
European Union Agency for Network and Information Security

Update on the implementation of the NIS Directive

Paraskevi Kasse | Network and Information Security Officer

NIS Directive

• Scope: to achieve a high common level of security of NIS within the Union (first EU regulatory act at this level).

• Status: ADOPTED July 2016. Deadline for transposition: 9 May 2018 (21 months).

• Provisions:

  • Improved cybersecurity capabilities at national level

  • Increased EU-level cooperation

  • Obligations for operators of essential services (OES)

  • Obligations for digital service providers (DSP)

NISD Timeline

Date | Entry into force + … | Milestone

August 2016 | - | Entry into force

February 2017 | 6 months | Cooperation Group begins tasks

August 2017 | 12 months | Adoption of implementing act on security and notification requirements for DSPs

February 2018 | 18 months | Cooperation Group establishes work programme

May 2018 | 21 months | Transposition into national law

November 2018 | 27 months | Member States to identify operators of essential services

May 2019 | 33 months (i.e. 1 year after transposition) | Commission report assessing the consistency of Member States' identification of operators of essential services

May 2021 | 57 months (i.e. 3 years after transposition) | Commission review of the functioning of the Directive, with a particular focus on strategic and operational cooperation, as well as the scope in relation to operators of essential services and digital service providers


NIS Directive

DSPs & OESs Obligations

Commonalities:

• Security measures

• Incident notification

Differences:

• Implementing Acts

• Light touch approach

• Medium & Large enterprises

• Identification criteria

• Audit

DSPs obligations

• Implementing act (https://ec.europa.eu/info/law/better-regulation/initiatives/ares-2017-4460501_en)

• Substantial impact of an incident

• Security measures:

  • security of systems and facilities

  • incident handling

  • business continuity management

  • monitoring, auditing and testing

  • compliance with international standards

OES obligations

Cooperation Group:

• Identification Criteria (DE)

• Security Measures (FR)

• Incident reporting (NL)

• Cross-border Interdependencies (EE)

• ENISA

• EC

• Identification Criteria for OES

• Security Measures for OES

• Incident Reporting for OES

• Cross border Interdependencies

OES Identification criteria – MS 2016 Overview

Security Measures for OES

Incident Reporting for OES: the process

Cross border interdependencies: Proof of concept

CSIRTs Network

• SOPex

• CSIRTs Network Meeting: Sophia, end of March

Challenges vs Key success factors

Challenges:

• Low engagement of MSs

• Diverse views regarding the approaches & thresholds definitions

• Different security requirements stemming from other regulations, e.g. GDPR

Key success factors:

• Active support with facilitation, surveys and stocktakings and reports

• Engage private sector to harmonize and gain knowledge

• Build trust amongst the members of the CG and the CSIRTs network

ENISA’s role in the NISD

01 Assist MS and the EU Commission

02 Participate in the EU NIS Cooperation Group

03 Secretariat for CSIRTs Network

04 Elaborate advice and guidelines regarding standardization in NIS security

05 Organize exercises

ENISA’s activities 2018

• Stocktaking and recommendations on security measures, incident reporting, audit frameworks

• More technical reports:

  • Mapping of OES Security Requirements to Specific Sectors (Energy, Transport, etc …)

  • Dependencies of OES on DSPs in Healthcare, Finance & Aviation sectors

  • …

• Contributing to the Cooperation Group

• Supporting policy discussions, engagement and dialogue with stakeholders

• Establishing working relations with industry working groups