NIS Directive development: The Incident Notification Framework


NIS Directive development: The Incident Notification Framework
Dan Tofan, #certcon, 30.10.2017, Bucharest
European Union Agency for Network and Information Security

Topics
01 NISD Short Intro
02 The incident notification/reporting (IN/IR) process
03 Types of incidents in scope
04 How to determine significant incidents
05 Overall Findings

1. The NIS Directive (EU 2016/1148)
Scope: to achieve a high common level of security of NIS within the Union (the first EU regulatory act at this level).
Status: ADOPTED, August 2016.
Deadline for transposition: 9 May 2018 (21 months).
Provisions:
1. Improved cybersecurity capabilities at national level
2. Increased EU-level cooperation
3. Obligations for operators of essential services (OES)
4. Obligations for digital service providers (DSP)

The Network and Information Security Directive

NISD Co-operation Group & ENISA
EC Cooperation Group expert groups:
- Identification Criteria Expert group - DE
- Security Measures Expert group - FR
- Incident reporting Expert group - NL
- Cross-border Interdependencies Expert group - EE
ENISA studies:
- Study on Identification Criteria for OES
- Study on Security Measures for OES
- Study on Incident Reporting for OES
- Study on Cross-border Interdependencies

OES Identification
MS responsibilities:
- Identify the essential services that are critical for societal and economic activities.
- Determine what could be a significant disruptive effect for the candidate OES.
- Identify essential services within the operators.
- Review and update the list every two years.
Findings:
- Some MS have gone beyond the NISD and included: food, public and legal order, civil administration, chemical and nuclear industry, and space & research.

Security Measures (SM) for OESs

2. The Incident Notification Process

2. The Incident Notification Process
Some requirements:
- The IN requirements apply only to OES using NIS (computer systems).
- Significant incidents that affect the continuity of the essential services provided must be reported without undue delay.
- Other MS must be informed in case of cross-border impact.
- OES can follow up for information that can support the handling.
- The public can be informed where needed.

3. Types of incidents in scope
Several concepts and definitions must be taken into account to define the scope: incident, NIS, security of NIS, adverse effect, significant impact, continuity.
In scope: any incident affecting the availability, authenticity, integrity or confidentiality of network and information systems used in the provision of the essential services, which has a significant impact on the continuity of the essential services.
P.S.: CONTINUITY != AVAILABILITY

3. Types of incidents in scope
[Diagram: NISD reportable incidents (OES), shown alongside safety-related incidents, other crises, and incidents reportable under other EU regulations (GDPR, telecom, eIDAS etc.)]

3. Types of incidents in scope - ENERGY

3. Types of incidents in scope - TRANSPORT

3. Types of incidents in scope - BANKING
Example: on Sept. 19, 2012, the websites of Bank of America (BAC), JPMorgan Chase (JPM), Wells Fargo (WFC), U.S. Bank (USB) and PNC Bank all suffered day-long slowdowns and were sporadically unreachable for many customers.

3. Types of incidents in scope - HEALTH

4. How to determine significant incidents
- Art. 14 (4) contains parameters to be used for determining impact:
  - (a) the number of users affected by the disruption of the essential service (relying on the service);
  - (b) the duration of the incident;
  - (c) the geographical spread (area affected by the incident).
- Other parameters can also be considered; inspiration comes from Art. 6 (but you can also add your own):
  - interdependencies on other OES sectors;
  - socio-economic impact;
  - the market share of that entity;
  - existence of alternative means of service provision.
P.S.: Significance relates to the overall impact, not to the impact perceived through an IT perspective!

5. Important findings
- A GREAT responsibility comes at MS level, which has to converge fundamentally different industries;
- All industries are different! There is no one-size-fits-all solution!
- Traditional industries already have IR (and SM) schemes in place, mostly focused on safety, but cyber is not excluded;
- Sectoral experience/knowledge is crucial in approaching a sector; some have a history that goes beyond the Internet age;
- IN: significance should be related to the overall impact of the incident, not to the impact perceived through an IT perspective;
- SM: mature OES already have them in place.

Thank you
PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
dan.tofan@enisa.europa.eu
info@enisa.europa.eu
www.enisa.europa.eu