European Union Agency for Network and Information Security
Update on the implementation of the NIS Directive
Paraskevi Kasse | Network and Information Security Officer
NIS Directive
• Scope: to achieve a high common level of security of NIS within the Union (first EU regulatory act at this level).
• Status: ADOPTED July 2016. Deadline for transposition: 9 May 2018 (21 months).
• Provisions:
  • Improved cybersecurity capabilities at national level
  • Increased EU-level cooperation
  • Obligations for operators of essential services (OES)
  • Obligations for digital service providers (DSP)
NISD Timeline
Date            Entry into force + …                          Milestone
August 2016     -                                             Entry into force
February 2017   6 months                                      Cooperation Group begins tasks
August 2017     12 months                                     Adoption of implementing act on security and notification requirements for DSPs
February 2018   18 months                                     Cooperation Group establishes work programme
May 2018        21 months                                     Transposition into national law
November 2018   27 months                                     Member States to identify operators of essential services
May 2019        33 months (i.e. 1 year after transposition)   Commission report assessing the consistency of Member States' identification of operators of essential services
May 2021        57 months (i.e. 3 years after transposition)  Commission review of the functioning of the Directive, with a particular focus on strategic and operational cooperation, as well as the scope in relation to operators of essential services and digital service providers
NIS Directive
DSPs & OESs Obligations
Commonalities
• Security measures
• Incident notification
Differences
• Implementing acts
• Light touch approach
• Medium & large enterprises
• Identification criteria
• Audit
DSPs obligations
• Implementing act (https://ec.europa.eu/info/law/better-regulation/initiatives/ares-2017-4460501_en)
• Substantial impact of an incident
• Security measures:
  • security of systems and facilities
  • incident handling
  • business continuity management
  • monitoring, auditing and testing
  • compliance with international standards
OES obligations
Cooperation Group (with ENISA and the EC):
• Identification criteria for OES (DE)
• Security measures for OES (FR)
• Incident reporting for OES (NL)
• Cross-border interdependencies (EE)
OES Identification criteria – MS 2016 Overview
Security Measures for OES
Incident Reporting for OES: the process
Cross border interdependencies: Proof of concept
Challenges vs Key success factors
CSIRTs Network
• SOPex
• CSIRTs Network Meeting: Sophia, end of March
Challenges
• Low engagement of MSs
• Diverse views regarding the approaches & threshold definitions
• Different security requirements stemming from other regulations, e.g. GDPR
Key success factors
• Active support with facilitation, surveys, stocktakings and reports
• Engage private sector to harmonize and gain knowledge
• Build trust amongst the members of the CG and the CSIRTs network
ENISA’s role in the NISD
01 Assist MS and the EU Commission
02 Participate in the EU NIS Cooperation Group
03 Secretariat for CSIRTs Network
04 Elaborate advice and guidelines regarding standardization in NIS security
05 Organize exercises
ENISA’s activities 2018
• Stocktaking and recommendations on security measures, incident reporting, audit frameworks
• More technical reports:
  • Mapping of OES security requirements to specific sectors (Energy, Transport, etc. …)
  • Dependencies of OES on DSPs in Healthcare, Finance & Aviation sectors
  • …
• Contributing to the Cooperation Group
• Supporting policy discussions, engagement and dialogue with stakeholders
• Establishing working relations with industry working groups
PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
www.enisa.europa.eu
Thank you