New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

Transcription:

Title slide: New cybersecurity landscape in the EU. Sławek Górniak, European Union Agency for Network and Information Security (ENISA). 9. CA-Day, Berlin, 28 November 2017.

Positioning ENISA activities
- CAPACITY: hands-on activities
- POLICY: support Member States and the Commission in policy implementation; harmonisation across the EU
- EXPERTISE: recommendations; independent advice

EU policy context
- eIDAS Regulation
- NIS Directive
- EU Cyber Security Strategy (COM)
- Strengthening Europe's Cyber Resilience System (COM)
- General Data Protection Regulation
- Telecom Package: Article 13a (Framework Directive) and Article 4 (ePrivacy Directive)

The NIS Directive
- Strategic level: National Cyber Security Strategies; Cooperation Group
- Tactical/operational level: CSIRT Network
- Security requirements and incident reporting for:
  - Operators of Essential Services: transport, energy, healthcare, banking and financial market infrastructures, digital infrastructure
  - Digital Service Providers: cloud computing services, online marketplaces, search engines

National Cyber Security Strategies (NCSS)
- 25 NCSS in the EU; a few under development
- Different maturity levels
- CIIP is a key subject in NCSSs
- PPPs: limited success so far
- Overlaps in mandates
- Assessment of NCSS is an issue

Certification of ICT products
Defining certification: "formal evaluation of products, services and processes by an independent and accredited body against a defined set of criteria standards and the issuing of a certificate indicating conformance" (EC COM(2017) 477 final)
- Security certification of products has traditionally been dominated by Common Criteria
- Within the EU, the SOG-IS MRA is the dominant player in Common Criteria certification; currently 13 Member States and 1 EFTA country participate
- Multiple national and sectoral initiatives focused on security certification

ICT security certification within the EU policy context
- Network and Information Security Directive
- EU Cybersecurity Strategy
- General Data Protection Regulation
- eIDAS Regulation
- Payment Services Directive 2
- Digital Single Market Strategy
- Strengthening Europe's Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry
- Proposal for a Regulation on Privacy and Electronic Communications

A view from the semiconductor industry on product certification
An ongoing joint initiative of Infineon, NXP, STMicroelectronics and ENISA to define European Baseline Requirements.
An EU Trust Label: a reference framework and associated label would ensure appropriate levels of security for products and services, leading to a common level playing field for industry.
Challenges:
- Standardisation and certification: a policy framework to ensure minimal security for connected devices (to be defined by COM); EU security standards commensurate with market needs
- Security processes and services: reliable security processes and services; support industry to implement security in their products
- Security requirements: mandatory staged requirements for security and privacy in IoT
- Economic dimensions: a level playing field for cybersecurity and good security practices

Features of an EU certification framework
(diagram: ICT security certification producers and consumers; industry; Member States; ECIL Group)
- Avoid fragmentation caused by national ICT security certification initiatives
- Promote mutual recognition
- Simplify procedures; reduce the time and cost of deployment of IT products and services
- Improve competitiveness and quality of European products and services
- Give users more confidence in the ICT products and services they purchase

Tentative policy approaches (as of 27.04.2017)
- Option 0, do nothing: no EU policy initiative or action (baseline scenario)
- Option 1, soft law approach: Commission to encourage and support national or industry initiatives
- Option 2, extension of the SOG-IS agreement: legislative proposal making Member State participation in the SOG-IS agreement mandatory
- Option 3, European certification and labelling framework: EU-wide framework with its own scope, functioning and governance rules

Draft Cybersecurity Act

EU Cybersecurity Certification Framework
One EU Cybersecurity Certification Framework, many schemes. Tailored schemes specify:
- scope (product/service category)
- evaluation criteria and security requirements
- assurance level
Certificates resulting from European schemes are valid across all Member States. Once a European scheme has been established:
- Member States cannot introduce new national schemes with the same scope
- Existing national schemes covering the same product/service cease to produce effects
- Existing certificates from national schemes remain valid until their expiry date
The use of EU certificates remains voluntary, unless otherwise specified in European Union law. The requirements specified by a scheme shall not contradict any applicable legal requirements, in particular requirements emanating from harmonised Union legislation.

EU certification framework (diagram)

National Certification Supervisory Authorities
- Supervise the activities of conformity assessment bodies (CABs) and the compliance of the certificates issued by CABs
- Are independent of the entities they supervise
- Handle complaints on certificates issued by CABs
- Withdraw certificates that are not compliant and impose penalties
- Participate in the new European Cybersecurity Certification Group

European Cybersecurity Certification Group
- Composed of national certification supervisory authorities
- Advises and assists the Commission; assists, advises and cooperates with ENISA
- Proposes to the Commission that it request the Agency to prepare a scheme
- Adopts opinions addressed to the Commission relating to the maintenance and review of existing EU schemes
- Chair: Commission; secretariat assistance: ENISA

EU certification framework (diagram)

Envisaged assurance levels
- Assurance level basic: limited degree of confidence in the claimed or asserted cybersecurity qualities
- Assurance level substantial: substantial degree of confidence in the claimed or asserted cybersecurity qualities
- Assurance level high: high degree of confidence in the claimed or asserted cybersecurity qualities

Key elements of the framework
- Detailed specification of cybersecurity requirements against which ICT products will be evaluated
- One or more assurance levels
- Specific evaluation criteria and methods used
- Information to be supplied to CABs
- Conditions for the use of marks and labels
- Mechanisms to demonstrate continual compliance, as appropriate
- Conditions for granting, maintaining and extending a certificate
- Consequences of non-conformity

New ENISA: the EU Cybersecurity Agency
- Focused mandate
- Adequate resources
- Permanent status

Mandate and objectives
- Promote the use of certification and contribute to the cybersecurity certification framework
- Be an independent centre of expertise
- Increase cybersecurity capabilities at Union level to complement Member States' action
- Contribute to a high level of cybersecurity
- Assist EU institutions and Member States in policy development and implementation
- Support capacity building and preparedness
- Promote cooperation and coordination at Union level
- Promote a high level of awareness among citizens and businesses

Thank you PO Box 1309, 710 01 Heraklion, Greece Tel: +30 28 14 40 9710 info@enisa.europa.eu www.enisa.europa.eu