj 1 DG D 2B

ehealth Network ehealth Network Governance model for the ehealth Digital Service Infrastructure during the CEF funding

ENFORCEMENT POWERS. The EU Perspective. Olivier Proust. Associate Hunton & Williams LLP

Resilience, Deterrence and Defence: Building strong cybersecurity for the EU

Promoting Global Cybersecurity

Cyber Security Beyond 2020

Cybersecurity Package

Cyber Security in Europe and CEER s new PEER initiative

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

METHODOLOGY AND CRITERIA FOR THE CYBERSECURITY REPORTS

STRATEGIC PLAN. USF Emergency Management

NIS Directive : Call for Proposals

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

NIS Standardisation ENISA view

ENISA & Cybersecurity. Dr. Udo Helmbrecht Executive Director, European Network & Information Security Agency (ENISA) 25 October 2010

VdTÜV Statement on the Communication from the EU Commission A Digital Single Market Strategy for Europe

Committee on Civil Liberties, Justice and Home Affairs

ECB-PUBLIC OPINION OF THE EUROPEAN CENTRAL BANK. of 18 May 2018

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure (Provisional Translation)

European Code of Conduct on Data Centre Energy Efficiency

Toward Horizon 2020: INSPIRE, PSI and other EU policies on data sharing and standardization

Enhancing the security of CIIPs in Europe - ENISA s Approach Dimitra Liveri Network and Information Security Expert

NYDFS Cybersecurity Regulations

The SPARKS Project Motivation, Objectives and Results

National Cyber Security Strategy - Qatar. Michael Lewis, Deputy Director

16474/08 JJ/ap 1 DGH4

ENISA S WORK ON ICS AND SMART GRID SECURITY

SAINT PETERSBURG DECLARATION Building Confidence and Security in the Use of ICT to Promote Economic Growth and Prosperity

Commonwealth Cyber Declaration

ENISA activities in ICT security certification Dr. Prokopios Drogkaris NIS Expert NLO Meeting Athens

Current developments in Germany and Europe

Cyber security: a building block of the Digital Single Market

CEF Telecom Calls: CEF-TC : Cyber Security TZAFALIAS ARISTOTELIS POLICY OFFICER DG CONNECT

Cybersecurity governance in Europe. Sokratis K. Katsikas Systems Security Laboratory Dept. of Digital Systems University of Piraeus

ASEAN COOPERATION ON DISASTER MANAGEMENT. Disaster Management & Humanitarian Assistance Division, ASEAN Secretariat

EUROPEAN COMMISSION JOINT RESEARCH CENTRE. Information Note. JRC activities in the field of. Cybersecurity

V{ xy Éy à{x Vtu Çxà Éy ` Ç áàxüá

Plan of action for Implementation of the Sendai Framework for Disaster Risk Reduction in Central Asia and South Caucasus Region

Harmonisation of Digital Markets in the EaP. Vassilis Kopanas European Commission, DG CONNECT

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Committee on the Internal Market and Consumer Protection

Australian Government Cyber-security Activities in the Pacific

UPU UNIVERSAL POSTAL UNION. CA C 4 SDPG AHG DRM Doc 3. Original: English COUNCIL OF ADMINISTRATION. Committee 4 Development Cooperation

Transcription:

European Commission - Fact Sheet Directive on Security of Network and Information Systems Brussels, 6 July 2016 Questions and Answers The European Parliament's plenary adopted today the Directive on Security of Network and Information Systems (see welcoming statement by European Commission Vice-President Andrus Ansip, responsible for the Digital Single Market, and Commissioner Günther H. Oettinger, in charge of the Digital Economy and Society). The Directive on Security of Network and Information Systems ('NIS Directive') represents the first EUwide rules on cybersecurity. The objective of the Directive is to achieve a high common level of security of network and information systems within the EU, by means of: 1. Improved cybersecurity capabilities at national level 2. Inreased EU-level cooperation 3. Risk management and incident reporting obligations for operators of essential services and digital service providers 1. Improved cybersecurity capabilities at national level What will Member States do to increase their national cybersecurity capabilities? Each Member State will adopt a national strategy on the security of network and information systems defining the strategic objectives and appropriate policy and regulatory measures. The strategy should include: - Strategic objectives, priorities and governance framework - Identification of measures on preparedness, response and recovery - Cooperation methods between the public and private sectors - Awareness raising, training and education - Research & development plans related to NIS Strategy - Risk assessment plan - List of actors involved in the strategy implementation Member States will designate one or more national competent authorities for the NIS Directive, to monitor the application of the Directive at national level. Member States will also designate a single point of contact, which will exercise a liaison function to ensure cross border cooperation with the relevant authorities in other Member States and with the cooperation mechanisms created by the Directive itself. Member States will designate one or more Computer Security Incident Response Teams (CSIRTs). CSIRTs will be responsible for, at least: - monitoring incidents at a national level - providing early warning, alerts, announcements and dissemination of information to relevant stakeholders about risks and incidents - responding to incidents - providing dynamic risk and incident analysis and situational awareness - participating in the network of the national CSIRTs (CSIRTs network) 2. Increased EU-level cooperation How will Member States cooperate? The NIS Directive establishes a Cooperation Group, to support and facilitate strategic cooperation and the exchange of information among Member States and to develop trust and confidence.

It also establishes a network of the national CSIRTs, in order to contribute to the development of confidence and trust between the Member States and to promote swift and effective operational cooperation. What will the Cooperation Group do? The Cooperation Group will be composed of representatives of Member States, the Commission and ENISA (the European Union Agency for Network and Information Security), with the European Commission acting as secretariat. The procedural arrangements necessary for the functioning of the Cooperation Group will be adopted by the Commission through implementing acts. The Cooperation Group will work on the basis of biennial Work Programmes, in four different areas: Planning: - Establish a Work Programme 18 months after entry into force (i.e. February 2018) - Prepare a Work Programme every two years thereafter Steering: - Provide guidance for CSIRTs Network - Assist Member States in NIS capacity building - Support Member States in the identification of operators of essential services - Discuss incident notification practices - Discuss standards - Engage with relevant EU institutions and bodies - Evaluate national NIS strategies and CSIRTs (on voluntary basis) Sharing information and best practices on: - Risks - Incidents - Awareness-raising - Training - R&D Reporting: - Every 1.5 years provide a report assessing the experience gained with cooperation. The report will be sent to the Commission as a contribution to the review of the functioning of the Directive. What will the CSIRTs Network do? The CSIRTs Network will be composed of representatives of the Member States CSIRTs and CERT i EU (the Computer Emergency Response Team for the EU institutions, agencies and bodies). The Commission will participate in the CSIRTs network as an observer. ENISA will provide the secretariat and actively support the cooperation among the CSIRTs. The CSIRTs Network will have the following tasks: - exchanging information on CSIRTs services, operations and cooperation capabilities - exchanging and discussing information related to incidents (on request and voluntary) - identifying a coordinated response to an incident (on request and voluntary) - support cross-border incident handling (voluntary) - exploring further forms of operational cooperation - informing the Cooperation Group of its activities and requesting guidance - discussing lessons learnt from NIS exercises - discussing issues relating to an individual CSIRT (on request) - issuing guidelines on operational cooperation Two years after entry into force of the NIS Directive, and every 18 months thereafter, the CSIRTs Network will produce a report assessing the experience gained with operational cooperation, including conclusions and recommendations. The report will be sent to the Commission as a contribution to the review of the functioning of the Directive.

3. Risk management and incident reporting obligations for operators of essential services and digital service providers What are operators of essential services, and what will they be required to do? Operators of essential services are private businesses or public entities with an important role for the society and economy. Under the NIS Directive, identified operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority. The security measures include: - Preventing risks: Technical and organisational measures that are appropriate and proportionate to the risk. - Ensuring security of network and information systems: The measures should ensure a level of security of network and information systems appropriate to the risks. - Handling incidents: The measures should prevent and minimize the impact of incidents on the IT systems used to provide the services. How will Member States identify operators of essential services? Each Member State will identify the entities who have to take appropriate security measures and to notify significant incidents by applying these criteria: (1) The entity provides a service which is essential for the maintance of critical societal/economic activities; (2) The provision of that service depends on network and information systems; and (3) A security incident would have significant disruptive effects on the provision of the essential service. Which sectors does the Directive cover? The Directive will cover such operators in the following sectors: - Energy: electricity, oil and gas - Transport: air, rail, water and road - Banking: credit institutions - Financial market infrastructures: trading venues, central counterparties - Health: healthcare settings - Water: drinking water supply and distribution - Digital infrastructure: internet exchange points, domain name system service providers, top level domain name registries What kind of incidents will be notifiable by the operators of essential services? The Directive does not define threshold of what is an significant incident requiring notification to thethe relevant national authority. It defines 3 paramaters which should be taken into consideraton: - Number of users affected - Duration of incident - Geographic spread These parameters may be further clariefied by means of guidelines adopted by the national competent authorities acting together within the Cooperation Group. What are digital service providers (DSPs), and what will they be required to do? Important digital businesses, referred to in the Directive as "digital service providers" (DSPs), will also be required to take appropriate security measures and to notify substantial incidents to the competent authority. Security measures cover the following: - Preventing risks: Technical and organisational measures that are appropriate and proportionate to the risk. - Ensuring security of network and information systems: The measures should ensure a level of security of network and information systems appropriate to the risks. - Handling incidents: The measures should prevent and minimize the impact of incidents on the IT

systems used to provide the services. The security measures taken by DSPs should also take into account some specific factors, to be further specified in a Commission implementing act: - security of systems and facilities - incident handling - business continuity management - monitoring, auditing and testing - compliance with international standards What kind of incidents will be notifiable by the DSPs? The Directive does not define thresholds of what is a substantial incident requiring notification to thethe relevant national authority. It defines 5 paramaters which should be taken into consideration: - Number of users affected - Duration of incident - Geographic spread - The extent of the disruption of the service - The impact on economic and sociatal activities These parameters will be further specified by the Commission by means of implementing acts. Which Digital Service Providers does the Directive cover? The Directives covers: - Online marketplaces (which allow businesses to set up shops on the marketplace in order to make their products and services available online) - Cloud computing services - Search engines All entities meeting the definitions will be automatically subject to the security and notification requirements under the NIS Directive. Micro and small enterprises (as defined in Commission Recommendation 2003/361/EC) do not fall under the scope of the Directive. How will a light-touch and harmonised approach for DSPs be achieved? The Commission will adopt implementing acts with regard to security requirements and notifications obligations of DSPs within one year from the adoption of the Directive. Member States will not be able to impose additional more stringent security and notification requirements on DSPs. In addition, the competent authorities will be able to exercise supervisory activities only when provided with evidence that a DSP is not complying with its obligations under the Directive What is the timeline for implementation of the Directive? Date entry into force + Milestone August 2016 - Entry into force February 2017 6 months Cooperation Group begins tasks August 2017 12 months Adoption of implementing on security and notification requirements for DSPs February 2018 18 months Cooperation Group establishes work programme May 2018 21 months Transposition into national law November 2018 27 months Member States to identify operators of essential services May 2019 May 2021 33 months (i.e. 1 year after transposition) 57 months (i.e. 3 years after transposition) Commission report assessing the consistency of Member States' identification of operators of essential services Commission review of the functioning of the Directive, with a particular focus on strategic and operational cooperation, as well as the scope in relation to operators of essential services and digital service providers

MEMO/16/2422

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback