Directive on security of network and information systems (NIS): State of Play
Svetlana Schuster, Unit H1 Cybersecurity and Digital Privacy, DG Communications Networks, Content and Technology, European Commission
4 October 2017
The umbrella strategy
EU Cybersecurity Strategy: An Open, Safe and Secure Cyberspace
Digital Agenda for Europe; Justice and Home Affairs; EU Foreign and Security Policy
1. Cyber resilience
   - NIS Directive (capabilities, cooperation, risk management, incident reporting)
   - Raising awareness
2. Reduce cybercrime
3. Cyber defence policy and capabilities
4. Industrial and technological resources: NIS platform; H2020
5. International cyberspace policy
Principles:
- Fundamental rights apply both in the physical and the digital world
- Cybersecurity depends on and contributes to protecting fundamental rights
- Access for all
- Democratic and efficient multi-stakeholder governance
- Cybersecurity is a shared responsibility
The NIS Directive: from proposal to transposition
- February 2013: EC proposal (COM(2013) 48)
- 7 Dec 2015: Political agreement (sixth informal trialogue)
- 6 July 2016: Final adoption
- Entry into force: 20 days after publication in the OJ
- Transposition into national laws: 21 months after entry into force (9 May 2018)
- Identification of Operators of essential services: additional 6 months (9 Nov 2018)
06 July 2016: First comprehensive EU cybersecurity legislation adopted!
The NIS Directive: objectives
- Increased national cybersecurity capabilities
- EU-level cooperation
- Security and notification requirements
Boosting the overall cybersecurity in Europe
Capabilities
All MS to have in place:
- NIS national strategy
- NIS competent national authority
- Computer Security Incident Response Team (CSIRT)
National NIS strategies
- Strategic objectives, priorities and governance framework
- Identification of measures on preparedness, response and recovery
- Cooperation methods between the public and private sectors
- Awareness raising, training and education
- Research and development plans related to the NIS strategy
- Risk assessment plan
- List of actors involved in the strategy implementation
National competent authorities
- National competent authority: one or multiple
- Cover(s) the sectors referred to in Annex II and III
- Its role may be assigned to an existing authority
Single Point of Contact
- Coordination at national level in case there are different competent authorities
- Liaison function to ensure cross-border cooperation with other Member States and with the Cooperation Group and the CSIRTs network
- Reports annually to the Cooperation Group on the notifications received within the Member State
- Forwarding of notifications to single points of contact of other affected MSs (upon request)
CSIRTs - Computer Security Incident Response Teams
Tasks:
- Monitoring incidents at national level
- Providing early warning, alerts and dissemination of relevant information
- Responding to incidents
- Providing dynamic risk and incident analysis and situational awareness
- Participation in the CSIRTs network, etc.
Compliance with the requirements set out in Annex I (1)
One or more CSIRTs? Within the competent authority or not?
Cooperation
Cooperation Group
- what: strategic cooperation
- who: MSs; EC (secretariat); ENISA
CSIRTs network
- what: operational cooperation
- who: national CSIRTs; CERT-EU; ENISA (secretariat)
Cooperation Group - Tasks
CSIRTs Network - Tasks
- Exchange information on CSIRTs' services, operations and capabilities
- Exchange information on individual incidents (on request and voluntary)
- Discuss lessons learnt from NIS exercises
- Discuss individual CSIRT issues (on request)
- Identify coordinated response to incidents (on request and voluntary)
- Guidelines on operational cooperation
- Support cross-border incident handling (voluntary)
- Inform the Cooperation Group and seek guidance
- Explore further forms of operational cooperation
- Report as input to the EC review every 1.5 years
Security and notification requirements
Categories of operators:
- Operators of essential services (Annex II)
- Digital service providers (Annex III)
Operators of essential services
- Energy: electricity, gas, oil
- Transport: air, rail, water, road
- Banking: credit institutions
- Financial market infrastructure
- Health: health care settings, including hospitals and private clinics
- Water: drinking water supply and distribution
- Digital infrastructure: Internet exchange points, domain name system service providers, top-level domain name registries
Digital Service Providers (DSPs)
- Online marketplaces
- Cloud computing services
- Search engines
Security requirements
MSs shall ensure that operators of essential services and digital service providers adopt security requirements to:
- Prevent risks: technical and organisational measures that are appropriate and proportionate to the risk.
- Ensure NIS: the measures should ensure a level of NIS security appropriate to the risks.
- Handle incidents: the measures should prevent and minimise the impact of incidents on the IT systems used to provide the services.
Notification requirements
MSs shall ensure notifications without undue delay to the competent authority or to the CSIRT.
- Operators of essential services: "incidents having a significant impact on the continuity of the essential services they provide [...]"
- Digital service providers: "any incident having a substantial impact on the provision of a service as referred to in Annex III that they offer within the Union"
Identification of operators of essential services
Identification process in 6 steps
1. Does the entity belong to a sector/subsector and correspond to the type covered by Annex II of the Directive?
   - NO: NIS Directive doesn't apply
   - YES: go to step 2
2. Is a lex specialis applicable?
   - YES: NIS Directive doesn't apply
   - NO: go to step 3
Identification process in 6 steps (continued)
3. Is the operator providing an essential service within the meaning of the Directive? (list of essential services)
   - NO: NIS Directive doesn't apply
   - YES: go to step 4
4. Does the service depend on network and information systems?
   - NO: NIS Directive doesn't apply
   - YES: go to step 5
Identification process in 6 steps (continued)
5. Would a cyber incident have a significant disruptive effect?
   Cross-sectoral factors (specified in the Directive):
   - number of users relying on the service
   - dependency of other essential sectors on the service
   - impact that incidents could have on economic and societal activities or public safety
   - possible geographic spread
   - importance of the entity for maintaining a sufficient level of the service
   Sector-specific factors (not specified in the Directive; examples):
   - Energy: volume or proportion of national power generated
   - Transport: proportion of national traffic volume and number of operations per year
   - Health: number of patients under the provider's care per year
   - NO: NIS Directive doesn't apply
   - YES: go to step 6
Identification process in 6 steps (continued)
6. Is the operator concerned providing essential services in other Member States?
   - YES: mandatory consultation with the MS(s) concerned
   - Outcome: adoption of national measures (e.g. list of operators of essential services, policy and legal measures)
Voluntary notifications
Entities falling outside the scope of the Directive may notify incidents having a significant impact on the continuity of the services they provide on a voluntary basis.
Communication on 'Making the most of NIS: towards the effective implementation of the NIS Directive'
Communication on 'Making the most of NIS: towards the effective implementation of the NIS Directive'
Core elements of the Communication:
- Presents key conclusions of the analysis of the issues covered in the Annex, which are seen as important points of reference and potential inspiration from the point of view of transposition into national law.
- Accompanied by an Annex with practical suggestions, based on:
  - good practices and recommendations issued by ENISA
  - examples from Member States
  - interpretation of the Directive's provisions and of how they would work in practice
Key messages of the Communication
- Put in place comprehensive and ambitious national strategies
- Ensure effective and adequately resourced national CSIRTs
- Ensure effectiveness of implementation and enforcement
- Align the national approaches on Operators of Essential Services
- Extend the scope of the NIS Directive to additional sectors, e.g. public administration
Thank you for your attention!