Exploring the European Commission's Network and Information Security Directive (NIS): What every CISO should know
Aristotelis Tzafalias, Programme Officer, Trust and Security, DG Communications Networks, Content and Technology
Proposal for a Directive on NIS: agenda
A general overview
What should every CISO know? Articles 14, 15 and 16
State of play
What should every CISO really know?
What happens next?
What can I do in the meantime?
What else is going on?
What do I gain from the NIS Directive?
Proposal for a Directive on NIS: key elements (1/3)
Capabilities: common NIS requirements at national level
NIS strategy and cooperation plan
NIS competent authority
Computer Emergency Response Team (CERT)
Proposal for a Directive on Network and Information Security (NIS), Article 114 TFEU: key elements (2/3)
Cooperation: NIS competent authorities to cooperate within a network at EU level
Early warnings and coordinated response
Capacity building
NIS exercises at EU level
ENISA to assist
Proposal for a Directive on Network and Information Security (NIS), Article 114 TFEU: key elements (3/3)
Risk management and incident reporting for:
Energy: electricity, gas and oil
Credit institutions and stock exchanges
Transport: air, maritime, rail
Healthcare
Internet enablers
Public administrations
Proposal for a Directive on Network and Information Security (NIS), Article 114 TFEU: what should every CISO know?
Article 14: Security requirements and incident notification
Article 15: Implementation and enforcement
Article 16: Standardisation
Article 14: Security requirements and incident notification
Paragraph 1: Member States shall ensure that public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems.
Article 14: Security requirements and incident notification
Paragraph 3: Member States shall ensure that public administrations and market operators notify to the competent authority incidents having a significant impact on the security of the core services they provide.
Paragraph 4: The requirements under paragraphs 1 and 2 apply to all market operators providing services within the European Union.
Article 14: Security requirements and incident notification
Paragraph 4: The competent authority may inform the public, or require the public administrations and market operators to do so, where it determines that disclosure of the incident is in the public interest. Once a year, the competent authority shall submit a summary report to the cooperation network on the notifications received and the action taken in accordance with this paragraph.
Article 15: Implementation and enforcement
Paragraph 1: Member States shall ensure that the competent authorities have all the powers necessary to investigate cases of non-compliance of public administrations or market operators with their obligations under Article 14(1) and the effects thereof on the security of networks and information systems.
Article 15: Implementation and enforcement
Paragraph 2: Member States shall ensure that the competent authorities have the power to require market operators and public administrations to:
(a) provide information needed to assess the security of their networks and information systems, including documented security policies;
(b) undergo a security audit carried out by a qualified independent body or national authority and make the results thereof available to the competent authority.
Article 15: Implementation and enforcement
Paragraph 3: Member States shall ensure that competent authorities have the power to issue binding instructions to market operators and public administrations.
Paragraph 4: The competent authorities shall notify incidents of a suspected serious criminal nature to law enforcement authorities.
Paragraph 5: The competent authorities shall work in close cooperation with personal data protection authorities when addressing incidents resulting in personal data breaches.
Article 16: Standardisation
Paragraph 1: To ensure convergent implementation of Article 14(1), Member States shall encourage the use of standards and/or specifications relevant to networks and information security.
Paragraph 2: The Commission shall draw up, by means of implementing acts, a list of the standards referred to in paragraph 1. The list shall be published in the Official Journal of the European Union.
Proposal for NIS Directive: state of play, legislative process (1/2)
Council:
European Council, October 2013: NIS essential for completion of the Digital Single Market by 2015
Progress Report adopted at Telecom Council, December 5, 2013; Telecom Council, June 6, 2014
European Parliament:
Lead committee IMCO (ITRE and LIBE associated) voted on the draft legislative resolution in January 2014
Plenary vote took place in March 2014
Proposal for NIS Directive: state of play, legislative process (2/2)
On-going trilogues between Council, EP and Commission on:
(Operational) cooperation between Member States
Scope (internet enablers)
Goal: political agreement by end 2015
Goal: adoption Q1 2016 (under NL presidency)
Proposal for a Directive on Network and Information Security (NIS), Article 114 TFEU: what should every CISO really know?
What happens next?
New standards?
What else is going on?
Proposal for a Directive on Network and Information Security (NIS): what happens next?
Proposal for a Directive on Network and Information Security (NIS): standards
http://xkcd.com/927/
Proposal for a Directive on Network and Information Security (NIS): what else is going on?
DG FISMA: European Financial Stability and Integration Review, April 2015, SWD(2015) 98 final, prepared by the Directorate-General for Financial Stability, Financial Services, and Capital Markets Union (DG FISMA); Chapter 6, Special Focus on Cyber Security Risks in the Financial Sector
ENISA: Network and Information Security in the Finance Sector, December 2014; regulatory landscape and industry priorities
Other: Responsible Disclosure, "cyber" stress-tests,
Proposal for a Directive on Network and Information Security (NIS): what do I gain?
Business environment: improved national and EU-wide awareness and preparedness for cyber security threats.
Government: improved government/regulatory institutional support.
Supply chain: better cyber security risk management across the supply chain.
Harmonisation.
Questions? CNECT-H4@ec.europa.eu
Draft H2020 SC7 Digital Security 2016-17: https://ec.europa.eu/programmes/horizon2020/en/draft-work-programmes-2016-17