Cybersecurity Package

Similar documents
Resilience, Deterrence and Defence: Building strong cybersecurity for the EU

Cybersecurity & Digital Privacy in the Energy sector

Package of initiatives on Cybersecurity

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

The EU Cybersecurity Package: Implications for ENISA Dr. Steve Purser Head of ENISA Core Operations Athens, 30 th January 2018

13967/16 MK/mj 1 DG D 2B

COMMISSION RECOMMENDATION. of on Coordinated Response to Large Scale Cybersecurity Incidents and Crises

Directive on security of network and information systems (NIS): State of Play

ENISA s Position on the NIS Directive

The emerging EU certification framework: A role for ENISA Dr. Andreas Mitrakas Head of Unit EU Certification Framework Conference Brussels 01/03/18

ENISA EU Threat Landscape

ENISA activities in ICT security certification Dr. Prokopios Drogkaris NIS Expert NLO Meeting Athens

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

Cyber Security Beyond 2020

EU policy on Network and Information Security & Critical Information Infrastructures Protection

***I DRAFT REPORT. EN United in diversity EN. European Parliament 2017/0225(COD)

This document corrects document COM(2017)477 final of

Horizon 2020 Security

NIS Standardisation ENISA view

Cyber Security in Europe

European Union Agency for Network and Information Security

The European Policy on Critical Information Infrastructure Protection (CIIP) Andrea SERVIDA European Commission DG INFSO.A3

Discussion on MS contribution to the WP2018

Securing Europe's Information Society

ENISA & Cybersecurity. Dr. Udo Helmbrecht Executive Director, European Network & Information Security Agency (ENISA) 25 October 2010

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

Directive on Security of Network and Information Systems

The NIS Directive and Cybersecurity in

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

CONCLUSIONS OF THE WESTERN BALKANS DIGITAL SUMMIT APRIL, SKOPJE

H2020 WP Cybersecurity PPP topics

Security and resilience in Information Society: the European approach

Policies in the Quantum era

Committee on the Internal Market and Consumer Protection. of the Committee on the Internal Market and Consumer Protection

The Digitalisation of Finance

POSITION PAPER. Initial position on the EU cybersecurity package OCTOBER 2017

Committee on the Internal Market and Consumer Protection

Call for Expressions of Interest

Network and Information Security Directive

Information sharing in the EU policy on NIS & CIIP. Andrea Servida European Commission DG INFSO-A3

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

EUROPEAN COMMISSION JOINT RESEARCH CENTRE. Information Note. JRC activities in the field of. Cybersecurity

10025/16 MP/mj 1 DG D 2B

A Strategy for a secure Information Society Dialogue, Partnership and empowerment

Position Paper of the ASD Civil Aviation Cybersecurity Taskforce

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

Commonwealth Cyber Declaration

COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document

Valérie Andrianavaly European Commission DG INFSO-A3

How the European Commission is supporting innovation in mobile health technologies Nordic Mobile Healthcare Technology Congress 2015

Cybersecurity. Quality. security LED-Modul. basis. Comments by the electrical industry on the EU Cybersecurity Act. manufacturer s declaration

***I DRAFT REPORT. EN United in diversity EN. European Parliament 2018/0328(COD)

European Directives and reglements for Information security

ENISA Cooperation in the EU / NIS Directive

Introductory Speech to the Ramboll Event on the future of ENISA. Speech by ENISA s Executive Director, Prof. Dr. Udo Helmbrecht

ERCI cybersecurity seminar Guildford ERCI cybersecurity seminar Guildford

Cybersecurity governance in Europe. Sokratis K. Katsikas Systems Security Laboratory Dept. of Digital Systems University of Piraeus

Achieving Global Cyber Security Through Collaboration

CERT.LV activities, role in Latvia and globally. Baiba Kaskina, CERT.LV , Sofia, Bulgaria

Security and resilience in the Information Society: the role of CERTs/CSIRTs in the context of the EU CIIP policy

Security Aspects of Trust Services Providers

Secure Societies Work Programme Call

14965/17 MK/ec 1 DG D 2B

National Policy and Guiding Principles

eidas Regulation (EU) 910/2014 eidas implementation State of Play

ACCREDITATION: A BRIEFING FOR GOVERNMENTS AND REGULATORS

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Cyber Security Strategy

EISAS Enhanced Roadmap 2012

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles

Between 1981 and 1983, I worked as a research assistant and for the following two years, I ran a Software Development Department.

Joint FIEEC-ZVEI Position on Cybersecurity

Provisional Translation

Cyber Security Strategic Level Landscape in Poland. Krzysztof Silicki NASK Institute, Poland ENISA MB, EB

ICT Legal Consulting on GDPR: the possible value of certification in data protection compliance and accountability

Cyber Security in Europe and CEER s new PEER initiative

14435/17 MK/ec 1 DGD2B

Securing Europe s IoT Devices and Services

Infrastructures and Service Dimitra Liveri Network and Information Security Expert, ENISA

Regulating Cyber: the UK s plans for the NIS Directive

European Cybersecurity in Public Private Partnership

MOTION FOR A RESOLUTION

Mozilla position paper on the legislative proposal for an EU Cybersecurity Act

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

H2020 & THE FRENCH SECURITY RESEARCH

ehealth Network ehealth Network Governance model for the ehealth Digital Service Infrastructure during the CEF funding

Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

United4Health session Regulatory Framework Trends & Updates. Nicole Denjoy COCIR Secretary General Wed. 7 May 2014, Berlin (Germany)

GENERIC CONTROL SYSTEM ARCHITECTURE FOR CRITICAL INFRASTRUCTURE PROTECTION

The Network and Information Security Directive - ENISA's contribution

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

how to manage risks in those rare cases where existing mitigation mechanisms are insufficient or impractical.

10496/18 MC/sl 1 DGD 2

10007/16 MP/mj 1 DG D 2B

Society, the economy and the state depend on information and communications technology (ICT).

Report to the Storting (white paper) No. 38

DG GROW meeting with Member States in preparation of Space Strategy 8 th July Working document#1: Vision and Goals

The European Platform in Network and Information Security (NIS) Fabio Martinelli

Transcription:

Cybersecurity Package Highlights of key initiatives Domenico Ferrara Policy officer @ DG CONNECT Brussels, 12 December 2017 1

2013-2017: Evolving threat landscape Proliferation of (poorly secured) IoT devices Blurring lines between state and non-state actors Hybrid attacks on western democracies Fake news Evolving cybercrime business models Cyber espionage on the rise Dependence on foreign security technologies Persisting critical infrastructure vulnerabilities Attempts to promote new internet governance model Vulnerabilities of third countries

Building strong cybersecurity for the EU: Resilience, Deterrence and Defence From reactive to pro-active and cross-policy approach bringing various work streams together to build EU's strategic cybersecurity autonomy Improving resilience and response by boosting capabilities (technology/skills), ensuring the right structures are in place and EU cybersecurity single market functions well Stepping up work to detect, trace and hold accountable those responsible for cyber attacks Strengthening international cooperation on cybersecurity and developing cyber defence capabilities Involving all key actors - the EU, Member States, industry and individuals to give cybersecurity priority it deserves 3

Building EU Resilience to cyber attacks Creating effective EU cyber deterrence Strengthening international cooperation on cybersecurity Cybersecurity Act Reformed ENISA Identifying malicious actors Promoting global cyber stability and contributing to Europe's strategic autonomy in cyberspace EU cybersecurity Certification Framework Stepping up the law enforcement response Advancing EU cyber dialogues Communication NIS Directive Implementation Stepping up public-private cooperation against cybercrime Modernising export controls, including for critical cybersurveillance technologies Recommendation Rapid emergency response Blueprint & Cybersecurity Emergency Response Fund Stepping up political and diplomatic response Continue rights-based capacity building model Cybersecurity competence network with a European Cybersecurity Research and Competence Centre Building cybersecurity deterrence through the Member States' defence capabilities Deepen EU-NATO cooperation on cybersecurity, hybrid threats and defence Building strong EU cyber skills base, improving cyber hygiene and awareness 4

EU Cybersecurity Act Towards a reformed EU Cybersecurity Agency and reinforcing the cybersecurity single market in the EU 5

ENISA Towards an EU Cybersecurity Agency fit for current and future challenges 6

Why to review ENISA now? ENISA Regulation Regulation (EU) No 526/2013 (art. 32) The Commission has to conduct an evaluation of the agency by June 2018 and to assess the possible need to modify its mandate, which will come to an end in 2020. Cybersecurity landscape New threats, new legislation (NIS Directive), need for increased EU cooperation, coordination and capacity to face cyber challenges 7

What's new with the new proposal? Focused Mandate Adequate Resources Permanent Status EU Cybersecurity Agency 8

Promote the use of certification & contribute to the cybersecurity certification framework Increase cybersecurity capabilities at Union level to complement MSs action Mandate and objectives Contribute to high Cybersecurity Be an independent centre of expertise Assist EU Institutions and MSs in policy development &implementation Support capacity building & preparedness Promote cooperation &coordination at Union level Promote high level of awareness of citizens & businesses 9

Development Policy&Law Implementation Review horizontal cybersecurity policy&law sectoral policy with cyber angle electronic identity and trust services security of electronic communications NIS Directive other Union cyber policy&law electronic identity and trust services security of electronic communications Annual report on the state of implementation of legal framework ENISA Advises & Contributes 10

Capacity building CSIRTs Development, national Strategies, support to Cooperation Group Facilitate Establishment & development Sectoral ISACs Trainings, Knowledge, Expertise Support development & Review of Union strategies 11

Operational cooperation (1/2) CSIRT Network Ongoing cooperation Secretariat Analysis vulnerabilities artefacts incidents Advice to improve capabilities Technical Assistance Regular EU Cybersecurity Technical Situation Report Annual cybersecurity exercise 12

Operational cooperation (2/2) Significant Incidents&Crises Provide support to or carry out an ex-post technical enquiry Contribute to develop a cooperative response to large-scale crossborder incidents or crises (Blueprint): a) aggregating reports from national sources to contribute to common situational awareness; b) ensuring the efficient information flow and escalation mechanisms between the CSIRTs Network and the technical and political decisionmakers; c) supporting the technical handling of an incident or crisis, including facilitating the sharing of technical solutions between Member States; d) supporting public communication around the incident or crisis; e) testing the cooperation plans to respond to such incidents or crises. 13

Market Cybersecurity Certification Framework Standardisation Market Observatory preparing candidate European cybersecurity certification schemes assist the Commission in providing the secretariat to the European Cybersecurity Certification Group guidelines and developing good practices concerning the cybersecurity requirements of ICT products and services facilitate establishment & take-up of EU & international standards for risk management and for the security of ICT products &services advice and guidelines related to the security requirements for OES and DSPs, as well as regarding already existing standards (NIS-D art. 19) analyses on trends of cybersecurity market (demand and supply sides) 14

Knowledge, information & awareness Long term strategic analyses of cyber threats& incidents Analyses of emerging technologies Knowledge One stop shop portal of information from EU institutions, Agencies and bodies Information Hub Compiling reports to provide guidance after big incidents Provide guidance on good practices for individual users Regular campaigns Awareness Raising 15

R&I, International cooperation R&I International Advice on research needs &priorities Participate, if delegated by Commission, in implementation of R&I programmes or as beneficiary observer in the organisation of international exercises facilitating, upon request of Commission, the exchange of best practices providing, upon request, the Commission with expertise 16

ICT cybersecurity certification Towards a true cybersecurity single market in the EU

The issue The digitalisation of our society generates greater need for cyber secure products and services Cybersecurity certification plays an important role in increasing trust of digital products and services Current landscape emergence of separate national initiatives lacking mutual recognition (e.g. France, UK, Germany, Netherlands, Italy) SOG-IS MRA successful but limited membership (13 MSs) costs and duration not suitable for all market needs

Our proposal A voluntary European cybersecurity certification framework. to enable the creation of tailored EU cybersecurity certification schemes for ICT products and services that are valid across the EU

ENISA Consults Industry, Standardisation Bodies, other stakeholders European Commission Requests ENISA to prepare Candidate Scheme ENISA Prepares candidate scheme ENISA Transmits candidate scheme to the European Commission European Commission Adopts Candidate Scheme European Cybersecurity Certification Scheme European Cybersecurity Certification Group (MSs) Advises ENISA and may propose the preparation of a scheme to the Commission Overview Establishment of an EU Cybersecurity Certification Scheme

Core elements (i) One EU Cybersecurity Certification Framework, many schemes. Tailored schemes specifying: i. scope - product/service category ii. evaluation criteria and security requirements iii. assurance level Resulting Certificates from European schemes are valid across all Member States. Once a European scheme has been established: Member States cannot introduce new national schemes with same scope Existing national schemes covering same product/service cease to produce effects Existing certificates from national schemes are valid until expire date The use of EU certificates remains voluntary, unless otherwise specified in European Union law. The specified requirements of the scheme shall not contradict any applicable legal requirements, in particular requirements emanating from harmonised Union legislation. 21

Core elements (ii) National Authorities and the European Cybersecurity Certification Group (ECCG) MSs will appoint a national certification supervisory authority. In their territory, each authority shall: supervise the activities of conformity assessment bodies (CAB) and the compliance of the certificates issued by CABs be independent of the entities they supervise. handle complaints on certificates issued by CABs withdraw certificates that are not compliant and impose penalties participate in the new European Cybersecurity Certification Group The Group has the following tasks: advises the Commission and assists ENISA in the preparation of EU schemes proposes to the Commission that it requests ENISA to prepare a EU scheme adopt opinions addressed to the Commission relating to the maintenance and review of existing EU schemes the Commission chairs the Group and provides the secretariat with the assistance of ENISA 22

Core elements (iii) National Accreditation Bodies (NABs) & Conformity Assessment Bodies (CABs) European cybersecurity certificates are normally issued by CABs accredited by a National Accreditation Body (NAB) Reg. 765/2008 Accreditation shall be issued for a maximum of five years NABs can revoke accreditation of CABs Member States notify the Commission of the accredited CABs for each EU scheme In justified cases a European scheme may provide that a certificates can only be issued by a public body such as: - a national certification supervisory authority - a body accredited as a CAB - a body established under national laws, meeting the requirements according to ISO/IEC 17065:2012. 23

Example of an EU Cybersecurity Certification Scheme 1/3 Elements of the Scheme (incl. prod category, assurance level) an EU Certification Scheme Specifies Evaluation process Product Requirements By reference to EU / International Standards/ tech specs Applies Assess conformity to National Certification Supervisory Authority Supervises Conformity Assessment Body (Eval. Facility) Accredits National Accreditation Body 1. Evaluates (applies evaluation process to assess product's conformity with requirements) 2. Certifies conformity 4. Certificate is recognised by Scheme Governance EU Product Certification Procedure Member State

Example of an EU Cybersecurity Certification Scheme 2/3 Elements of the Scheme (incl. prod category, assurance level) an EU Certification Scheme Specifies Evaluation process Product Requirements By reference to EU / International Standards/ tech specs Applies Assesses conformity to National Certification Supervisory Authority 1. Evaluates (applies evaluation process to assess product's conformity with requirements) 2. Certifies conformity 3. Certificate is recognised by Scheme Governance EU Product Certification Procedure Member State

Example of an EU Cybersecurity Certification Scheme 3/3 Elements of the Scheme (incl. prod category, assurance level) an EU Certification Scheme Specifies Evaluation process Product Requirements By reference to EU / International Standards/ tech specs Applies Assesses conformity to National Certification Supervisory Authority Supervises 2. Provides Evaluation Report Conformity Assessment Body (Eval. Facility) Accredits National Accreditation Body 1. Evaluates (applies evaluation process to assess product's conformity with requirements) 3. Certifies 4. Certificate is recognised by Scheme Governance EU Product Certification Procedure Member State

Benefits for citizens/end users NOW FUTURE Difficult to distinguish between more and less secure products/services more information on the security properties of product/services ahead of purchase Co-existence of schemes makes comparison difficult end-users (OES) refrain from buying certified products/services Greater incentive for OES to buy certified products/service Increased cyber resilience of critical infrastructures As end-users of digital solutions, governments would rely on an institutional framework to identify and express priority areas needing ICT security certification.

For vendors/providers The possibility to obtain cybersecurity certificates that are valid across the EU would: Generate higher incentive to certify and enhance the quality of digital products/services Enhance competitiveness through reduced time and cost of certification Help gain access to market segments where certification is required Contribute to promote a chain of trust between vendors and end-users For SMEs and new business Elimination of a potential market-entry barrier

NIS Communication Making the most of NIS Towards an effective implementation of the Directive

Key messages of the NIS Communication Put in place comprehensive and ambitious national strategies Ensure effective and adequately resourced national CSIRTs Ensure effectiveness of implementation and enforcement Align the national approaches on Operators of Essential Extend the scope of the NIS Directive to additional sectors, e.g. public administration 30

Blueprint Resilience through crisis management and rapid emergency response

Recommendation: Coordinated response to large-scale cybersecurity incidents and crises Establish an EU Cybersecurity Crisis Response Framework standard operating procedures information sharing and cooperation protocols "integrating the objectives and modalities of cooperation presented in the Blueprint following the guiding principles described therein". Ensure that National Crisis Management mechanisms adequately address cybersecurity incident response as well as provide necessary procedures for cooperation at EU level within the context of the EU Framework. Develop and adopt a common taxonomy and template for situational reports describing the technical causes and impacts of cybersecurity incidents. Test in the context of the CyberEurope exercises organised by ENISA. CyberEurope 2018 presents a first such opportunity.

Blueprint Cooperation at all levels Technical Incident handling during a cybersecurity crisis. Monitoring and surveillance of incident including continuous analysis of threats and risk. Operational Preparing decision-making at the political level. Coordinate the management of the cybersecurity crisis (as appropriate). Assess the consequences and impact at EU level and propose possible mitigating actions. Political / Strategic Strategic and political management of both cyber and non-cyber aspects of the crisis including measures under the Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities

A cybersecurity competence network with a European Cybersecurity Research and Competence Centre Reinforcing EU's cybersecurity technologic capabilities and skills

Idea in a nutshell MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre European Cybersecurity Research and Competence network & Centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre Builds on the work of Member States and the cppp to: Stimulate development and deployment of technology in cybersecurity Give impetus to innovation and competitiveness of the EU industry on the global scene in the development of nextgeneration digital technologies (AI, quantum computing, block chain, secure digital identities) Support industry through testing and simulation to underpin the cybersecurity certification MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre Complement skills development efforts at EU and national level In the second phase - stimulate synergies between civilian and defence markets 35 that share common challenges

Thank you for your attention!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback