Exploring the European Commission's Network and Information Security Directive (NIS): What every CISO should know


Aristotelis Tzafalias, Programme Officer, Trust and Security, DG Communications Networks, Content and Technology

Proposal for a Directive on NIS: A general overview
What should every CISO know? Articles 14, 15 and 16
State of play
What should every CISO really know?
What happens next?
What can I do in the meantime?
What else is going on?
What do I gain from the NIS Directive?

Proposal for a Directive on NIS: Key elements (1/3)
Capabilities: Common NIS requirements at national level
NIS strategy and cooperation plan
NIS competent authority
Computer Emergency Response Team (CERT)

Proposal for a Directive on Network and Information Security (NIS), Article 114 TFEU: Key elements (2/3)
Cooperation: NIS competent authorities to cooperate within a network at EU level
Early warnings and coordinated response
Capacity building
NIS exercises at EU level
ENISA to assist

Proposal for a Directive on Network and Information Security (NIS), Article 114 TFEU: Key elements (3/3)
Risk management and incident reporting for:
Energy: electricity, gas and oil
Credit institutions and stock exchanges
Transport: air, maritime, rail
Healthcare
Internet enablers
Public administrations

Proposal for a Directive on Network and Information Security (NIS), Article 114 TFEU: What should every CISO know?
Article 14: Security requirements and incident notification
Article 15: Implementation and enforcement
Article 16: Standardisation

Article 14: Security requirements and incident notification
Paragraph 1: Member States shall ensure that public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems.

Article 14: Security requirements and incident notification
Paragraph 3: Member States shall ensure that public administrations and market operators notify to the competent authority incidents having a significant impact on the security of the core services they provide.
Paragraph 4: The requirements under paragraphs 1 and 2 apply to all market operators providing services within the European Union.

Article 14: Security requirements and incident notification
Paragraph 4: The competent authority may inform the public, or require the public administrations and market operators to do so, where it determines that disclosure of the incident is in the public interest. Once a year, the competent authority shall submit a summary report to the cooperation network on the notifications received and the action taken in accordance with this paragraph.

Article 15: Implementation and enforcement
Paragraph 1: Member States shall ensure that the competent authorities have all the powers necessary to investigate cases of non-compliance of public administrations or market operators with their obligations under Article 14(1) and the effects thereof on the security of networks and information systems.

Article 15: Implementation and enforcement
Paragraph 2: Member States shall ensure that the competent authorities have the power to require market operators and public administrations to:
a) provide information needed to assess the security of their networks and information systems, including documented security policies;
b) undergo a security audit carried out by a qualified independent body or national authority and make the results thereof available to the competent authority.

Article 15: Implementation and enforcement
Paragraph 3: Member States shall ensure that competent authorities have the power to issue binding instructions to market operators and public administrations.
Paragraph 4: The competent authorities shall notify incidents of a suspected serious criminal nature to law enforcement authorities.
Paragraph 5: The competent authorities shall work in close cooperation with personal data protection authorities when addressing incidents resulting in personal data breaches.

Article 16: Standardisation
Paragraph 1: To ensure convergent implementation of Article 14(1), Member States shall encourage the use of standards and/or specifications relevant to networks and information security.
Paragraph 2: The Commission shall draw up, by means of implementing acts, a list of the standards referred to in paragraph 1. The list shall be published in the Official Journal of the European Union.

Proposal for NIS Directive: State of play, legislative process (1/2)
Council: European Council, Oct 2013: NIS essential for completion of Digital Single Market by 2015. Progress Report was adopted at Telecom Council, December 5, 2013; Telecom Council, June 6, 2014.
European Parliament: Lead committee IMCO (ITRE and LIBE associated) voted on draft legislative resolution in January 2014. Plenary vote took place in March 2014.

Proposal for NIS Directive: State of play, legislative process (2/2)
On-going trilogues between Council, EP, Commission:
(Operational) cooperation between Member States
Scope (internet enablers)
Goal: political agreement by end 2015
Goal: adoption Q1 2016 (under NL presidency)

Proposal for a Directive on Network and Information Security (NIS), Article 114 TFEU: What should every CISO really know?
What happens next?
New standards?
What else is going on?

Proposal for a Directive on Network and Information Security (NIS): What happens next?

Proposal for a Directive on Network and Information Security (NIS): Standards
http://xkcd.com/927/

Proposal for a Directive on Network and Information Security (NIS): What else is going on?
DG FISMA: European Financial Stability and Integration Review, April 2015, SWD(2015) 98 final, prepared by the Directorate-General for Financial Stability, Financial Services, and Capital Markets Union (DG FISMA). Chapter 6: Special Focus on Cyber Security Risks in the Financial Sector.
ENISA: Network and Information Security in the Finance Sector, December 2014: Regulatory landscape and industry priorities.
Other: Responsible Disclosure, "cyber" stress-tests,

Proposal for a Directive on Network and Information Security (NIS): What do I gain?
Business environment: Improved national and EU-wide awareness and preparedness for cyber security threats.
Government: Improved government/regulatory institutional support.
Supply chain: Better cyber security risk management across the supply chain.
Harmonization

Questions? CNECT-H4@ec.europa.eu
Draft H2020 SC7 Digital Security 2016-17: https://ec.europa.eu/programmes/horizon2020/en/draft-work-programmes-2016-17