The Security of Network and Information Systems Directive

The Security of Network and Information Systems Directive Public Consultation

What is the NIS Directive?
The Directive on Security of Network and Information Systems (‘the NIS Directive’) was adopted by the European Parliament in July 2016 and represents the first EU-wide legislation on cyber security.
It requires designated essential service operators to implement security measures to manage the risks to the network and information systems used to deliver essential services, and to report incidents affecting the continuity of such services.
Similar but lighter requirements will be placed on certain Digital Service Providers.
Member States have until 9 May 2018 to implement the NIS Directive.

Who is in scope?
Essential Services in the following sectors: Water, Energy, Transport, Health, Digital Infrastructure (TLDs, IXPs, DNS).
Banking and Finance are excluded under UK proposals (similar legislation already applies in the UK). The civil nuclear sector is also not in scope.
Digital Service Providers: Online Marketplaces, Search Engines, Cloud Service Providers (with 50 or more staff and/or a turnover of €10m a year).
IXPs = Internet Exchange Points, DNS = Domain Name Services, TLD = Top Level Domain

Public consultation
The Government welcomes views from industry on the implementation proposals set out in the consultation document. It is important that we get these right.
The cyber security threat is increasing for businesses across the economy. It is especially important that our essential services operators effectively manage the risks to their network and information systems.
Loss of an essential service or Digital Service Provider would likely have a significant disruptive effect for both individual businesses and UK plc as a whole.
We want to find the correct balance between safeguarding the security of our essential services and digital service providers, whilst avoiding undue burdens on business.

Public consultation (cont.)
The UK Government (DCMS) launched a public consultation on 8 August, setting out the proposed approach to implementation of the NIS Directive.
The consultation closes on 30 September, and covers all aspects of implementation:
Essential Services and Identification Thresholds
National Framework
Security Requirements
Incident Reporting
Digital Service Providers
Penalties

What about the EU referendum result?
Cyber security remains a top priority for the Government. It is important to safeguard the network and information security of our essential services, irrespective of EU membership. It is therefore the UK Government’s intention to keep the framework established by the NIS Directive, and the associated legislative requirements, after the UK has left the EU.

NIS - the detail
There are six key aspects of implementation on which we are seeking your views. However, in this presentation we will be focusing only on two:
Digital Service Providers
Penalties

Digital Service Providers (Definitions)
Online marketplaces - a platform that acts as an intermediary between buyers and sellers, facilitating the sale of goods and services.
Online search engines - a digital service that allows users to perform searches of all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found.
Cloud computing services - any company that offers: ‘Infrastructure as a Service’ (IaaS); ‘Platform as a Service’ (PaaS); Business to Business ‘Software as a Service’ (SaaS).
We can share ENISA’s draft thinking. Entertainment DSPs are out of scope for the UK.

Digital Service Providers (Definitions)
Our aim is to:
Make it clear for companies whether they are in scope or not
Only incorporate companies where a service failure would negatively impact on other businesses
We want to work with you to improve the definitions. They need to be workable and legally enforceable. We can share ENISA’s draft thinking.

Digital Service Providers (Definitions)
Question: Are Digital Service Providers easily able to identify themselves using these criteria?
Question: Would using these definitions create any unfair competitive advantage or disadvantage for Digital Service Providers within scope?
We can share ENISA’s draft thinking.

Digital Service Providers (Security Measures)
DSPs must identify, and take appropriate and proportionate technical and organisational measures, to manage the risks posed to the security of their network and information systems.
We propose to follow a principles and guidance approach to security measures for Digital Service Providers, with the guidance closely linked to that provided by the European Network and Information Security Agency (ENISA).
Compliance with European guidelines will be a requirement for access to the Single Market, therefore the Government will aim to ensure that the UK’s guidance is as close to ENISA’s guidance as possible.
The EU Act setting exact provisions for DSPs is not yet published. We expect the first draft any time now.

Digital Service Providers (Security Measures)
The proposed principles:
Proportionate security measures in place to protect services and systems from cyber-attack or systems failure;
Appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage incidents;
Capabilities to minimise the impacts of cyber security incidents on the delivery of services, including the restoration of those services;
Capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, services;
Measures in place are, where possible, compatible or comparable to internationally recognised cyber security standards.

Digital Service Providers (Security Measures)
Question: Are these principles reasonable?
Question: If NO, why not? Can you suggest revised principles that would enable important incidents to be reported?
Question: What would be the impact on your business in applying these principles?
Question: Do you have an alternative preferred approach?

Digital Service Providers (Incident Reporting)
The Government is proposing that companies must report an incident “without undue delay and as soon as possible, at a maximum no later than 72 hours after having become aware of it.”
Question: Would this incident reporting timeframe place an undue burden on your business or operations?
Question: Do you wish to take part in the proposed targeted consultation exercise once the security and incident reporting thresholds have become clearer?
The targeted consultation will take place once the details of what the EU is proposing in its Act are clearer.

Penalties
Penalties provided for in national legislation should be effective, proportionate and dissuasive.
Given the potential high impact of a loss of an ‘essential service’, including possible loss of life and/or major economic loss to an associated industry or region, the Government believes the NIS Directive should set a high bar for the maximum level of penalty.
We therefore propose to adopt the same penalty regime being implemented for the General Data Protection Regulation (GDPR), which has been widely recognised as a likely effective regime. This will also provide consistency in the Government’s regulatory approach towards overall cyber security.

Penalties (cont.)
The Government proposes to have two bands of penalties under the NIS Directive:
Band one - set at a maximum of €10m or 2% of global turnover - for lesser offences, such as failure to cooperate with the competent authority, failure to report a reportable incident, or failure to comply with an instruction from the competent authority.
Band two - set at a maximum of €20m or 4% of global turnover (whichever is greater) - for failure to implement appropriate and proportionate security measures.

Penalties (cont.)
Question: Do you consider the proposed penalty regime to be proportionate to the risk of disruptions to operators of essential services?
Question: Do you believe that the proposed penalty regime will achieve the outcome of ensuring operators take action to ensure they have the resources, skills, systems and processes in place to ensure the security of their network and information systems?
Question: If you answered NO to either of these two questions, please explain how the penalty regime could be amended to address your concerns.

What next?
Public consultation closes - 30 September 2017
Publish Government Response - November 2017
Publish Updated Impact Assessment - November 2017
Review draft legislation – September - December 2017
Parliamentary clearance & prepare guidance - Winter 2017 to Spring 2018
Comes into force - May 2018

Stuart Peters
Head of EU Cyber Security Regulatory Policy
4th Floor, 100 Parliament Street, London SW1A 2BQ
stuart.peters@culture.gov.uk | 020 7211 6769 | 07926 964308
@dcms /dcmsgovuk | www.gov.uk/dcms