International Legal Regulation of Cybersecurity U.S.-German Standards Panel 2018

Similar documents
Current developments in Germany and Europe

ENISA s Position on the NIS Directive

Exploring the European Commission s Network and Information Security Directive (NIS) What every CISO should know

NIS-Directive and Smart Grids

Directive on security of network and information systems (NIS): State of Play

Cybersecurity Strategy of the Republic of Cyprus

A comprehensive approach on personal data protection in the European Union

THE CYBER SECURITY ENVIRONMENT IN LITHUANIA

Requirements on new data protection regulations and current changing needs from the view of the EDPS

Cybersecurity & Digital Privacy in the Energy sector

Package of initiatives on Cybersecurity

U.S. Private-sector Privacy Certification

The NIS Directive and Cybersecurity in

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

The Role of ENISA in the Implementation of the NIS Directive Anna Sarri Officer in NIS CIP Workshop Vienna 19 th September 2017

Directive on Security of Network and Information Systems

Cybersecurity. Quality. security LED-Modul. basis. Comments by the electrical industry on the EU Cybersecurity Act. manufacturer s declaration

National Policy and Guiding Principles

Security of Critical Information Infrastructure: Legal Issues

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

ENISA Cooperation in the EU / NIS Directive

UCOP ITS Systemwide CISO Office Systemwide IT Policy

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

Call for Expressions of Interest

Cyber Security in Europe

European Union Agency for Network and Information Security

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017


General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

Data Security and Breach Notification Legislative Update: What You Need to Know (SESSION CODE CRM001)

Draft Resolution for Committee Consideration and Recommendation

The EU Cybersecurity Package: Implications for ENISA Dr. Steve Purser Head of ENISA Core Operations Athens, 30 th January 2018

KISH REMARKS APEC CBPR NOV 1 CYBER CONFERENCE KEIO Page 1 of 5 Revised 11/10/2016

ENISA EU Threat Landscape

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

The emerging EU certification framework: A role for ENISA Dr. Andreas Mitrakas Head of Unit EU Certification Framework Conference Brussels 01/03/18

13967/16 MK/mj 1 DG D 2B

Enhancing the security of CIIPs in Europe - ENISA s Approach Dimitra Liveri Network and Information Security Expert

The Role of the Data Protection Officer

Critical Information Infrastructure Protection Law

VdTÜV Statement on the Communication from the EU Commission A Digital Single Market Strategy for Europe

Data Breach Notification: what EU law means for your information security strategy

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

Cyber Security Strategic Level Landscape in Poland. Krzysztof Silicki NASK Institute, Poland ENISA MB, EB

A Strategy for a secure Information Society Dialogue, Partnership and empowerment

H2020 Opportunities in the Area of Security and Critical Infrastructure Protection

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

The Federal Council s Basic Strategy. for Critical Infrastructure Protection

NATIONAL PROGRAMME Chapter 15 Telecommunication and Post. Telecommunication and Post

Data Privacy for Multinationals: How to Build and Implement a Compliance Plan

ERCI cybersecurity seminar Guildford ERCI cybersecurity seminar Guildford

CYBERSECURITY LEGISLATION IT OUT!

Network and Information Security Directive

Cyber Security in Europe and CEER s new PEER initiative

Data Privacy for Multinationals: How to Build and Implement a Compliance Plan

Security Challenges with ITS : A law enforcement view

Resilience, Deterrence and Defence: Building strong cybersecurity for the EU

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Market Surveillance Action Plan

Legal and Regulatory Developments for Privacy and Security

Bradford J. Willke. 19 September 2007

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Legal, Ethical, and Professional Issues in Information Security

Laws and Regulations & Data Governance

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

Protecting Critical Information Infrastructure in times of increasing cyber conflict

Promoting Global Cybersecurity

Security Awareness Compliance Requirements. Updated: 11 October, 2017

Harmonisation of Digital Markets in the EaP. Vassilis Kopanas European Commission, DG CONNECT

Section I. GENERAL PROVISIONS

COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document

5 th Meeting of the European Heritage Legal Forum. Wolfgang Karl Göhner

DAkkS Who we are. Attesting competence, Assuring quality, Creating confidence.

Cybersecurity eit. Software. Certification. Industrial Security Embedded System

ENISA activities in ICT security certification Dr. Prokopios Drogkaris NIS Expert NLO Meeting Athens

eidas Regulation (EU) 910/2014 eidas implementation State of Play

The NIST Cybersecurity Framework

Cybersecurity in Higher Ed

ENFORCEMENT POWERS. The EU Perspective. Olivier Proust. Associate Hunton & Williams LLP

Creating NIS Compliant Country in a Non-Regulated Environment. Jurica Čular

eidas Regulation eid and assurance levels Outcome of eias study

GDPR - Are you ready?

EU policy on Network and Information Security & Critical Information Infrastructures Protection

ECB-PUBLIC OPINION OF THE EUROPEAN CENTRAL BANK. of 18 May 2018

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

ENISA & Cybersecurity. Dr. Udo Helmbrecht Executive Director, European Network & Information Security Agency (ENISA) 25 October 2010

EUROPEAN PLATFORMS AND INITIATIVES FOR C-ITS DEPLOYMENT

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

NIS Standardisation ENISA view

Developments in Global Data Protection & Transfer: How They Impact Third-Party Contracts

Security Aspects of Trust Services Providers

Cybersecurity Policy in the EU: Security Directive - Security for the data in the cloud

EU data security and privacy trends

20/09/2013. Global Privacy and Data Protection: Practical Risk Assessment and Governance. Topics

Technology and data privacy Global perspectives

European Standards- preparation, approval and role of CEN. Ashok Ganesh Deputy Director - Standards

PROTECTING NATIONAL CRITICAL INFRASTRUCTURE AGAINST CYBER ATTACKS BEST PRACTICES RELATED TO TECHNOLOGY AND STANDARDS FROM EUROPE BANGKOK

2014 Luxury & Fashion Industry Conference for Multinationals

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

Transcription:

International Legal Regulation of Cybersecurity U.S.-German Standards Panel 2018 Dr. Dennis-Kenji Kipker University of Bremen Washington DC, 10.04.2018 Gefördert vom FKZ: 16KIS0213 bis 16KIS0216 Slide 1

International Legal Regulation of Cybersecurity Germany and European Union German IT Security Act (2015) EU Network and Information Security Directive (2016) Outlook: EU Cybersecurity Act (2018) Slide 2

The German IT-Security Act (IT-SiG, 2015): Amending act ( Artikelgesetz ), no codification Amended various existing laws, including: Act on the Federal Office for Information Security (BSIG) Atomic Energy Act (AtG) Energy Industry Act (EnWG) Telemedia Act (TMG) Telecommunications Act (TKG) Act on the Federal Criminal Police Office (BKAG) IT-SiG entered into force on 25 July, 2015 The German IT-Security Act (2015) Mainly, but not exclusively referring to Critical Infrastructures Energy, information technology, telecommunication, transport, traffic, health, water, food, finance and insurance + relevance of failure consequences E.g. includes a general extension of power of the BSI according to Sec. 7 BSIG (warnings), Sec. 7a BSIG (examination of IT security) Slide 3

EU Network and Information Security Directive (2016) IT-security regulation on the European level: No codification: numerous individual regulations, different legally binding nature Depending on the respective business or infrastructure sector Example: Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eidas) The European Network and Information Security Directive (NIS Directive, 2016): NIS as key factor for a functioning community and economy of the EU Long term legislative procedure: 2/2013 (first proposal by EC) 8/2016 (entry into force) Key element of the EU Cybersecurity Strategy Art. 288 TFEU: Directive Regulation National implementing act needed, Germany: Slightly amended regulations of the IT-SiG Minimum harmonisation NIS Directive designed as global approach [ ] covering common minimum capacity building and planning requirements, exchange of information, cooperation and common security requirements for operators of essential services and digital service providers Slide 4

Slide 5

EU Cybersecurity Act (2018) Outlook: New EU Cybersecurity Act (announced for 2018): Part of the newly announced EU Cybersecurity Strategy, September 2017 Protecting not only Critical Infrastructues + Digital Service Providers, but also the digital interior market in general Comprehensive reorganisation of ENISA Stronger exchange of information among IT-security authorities of the member states New European IT-security certification: Making certification easier, cheaper, and transnational due to EU wide recognition of Member State certification Legislative procedure: LIBE (European Parliament Committee on Civil Liberties, Justice and Home Affairs) and IMCO (Committee on the Internal Market and Consumer Protection) (draft) reports issued, picking up on the CEN-CENELEC position paper and the role of standards in the future cybersecurity certification framework, referencing to international and EU standards September 2018: EP plenary voting Slide 6

International Legal Regulation of Cybersecurity Russia Russian Cybersecurity Doctrine (2000, 2016) New Russian Cybersecurity Law (2018) Slide 7

Russian Cybersecurity Doctrine (2000, 2016) Russian Cybersecurity Doctrine (2000, 2016): 1 st Cybersecurity Doctrine in 2000: Did not even mention the Internet 2 nd Cybersecurity Doctrine in 2016: Goal: Protection of the national interests of the Russian Federation in cyberspace Generally not focused on economic, but mostly on political and military interests Closely linked to the National Security Strategy of the Russian Federation Effective cybersecurity also includes: Strengthening of the military, safeguarding digital weapon systems, protection of the national interests of Russian allies Slide 8

New Russian Cybersecurity Law (2018): New Russian Cybersecurity Law (2018) Federal Law on Security of Critical Russian Information Infrastructure (entry into force: 01/01/2018) Foundation of a nationwide IT-security system with the aims of detection, prevention and elimination of cybersecurity risks Duties comparable to German IT-SiG and to EU NIS Directive Technical and organisational measures Duties to report to competent Russian authorities Register of important IT-infrastructure objects Definition of Critical Information Infrastructure: Public institutions, legal entities, and companies in different sectors: health, science, transport, communication, energy, finance, defense, mining, chemical industry broader than IT-SiG Slide 9

International Legal Regulation of Cybersecurity China Cybersecurity Law (2016) Measures on Security Review of Network Products and Services (2017) Slide 10

Chinese Cybersecurity Law (2016): Double focus: Network security and data protection Chinese Cybersecurity Law (2016) Difference to German and EU law: IT-security and data protection are separated (e.g. EU NIS Directive/EU GDPR), China: holistic approach to ITregulation Network security: Chinese networks should be in a stable and reliable state of work, measures should be taken against intrusions, destruction or the unlawful use of network resources TOM, risk assessment, real name registration, information exchange, certification, education, best practices, IT-security representatives, emergency response plans, severe penalties Data protection: Protection of personal information, which allows identification of individuals Confidentiality, earmarking principle, informed consent for data use, regulation of privacy breaches, rights of persons concerned Chinese data protection level below GDPR BCR possibly apply Slide 11

Measures on Security Review of Network Products (2017) Measures on Security Review of Network Products + Services (2017): Basis: Artt. 24, 25 of the Chinese National Security Law; Artt. 23, 35 of the Chinese Cybersecurity Law Goal: Improvement of security and controllability of IT-network products and services Measure: Cybersecurity Review for key products, which affect national security and public interest Responsibility: Cyberspace Administration of China (CAC), Cybersecurity Review Committee, Cybersecurity Review Expert Committee, third parties/companies Process: Intense collaboration between companies and authorities, laboratory tests, site inspections, online-surveillance, background supervision Importance: Certified products will be given priority in Chinese market; products which failed will not be used in China Slide 12

International Legal Regulation of Cybersecurity United States Cybersecurity National Security Action Plan (2016) Cybersecurity Information Sharing Act (2015) Slide 13

IT-security regulation in the U.S.: IT-security regulation in the U.S. Cybersecurity National Security Action Plan (CNAP, 2016): Measure and strategies for protection against cyberattacks Variety of sector specific regulations concerning IT-security on national level as well as in the federal states Self regulation of the private sector is also promoted by the authorities Examples of sector specific laws on national level: Health Insurance Portability and Accountability Act (HIPAA, 1996): Data security of electronically stored medical data Financial Services Modernization Act (Gramm-Leach-Bliley Act, 1999): Data security of financial institutions Federal Information Security Management Act (FISMA, 2002): Secure data processing of Federal Authorities Cybersecurity Information Sharing Act (CISA, 2015): Information exchange about data security between government and companies Insufficient IT-security measures of companies may by sanctioned by the Federal Trade Commission (FTC) Slide 14

International Legal Regulation of Cybersecurity International Legal Regulation of Cybersecurity Conclusion + Outlook Slide 15

Conclusion + Outlook Conclusion + Outlook: Many different approaches for cybersecurity on international level during the recent years: hot topic Germany and Europe: Addressing cybersecurity issues as uniform approach on from the scratch Current technical challenges force national states to promote cybersecurity regulation, e.g. Japan with a new legislative approach especially for IoT-devices Cybersecurity not only as legal, but also as a task for international standardization: Technical concretization of legal cybersecurity requirements Support to a consistent interpretation of (newly announced) legal provisions Means to conduct a transnational cybersecurity certification Slide 16

Dr. Dennis-Kenji Kipker Scientific Managing Director University of Bremen Universitätsallee GW1 28359 Bremen Tel.: +49 421 218 66049 Mail: kipker@uni-bremen.de Visit our website: www.itskritis.de Follow us on Twitter: @itskritis Slide 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback