The EU Cybersecurity Package: Implications for ENISA

Dr. Steve Purser
Head of ENISA Core Operations
Athens, 30th January 2018
European Union Agency for Network and Information Security

Outline

1. Cybersecurity Package
2. Why ENISA Reform?
3. The Cybersecurity Act and proposed ENISA tasks
4. Policy and R&I
5. Operational cooperation
6. Cybersecurity Certification
7. Key Developments
8. The Next Steps

Cybersecurity Package

Commission President Juncker, State of the EU 2017:
"Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks. [...] Today, the Commission is proposing new tools, including a European Cybersecurity Agency to help defend us."

Cybersecurity Package

- Commission Proposal for a Cybersecurity Act: Proposal for a Regulation on ENISA, the "EU Cybersecurity Agency", and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act") COM(2017) 477
- Renewed Cybersecurity Strategy: European Parliament and Council Joint Communication 'Resilience, Deterrence and Defence: Building strong cybersecurity for the EU' (JOIN(2017) 450)
- Blueprint: Commission Recommendation on Coordinated Response to Large Scale Cybersecurity Incidents and Crises (C(2017) 6100)
- Commission Communication Making the Most of NIS towards effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (COM(2017) 476)

Why ENISA Reform?

- Existing mandate coming to an end in June 2020
- New and increasing threats in cyberspace
- Greater political interest in cyber issues
- New EU cyber legislation: NIS Directive
- Risk of fragmentation in the Digital Single Market
- ENISA evaluation study for period 2013-2016

Why ENISA Reform?

Need for enhanced role for ENISA with:
- A Stronger Mandate
- Adequate Resources
- Permanent Status

Reformed ENISA (EU Cybersecurity Agency)

The Proposed Cybersecurity Act

Six key objectives:
1. Increasing capabilities and preparedness at EU and MS level
2. Improving cooperation and coordination of stakeholders
3. Increasing EU level capabilities to complement MS action
4. Promoting cybersecurity awareness in the EU
5. Increasing transparency of cybersecurity assurance
6. Avoiding fragmentation of certification schemes

Proposed Tasks for a Stronger ENISA with a Permanent Mandate

Tasks:
- Law and Policy
- Capacity Building
- Operational Cooperation
- Market and Certification
- Awareness Raising
- Research and Innovation
- International Cooperation

The Proposed Cybersecurity Act

The proposal contains important new/revised tasks for ENISA:

Strengthened and reinforced ENISA; substantially altered:
- Role in policy development and implementation
- Role in operational cooperation Blueprint
- Participation in research funding programmes

EU-level cybersecurity certification framework with:
- A role for ENISA in the preparation of candidate schemes
- Secretariat assistance provided by ENISA for the European Cybersecurity Certification Group

Policy and Research & Innovation

ENISA involvement in the development, implementation and review of Union law and policy (Article 5):
- Horizontal and sectoral policy relating to cybersecurity
- NIS Directive implementation
- Special attention to electronic identity and trust services; security of electronic communications
- Annual report on state of implementation of legal framework

Enhanced participation in research funding programmes (Article 10):
- Possibility to participate as a beneficiary or in the implementation of research and innovation programmes

Operational cooperation

Enhanced operational role and involvement in the Blueprint for large-scale cybersecurity incidents and crises (Article 7):
- ENISA to provide support to or carry out ex-post technical enquiries.
- ENISA to contribute to developing a cooperative response to large-scale cross-border incidents or crises (Blueprint):
  a) aggregating reports from national sources to contribute to common situational awareness;
  b) ensuring efficient information flow and escalation mechanisms between CSIRTs Network, technical and political decision-makers;
  c) supporting technical handling of an incident/crisis, including facilitating sharing of technical solutions between Member States;
  d) supporting public communication around incidents/crises;
  e) testing the cooperation plans to respond to incidents/crises.

EU Cybersecurity Certification

The Commission proposes a European Cybersecurity Certification framework (Article 8 and Title III) with ENISA involvement in steps 2 and 3 of the process displayed below:
1. MS or ECCG propose to Commission the drafting of a scheme
2. Commission requests ENISA
3. ENISA drafts scheme involving all stakeholders and ECCG
4. Commission adopts scheme by means of implementing acts

Key Aspects of Proposed Framework

Key aspects of the proposed EU cybersecurity certification framework include:
- Addresses market fragmentation
- Presents a voluntary and risk-based approach
- Defined assurance levels (Basic, Substantial, High)
- Role for Member States:
  - Propose preparation of a candidate scheme to the Commission
  - Involvement through European Cybersecurity Certification Group (composed of national certification supervisory authorities)
  - Involved in the procedure for adoption of an implementing act
- Clear separation of tasks in line with Regulation (EU) 765/2008

Cybersecurity Package: Developments

Council Conclusions of 20th November 2017 on the Renewed Cybersecurity Strategy (JOIN(2017) 450):
- Welcomed the permanent mandate for ENISA, with a primary objective to:
  (a) support and develop cooperation between Member States;
  (b) increase capacities of Member States;
  (c) increase confidence in a digital Europe.
- Stressed the need to strengthen cybersecurity certification

National Parliaments subsidiarity deadline lapsed on 7th December 2017

Cybersecurity Package: The Next Steps

European Parliament First Reading of Cybersecurity Act:
- Responsible Committee in EP: ITRE Committee
- Involvement of BUDG, IMCO, LIBE, and AFET Committees (Opinion)
- Vote scheduled in Committee Q3 2018

Ongoing discussions in the Council

Expected Opinions from EESC and CoR

EPRS European Parliamentary Research Service, 2018

Thank you

PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
info@enisa.europa.eu
www.enisa.europa.eu