Cybersecurity Policy in the EU: Security Directive - Security for the data in the cloud

Similar documents
Directive on security of network and information systems (NIS): State of Play

Directive on Security of Network and Information Systems

ENISA s Position on the NIS Directive

NIS-Directive and Smart Grids

Network and Information Security Directive

Exploring the European Commission s Network and Information Security Directive (NIS) What every CISO should know

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

The NIS Directive and Cybersecurity in

Regulating Cyber: the UK s plans for the NIS Directive

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

13967/16 MK/mj 1 DG D 2B

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

COMMISSION RECOMMENDATION. of on Coordinated Response to Large Scale Cybersecurity Incidents and Crises

CONCLUSIONS OF THE WESTERN BALKANS DIGITAL SUMMIT APRIL, SKOPJE

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document

The Network and Information Security Directive - ENISA's contribution

European Union Agency for Network and Information Security

Creating NIS Compliant Country in a Non-Regulated Environment. Jurica Čular

NIS Standardisation ENISA view

The European Policy on Critical Information Infrastructure Protection (CIIP) Andrea SERVIDA European Commission DG INFSO.A3

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

EU policy on Network and Information Security & Critical Information Infrastructures Protection

Information sharing in the EU policy on NIS & CIIP. Andrea Servida European Commission DG INFSO-A3

Cybersecurity. Quality. security LED-Modul. basis. Comments by the electrical industry on the EU Cybersecurity Act. manufacturer s declaration

ENISA EU Threat Landscape

Cybersecurity Strategy of the Republic of Cyprus

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Cyber Security in Europe

Data Processing Clauses

NIS Directive development The Incident Notification Framework

EISAS Enhanced Roadmap 2012

Discussion on MS contribution to the WP2018

DECISION OF THE EUROPEAN CENTRAL BANK

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

ARTICLE 29 DATA PROTECTION WORKING PARTY

Legal and Regulatory Developments for Privacy and Security

VdTÜV Statement on the Communication from the EU Commission A Digital Single Market Strategy for Europe

Economic and Social Council

Securing Europe's Information Society

ENISA today and in the future

National Policy and Guiding Principles

Internet copy. EasyGo security policy. Annex 1.3 to Joint Venture Agreement Toll Service Provider Agreement

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

EU Code of Conduct on Data Centre Energy Efficiency

JOINT MOTION FOR A RESOLUTION

ENISA Cooperation in the EU / NIS Directive

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

MOTION FOR A RESOLUTION

European Directives and reglements for Information security

EU Security research in support to Critical Infrastructure Protection

Working with the EU Directive High common level of network and information security. Martin Apel, SANS ICS Summit, Munich und

Cyber Security in Europe and CEER s new PEER initiative

U.S. Japan Internet Economy Industry Forum Joint Statement October 2013 Keidanren The American Chamber of Commerce in Japan

COMMENTARY. The New EU Cybersecurity Directive: What Impact on Digital Service Providers? Relevant Terms

Committee on Civil Liberties, Justice and Home Affairs

ICB Industry Consultation Body

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

ECB-PUBLIC OPINION OF THE EUROPEAN CENTRAL BANK. of 18 May 2018

The Role of ENISA in the Implementation of the NIS Directive Anna Sarri Officer in NIS CIP Workshop Vienna 19 th September 2017

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

THE CYBER SECURITY ENVIRONMENT IN LITHUANIA

RESOLUTION 45 (Rev. Hyderabad, 2010)

Committee on the Internal Market and Consumer Protection

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

Cybersecurity governance in Europe. Sokratis K. Katsikas Systems Security Laboratory Dept. of Digital Systems University of Piraeus

METHODOLOGY AND CRITERIA FOR THE CYBERSECURITY REPORTS

Resilience, Deterrence and Defence: Building strong cybersecurity for the EU

DATA PROCESSING TERMS

Call for Expressions of Interest

Security and resilience in Information Society: the European approach

Infrastructures and Service Dimitra Liveri Network and Information Security Expert, ENISA

STANDARDS TO HELP COMPLY WITH EU LEGISLATION. EUROPE HAS WHAT IT TAKES INCLUDING THE WILL?

Harmonisation of Digital Markets in the EaP. Vassilis Kopanas European Commission, DG CONNECT

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

Data Breach Notification: what EU law means for your information security strategy

Legislative Framework

Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)

Package of initiatives on Cybersecurity

13543/17 PhL/at 1 DG G 3 B

Critical Information Infrastructure Protection. Role of CIRTs and Cooperation at National Level

ehealth Ministerial Conference 2013 Dublin May 2013 Irish Presidency Declaration

Market Surveillance Action Plan

The Digitalisation of Finance

European Code of Conduct on Data Centre Energy Efficiency

Promoting Global Cybersecurity

Version 1/2018. GDPR Processor Security Controls

Cybersecurity Considerations for GDPR

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

EUROPEAN COMMISSION DIRECTORATE-GENERAL INFORMATION SOCIETY AND MEDIA

Protecting Critical Information Infrastructure in times of increasing cyber conflict

COUNCIL OF THE EUROPEAN UNION. Brussels, 28 January 2003 (OR. en) 15723/02 TELECOM 78 JAI 307 PESC 593

Updates to the NIST Cybersecurity Framework

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

ERCI cybersecurity seminar Guildford ERCI cybersecurity seminar Guildford

Securing Europe s IoT Devices and Services

COMMISSION IMPLEMENTING DECISION (EU)

National Communications Authority

The emerging EU certification framework: A role for ENISA Dr. Andreas Mitrakas Head of Unit EU Certification Framework Conference Brussels 01/03/18

Transcription:

Cybersecurity Policy in the EU: The Network and Information Security Directive - Security for the data in the cloud

Microsoft Commitment to Cybersecurity Security at the heart of our products and services Massive global telemetry Secure development practices Industry leadership

Developing Cybersecurity Policy Framework Core principles driving our approach Physical Network Host security Application Identity Client Data Cyber risk management principles for evaluating proposed frameworks Risk-based Outcome-focused Prioritized Practicable Privacy-respecting Globally relevant

Timeline of adoption Estimated in October 2014 NIS Directive Published February 2013 Parliament Position Adopted March 2014 Second Trialogue Council Negotiations COREPER Mandate 30 October 2014 7 November 2014 11 November 2014 Parliament Position Adopted Final Agreement Accepted for Q1 2015 Telecom Council 27 November 2014 24 Months for Implementation Member States are at different levels and expected to adopt the Directive at different speeds

Network and Information Security Directive Significant improvements put forward by the Parliament Microsoft believes regulation plays a critical role in the realm of cybersecurity & welcomes the Commission initiative. Open discussion with industry Focus on risk management Focus on critical infrastructure (reduction of scope) Introduction of single point of contact Removal of Delegated Acts Focus on risk management & prioritization central to the success of the Directive. Questions remained: Are public administrations included? How will Member States cooperate? How to preserve voluntary exchange of information? How to best make use of international standards? How to ensure maximum harmonization across the EU, globally and with other legislative proposals?

Key Issues Still Under Negotiation Based on our understanding of the Council discussions in October 2014 Operator Incident Reporting Cooperation Standardization A public or private entity referred to in Annex II, which provides an essential service in the fields of digital Internet infrastructure and service platforms, energy, transport, banking, stock exchanges, health, and water supply. Fulfils the criteria of: depends heavily on NIS; an incident to the NIS of the service having serious disruptive effects on the provision of that essential service or on public safety; service platforms shall also fulfil the criterion that a large number of market participants rely on the entity for their trading/ economic activities; each MS shall identify their own. Member States shall provide for a reporting scheme pursuant to which operators shall notify without undue delay to the competent authority incidents having a significant impact on the continuity of the essential services they provide. Focus of the discussion definitions: significant, undue delay, essential. Split between those wanting stronger operational cooperation and those pushing for informal cooperation (rely on existing CERT-CERT exchanges) To promote convergent implementation of Article 14(1) and 14(1a) Member States shall, without prejudice to technological neutrality, encourage the use of European or internationally accepted standards and/or specifications relevant to networks and information security.

Core Requirements for Technology Providers Based on our understanding of the Council discussions in October 2014 Incident Reporting Public Warning Security Baseline Audits Sanctions Only significant incidents reportable. Definition includes: number of users affected by the disruption of the essential service; Duration of the incident; geographical spread with regard to the area affected by the incident. After consultation between the competent authority and the operator concerned, the single point of contact may inform the public, or require the operators to do so, about individual incidents, where public awareness is necessary to prevent an incident or deal with an ongoing incident. Operator required to take appropriate and proportionate, sectorspecific technical and organisational measures to manage the risks posed to networks and information security of systems which they control and use in their operations. NCAs have necessary means to assess operators compliance Operators to provide information needed to assess security of their NIS, including security policies ; Operators to undergo a security audit carried out by a qualified independent body or national authority and make the results thereof available to the competent authority. Member States to determine sanctions that are effective, proportionate and dissuasive

Potential Challenges with Current Direction Making the perfect be the enemy of the good Broad regulatory scope + minimum harmonization = uneven cybersecurity patchwork for Europe Broad regulatory scope + limited security resources = less security. Broad regulatory scope + incident reporting = data protection concerns

What does it mean for European cybersecurity Harmonization will be critical Opportunity Lost: Lowest Common Denominator Rising Baselines: stronger risk management, analysis, readiness, response, and cross-border collaboration Common Operational Understanding: Building on baselines to include sharing of strategic assessments and enhanced publicprivate cooperation. Optimum scenario: EU cybersecurity shield

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback