Directive on security of network and information systems (NIS): State of Play

Svetlana Schuster, Unit H1 Cybersecurity and Digital Privacy, DG Communications Networks, Content and Technology, European Commission
4 October 2017

The umbrella strategy: the EU Cybersecurity Strategy "An Open, Safe and Secure Cyberspace"
Policy areas involved: Digital Agenda for Europe; Justice and Home Affairs; EU Foreign and Security Policy
Five strategic priorities:
1. Cyber resilience
   - NIS Directive (capabilities, cooperation, risk management, incident reporting)
   - Raising awareness
2. Reduce cybercrime
3. Cyber defence policy and capabilities
4. Industrial and technological resources: NIS platform; H2020
5. International cyberspace policy
Guiding principles:
- Fundamental rights apply both in the physical and in the digital world
- Cybersecurity depends on and contributes to protecting fundamental rights
- Access for all
- Democratic and efficient multi-stakeholder governance
- Cybersecurity is a shared responsibility

The NIS Directive: from proposal to transposition
- February 2013: EC proposal COM(2013) 48
- 7 December 2015: political agreement (sixth informal trilogue)
- 6 July 2016: final adoption
- Entry into force: 20 days after publication in the Official Journal
- Transposition into national laws: 21 months after entry into force (9 May 2018)
- Identification of operators of essential services: a further 6 months (9 November 2018)

6 July 2016: the first comprehensive EU cybersecurity legislation is adopted.

The NIS Directive: objectives
- Increased national cybersecurity capabilities
- EU-level cooperation
- Security and notification requirements
Overall aim: boosting cybersecurity across Europe

Capabilities: all Member States must have in place
- a national NIS strategy
- a NIS competent national authority
- a Computer Security Incident Response Team (CSIRT)

National NIS strategies must cover:
- Strategic objectives, priorities and governance framework
- Identification of measures on preparedness, response and recovery
- Cooperation methods between the public and private sectors
- Awareness raising, training and education
- Research and development plans related to NIS
- Risk assessment plan
- List of actors involved in the strategy implementation

National competent authorities
- One or multiple national competent authorities
- Cover(s) the sectors referred to in Annex II and Annex III
- The role may be assigned to an existing authority

Single point of contact
- Coordination at national level where there are several competent authorities
- Liaison function to ensure cross-border cooperation with other Member States, with the Cooperation Group and with the CSIRTs network
- Reports annually to the Cooperation Group on the notifications received within the Member State
- Forwards notifications to the single points of contact of other affected Member States (upon request)

CSIRTs (Computer Security Incident Response Teams)
Tasks:
- Monitoring incidents at national level
- Providing early warning, alerts and dissemination of relevant information
- Responding to incidents
- Providing dynamic risk and incident analysis and situational awareness
- Participation in the CSIRTs network, etc.
Requirements: compliance with the requirements set out in Annex I(1)
Design choices left to Member States: one or more CSIRTs? Within the competent authority or not?

Cooperation
Cooperation Group
- what: strategic cooperation
- who: Member States; European Commission (secretariat); ENISA
CSIRTs network
- what: operational cooperation
- who: national CSIRTs; CERT-EU; ENISA (secretariat)

Cooperation Group - Tasks

CSIRTs Network - Tasks
- Exchange information on CSIRTs' services, operations and capabilities
- Exchange information on individual incidents (on request and voluntary)
- Discuss lessons learnt from NIS exercises
- Discuss individual CSIRT issues (on request)
- Identify coordinated responses to incidents (on request and voluntary)
- Guidelines on operational cooperation
- Support cross-border incident handling (voluntary)
- Inform the Cooperation Group and seek guidance
- Explore further forms of operational cooperation
- Report as input to the EC review every 1.5 years

Security and notification requirements
Categories of operators:
- Operators of essential services (Annex II)
- Digital service providers (Annex III)

Operators of essential services (Annex II sectors)
- Energy: electricity, gas, oil
- Transport: air, rail, water, road
- Banking: credit institutions
- Financial market infrastructure
- Health: healthcare settings, including hospitals and private clinics
- Water: drinking water supply and distribution
- Digital infrastructure: internet exchange points, domain name system service providers, top-level domain name registries

Digital service providers (DSPs, Annex III)
- Online marketplaces
- Cloud computing services
- Online search engines

Security requirements
Member States shall ensure that operators of essential services and digital service providers adopt security measures to:
- Prevent risks: technical and organisational measures that are appropriate and proportionate to the risk.
- Ensure NIS: the measures should ensure a level of network and information security appropriate to the risks.
- Handle incidents: the measures should prevent and minimise the impact of incidents on the IT systems used to provide the services.

Notification requirements
Member States shall ensure notification without undue delay to the competent authority or to the CSIRT of:
- Operators of essential services: "incidents having a significant impact on the continuity of the essential services they provide [...]"
- Digital service providers: "any incident having a substantial impact on the provision of a service as referred to in Annex III that they offer within the Union"

Identification of operators of essential services

Identification process in 6 steps
1. Does the entity belong to a sector/subsector and correspond to a type of entity covered by Annex II of the Directive?
   YES: continue. NO: the NIS Directive does not apply.
2. Is a lex specialis applicable?
   NO: continue. YES: the NIS Directive does not apply.
3. Is the operator providing an essential service within the meaning of the Directive (list of essential services)?
   YES: continue. NO: the NIS Directive does not apply.
4. Does the service depend on network and information systems?
   YES: continue. NO: the NIS Directive does not apply.
5. Would a cyber incident have a significant disruptive effect?
   Cross-sectoral factors (specified in the Directive):
   - number of users relying on the service
   - dependency of other essential sectors on the service
   - impact that incidents could have on economic and societal activities or public safety
   - possible geographic spread
   - importance of the entity for maintaining a sufficient level of the service
   Sector-specific factors (not specified in the Directive; examples):
   - Energy: volume or proportion of national power generated
   - Transport: proportion of national traffic volume and number of operations per year
   - Health: number of patients under the provider's care per year
   YES: continue. NO: the NIS Directive does not apply.
6. Is the operator providing essential services in other Member States?
   YES: mandatory consultation with the Member State(s) concerned.
   In both cases: adoption of national measures (e.g. list of operators of essential services, policy and legal measures).

Voluntary notifications
Entities falling outside the scope of the Directive may notify, on a voluntary basis, incidents having a significant impact on the continuity of the services they provide.

Communication on 'Making the most of NIS: towards the effective implementation of the NIS Directive'
Core elements of the Communication:
- Presents the key conclusions of the analysis of the issues covered in the Annex, which are seen as important points of reference and potential inspiration for the transposition into national law.
- Accompanied by an Annex with practical suggestions, based on:
  - good practices and recommendations issued by ENISA
  - examples from Member States
  - interpretation of the Directive's provisions and of how they would work in practice

Key messages of the Communication
- Put in place comprehensive and ambitious national strategies
- Ensure effective and adequately resourced national CSIRTs
- Ensure effectiveness of implementation and enforcement
- Align the national approaches on operators of essential services
- Extend the scope of the NIS Directive to additional sectors, e.g. public administration

Thank you for your attention!