Presentation is loading. Please wait.

Presentation is loading. Please wait.

Deconstructing the EU NIS Directive: model, architecture, interfaces, expressions Tony Rutkowski, 08.

Published byMilo Tucker Modified over 9 years ago

Similar presentations

Presentation on theme: "Deconstructing the EU NIS Directive: model, architecture, interfaces, expressions Tony Rutkowski, 08."— Presentation transcript:

1 Deconstructing the EU NIS Directive: model, architecture, interfaces, expressions Tony Rutkowski, mailto:tony@yaanatech.commailto:tony@yaanatech.com 08 Feb 2016 Copyright © Yaana Technologies LLC 2016 ETSI Doc. CYBER(16)006023r1

2 EU NIS Directive Chap. I: Scope, purposes, and application Chap. II: National frameworks on Network and Information Security; incident response team Chap. III: Cooperation among authorities Chap. IV: Essential services operator defensive measures and threat sharing Chap. IVa: Digital service provider defensive measures and threat sharing Chap. IVb: Standardisation Chap. V: Implementation Annexes. I, II, III: Response team requirements, essential sectors and digital services enumerations 08 Feb 2016 2

3 EU NIS Directive Cirrus Word Cloud Display 08 Feb 2016 3

4 EU NIS (Network and Information Security) Directive Tentative agreement on same date as U.S. Cybersecurity Act of 2015 – 18 Dec 2015 Basics – lays down obligations for all 28 Member States to adopt a national NIS strategy – creates a cooperation group in order to support and facilitate strategic cooperation and the exchange of information among Member States and develop trust and confidence amongst them – creates a CSIRTs ("Computer Security Incident Response Team") network in order to contribute to developing confidence and trust between Member States and to promote swift and effective operational cooperation – establishes security and notification requirements for operators of essential services – establishes security and notification requirements for digital service providers – lays down obligations for Member States to designate national competent authorities, single points of contact and CSIRTs with tasks related to the security of networks and information systems Creates a trifurcation Applies to » operators of essential services in energy, transport, banking, financial services, healthcare and other critical industry segments » Providers of digital services Does not apply to providers of public communication networks or publicly available electronic communication services or Trust Services Includes sharing information on risks and incidents,” especially including notification of personal data breaches Member States should be adequately equipped, both in terms of technical and organisational capabilities, to prevent, detect, respond to and mitigate network and information systems' incidents and risks Member States can “take the necessary measures to ensure the protection of its essential security interests, to safeguard public policy and public security, and to permit the investigation, detection and prosecution of criminal offences” Encourages closer international cooperation to improve security standards and information exchange, and promote a common global approach to NIS issues; might be helpful to draft harmonised standards 08 Feb 2016 4

5 EUROPEAN UNION MEMBER STATE EU NIS Directive Entity Ontology 08 Feb 2016 5 PUBLIC OR PRIVATE ENTITY OPERATORS OF ESSENTIAL SERVICES PURSUANT TO ART. 14 2 and 2ac + ANNEX II COMPETENT AUTHORITY EUROPEAN NETWORK AND INFORMATION SECURITY AGENCY 1. Energy 2. Transport 3. Banking 4. Financial market infrastructures 5. Health sector 6. Drinking water supply and distribution 7. Digital Infrastructure 1. Energy 2. Transport 3. Banking 4. Financial market infrastructures 5. Health sector 6. Drinking water supply and distribution 7. Digital Infrastructure QUALIFIED AUDITOR COOPERATION GROUP EUROPEAN COMMISSION COMPUTER SECURITY INCIDENT RESPONSE TEAM NETWORK AND INFORMATION SECURITY COMMITTEE DIGITAL SERVICE PROVIDERS PURSUANT TO ART. 15a 2 + ANNEX III 1.Online marketplace 2. 3.Online search engine 4.Cloud computing service 1.Online marketplace 2. 3.Online search engine 4.Cloud computing service PUBLIC ELECTRONIC COMMUNICATION NETWORKS OR PUBLICLY AVAILABLE ELECTRONIC COMMUNICATION SERVICE PROVIDERS UNDER EU DIRECTIVE 2002/21/EC REPRESENTATIVE FOR A DIGITAL SERVICE PROVIDER OTHERS NOT IDENTIFIED PUBLIC THIRD PARTY MICRO AND SMALL ENTERPRISES TRUST SERVICE PROVIDERS UNDER = excluded from the Directive

6 Other Members DIGITAL SERVICE PROVIDERS [OR REPRESENTATIVE] ESSENTIAL SERVICES PROVIDERS EU NIS Directive architecture & interfaces COMPETENT AUTHORITY OR COMPUTER SECURITY INCIDENT RESPONSE TEAM defensive measures cyber security risks incidents Monitor & defend information system interfaces ESP-CA/CSIRT 08 Feb 2016 6 PUBLIC ELECTRONIC COMMUNICATION NETWORKS OR PUBLICLY AVAILABLE ELECTRONIC COMMUNICATION SERVICE OR TRUST PROVIDERS CA/ CSIRT OTHER ENTITIES VOLUNTARY NOTIFICATION Privacy processing* Monitor & defend information system Privacy processing* Monitor & defend information system Privacy processing* Monitor & defend information system Privacy processing* Voluntary Required CA/ CSIRT DSP-CA/CSIRT PECN-CA/CSIRT Other-CA/CSIRT CA/CSIRT-CA/CSIRT *Processing of personal data pursuant to this Directive shall be carried out in accordance with Directive 95/46/EC; processing of personal data by Union institutions and bodies pursuant to this Directive shall be carried out in accordance with Regulation (EC) No 45/2001 [Article 1a] Public Other Members CA/ CSIRT CA/CSIRT-CA/CSIRT CA/CSIRT-PUBLIC

7 EU NIS Directive information exchange expressions 08 Feb 2016 7 Defensive measures information Related to risks (static) to resist, at a given level of confidence, any action that compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by or accessible via that network and information systems (Art. 3) to manage the risks posed to the security of networks and information systems …to ensure a level of security of networks and information systems appropriate to the risk presented to prevent and minimise the impact of incidents affecting the security of the networks and information systems (Arts. 14, 15) Related to incident handling (dynamic) All procedures supporting the detection, analysis, containment and response to an incident (Art. 3) Cyber security risk Information Any reasonably identifiable circumstance or event having a potential adverse effect on the security of networks and information systems (Arts. 3, 8) Incident information Any event having an actual adverse effect on the security of networks and information systems Nature of the notified incidents, such as the types of security breaches (Art. 8a 3c – recital) Information that could support the effective handling of the incident (Art. 14 2a) Enable the competent authority or the CSIRT to determine the cross-border effect impact of the incident (Art. 14 2.), including (a) the number of users affected by the disruption of the essential service; (b) the duration of the incident; (c) the geographical spread with regard to the area affected by the incident Other parameters for operators of essential service (Arts. 1, 2, 14)

8 EU NIS Directive Timeline – first year actions Entry intoforceOne Year6 months Art. 8a 5. the first draft implementing act to the Committee Art. 20a 1. Cooperation Group and the CSIRTs Network shall begin to perform their tasks set out respectively in Articles 8a(3) and 8b(3) Art. 20a 2. Member States shall ensure appropriate representation in the Cooperation Group and the CSIRTs Network. Art. 8a 5. the first draft implementing act to the Committee Art. 20a 1. Cooperation Group and the CSIRTs Network shall begin to perform their tasks set out respectively in Articles 8a(3) and 8b(3) Art. 20a 2. Member States shall ensure appropriate representation in the Cooperation Group and the CSIRTs Network. 08 Feb 2016 8 Art. 22. 20 days after publication Relative 1 day: Article 21 2. They shall apply those measures [Member States shall adopt and publish, by 21 months after the date of entry into force of this Directive at the latest, the laws, regulations and administrative provisions necessary to comply with this Directive] from one day after the date referred to in paragraph 1. 2 months: Article 5 3. The national NIS strategy shall be communicated to the Commission within three months from its adoption. 6 months: Article 3a 1. By (6 months after the date referred to in article 21(1)), for each subsector referred to in Annex II, Member States shall identify the operators of essential services with an establishment on their territory. 3 years: Art. 20 2. Commission shall periodically review the functioning of this Directive and report to the European Parliament and to the Council… The first report shall be submitted no later than three years after the date referred to in Article 21(1) Art. 15a 4, [4a]. Commission shall be empowered to adopt implementing acts in accordance with Article 19(3) further specifying the elements referred to in paragraph 1 [2] Art. 20 1. Commission shall submit a report to the European Parliament and to Council …assessing the consistency of the approach taken by Member States in the identification of the operators of essential services Article 6 4ab. The single point of contact shall submit a summary report to the cooperation group on the notifications received… Art. 15a 4, [4a]. Commission shall be empowered to adopt implementing acts in accordance with Article 19(3) further specifying the elements referred to in paragraph 1 [2] Art. 20 1. Commission shall submit a report to the European Parliament and to Council …assessing the consistency of the approach taken by Member States in the identification of the operators of essential services Article 6 4ab. The single point of contact shall submit a summary report to the cooperation group on the notifications received…

9 EU NIS Directive timeline – actions after the first year 21 months Art. 8a 3. The cooperation group shall…establish a work programme on actions to be undertaken to implement the objectives and tasks. 18 months 08 Feb 2016 9 Recurring Art. 6 4ab: Once a year, the single point of contact shall submit a summary report to the cooperation group on the notifications received, including the number of notifications and the nature of notified incidents, and the action taken in accordance with article 14(2), 14(2ac) and 15a(2). Art. 8a 4. As input to the Commission's periodic review of the functioning of this Directive, the cooperation group shall every one and a half years produce a report assessing the experience gained with the strategic cooperation pursued under this Article. Art. 8b 4. As input to the Commission's periodic review of the functioning of this Directive, the CSIRTs network shall every one and a half years produce a report assessing the experience gained with the operational cooperation, including conclusions and recommendations, pursued under this article. That report shall also be submitted to the cooperation group. Art. 8a 3. The cooperation group shall have the following tasks: a. by 18 months after entry into force and every two years thereafter, establish a work programme on actions to be undertaken to implement the objectives and tasks, which shall be consistent with the objectives of this Directive. Art. 21 1. Member States shall adopt and publish, …at the latest, the laws, regulations and administrative provisions necessary to comply with this Directive. 2 years3 years4 years5 years6 years7 years

10 EU NIS Directive significant challenges What standardized information exchange models, architectures, interfaces, and information expressions will be adopted among Members and interoperate with major partners? How do the various identified member entities co-exist at national, regional, and global levels and fit into the NIS Directive model and architecture? – Competent Authorities – Computer Security Incident Response Teams How do the various identified private sector entities co-exist at national, regional, and global levels and fit into the NIS Directive model and architecture? – How do Public Electronic Communication Networks or Publicly Available Electronic Communication Service Providers under EU DIRECTIVE 2002/21/EC and Trust Providers? – How do Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) fit into the NIS Directive model and architecture? How do consistent technical specifications get developed and applied? – Cyber security information exchange expressions – Privacy filtering How are virtualised infrastructures and services such as NFV, SDN, MEC to be treated? 08 Feb 2016 10

Download ppt "Deconstructing the EU NIS Directive: model, architecture, interfaces, expressions Tony Rutkowski, 08."

Similar presentations

PUBLISH NOTIFY / TAKE COMMENTS ANSWER ENQUIRIES Notification Obligations 1.Statement on Implementation 2.Notification of Technical Regulations or Conformity.

PUBLISH NOTIFY / TAKE COMMENTS ANSWER ENQUIRIES Notification Obligations 1.Statement on Implementation 2.Notification of Technical Regulations or Conformity.
WTO, Trade and Environment Division

WTO, Trade and Environment Division
EDUCATION Directive 2002/14/EC of 11 March 2002 establishing a general framework for informing and consulting employees in the European Community.

EDUCATION Directive 2002/14/EC of 11 March 2002 establishing a general framework for informing and consulting employees in the European Community.
Implementing the SET-plan proposed Energy Efficiency Directive The proposed Directive establishes a common framework for promoting energy efficiency in.

Implementing the SET-plan proposed Energy Efficiency Directive The proposed Directive establishes a common framework for promoting energy efficiency in.
The European Union legal framework for clinical data access: The European Union legal framework for clinical data access: potential challenges and opportunities.

The European Union legal framework for clinical data access: The European Union legal framework for clinical data access: potential challenges and opportunities.
1 Reform of the EU regulatory framework for electronic communications What it means for Access to Emergency Services Reform of the EU regulatory framework.

1 Reform of the EU regulatory framework for electronic communications What it means for Access to Emergency Services Reform of the EU regulatory framework.
Www.enisa.europa.eu European Union Agency for Network and Information Security Follow ENISA: ENISA and standards Sławomir Górniak European Union Agency.

European Union Agency for Network and Information Security Follow ENISA: ENISA and standards Sławomir Górniak European Union Agency.
The European Railway Agency in development

The European Railway Agency in development
Eurostat Coverage of Security Issues Pascal Jacques ESTAT B0 Local Informatics Security Officer.

Eurostat Coverage of Security Issues Pascal Jacques ESTAT B0 Local Informatics Security Officer.
ENVIRONMENTAL LIABILITY IN GREECE THE LEGAL FRAMEWORK & THE ROLE OF FINANCIAL GUARANTEES/ INSURANCE PRODUCTS TO COVER OPERATORS’ RESPONSIBILITIES UNDER.

ENVIRONMENTAL LIABILITY IN GREECE THE LEGAL FRAMEWORK & THE ROLE OF FINANCIAL GUARANTEES/ INSURANCE PRODUCTS TO COVER OPERATORS’ RESPONSIBILITIES UNDER.
Isdefe ISXXXX-090000-1XX 5.10.2010 Your best ally Panel: Future scenarios for European critical infrastructures protection Carlos Martí Sempere. Essen.

Isdefe ISXXXX XX Your best ally Panel: Future scenarios for European critical infrastructures protection Carlos Martí Sempere. Essen.
Terezia Sinkova EFSA The new EU Food Safety Agency.

Terezia Sinkova EFSA The new EU Food Safety Agency.
Implementation of EU Electronic Communication Directives.

Implementation of EU Electronic Communication Directives.
Regulatory requirements in the current programming period Funchal, 18 November 2010.

Regulatory requirements in the current programming period Funchal, 18 November 2010.
1 Smart Grid Cyber Security Annabelle Lee Senior Cyber Security Strategist Computer Security Division National Institute of Standards and Technology June.

1 Smart Grid Cyber Security Annabelle Lee Senior Cyber Security Strategist Computer Security Division National Institute of Standards and Technology June.
ENTERPRISE AND INDUSTRY DIRECTORATE GENERAL European Commission 1 PECAs David Eardley DG Enterprise and Industry European Commission Tel: 032 (2) 296 5446.

ENTERPRISE AND INDUSTRY DIRECTORATE GENERAL European Commission 1 PECAs David Eardley DG Enterprise and Industry European Commission Tel: 032 (2)
E UROPEAN B LOOD D IRECTIVE. D ISCLAIMER I have no official status as a spokesperson for the EU, EC, or Member States I present a personal view of the.

E UROPEAN B LOOD D IRECTIVE. D ISCLAIMER I have no official status as a spokesperson for the EU, EC, or Member States I present a personal view of the.
CARTAGENA PROTOCOL ON BIOSAFETY NDA- DEAT BILATERAL MEETING 1 August 2003 Presenter : M. Mbengashe.

CARTAGENA PROTOCOL ON BIOSAFETY NDA- DEAT BILATERAL MEETING 1 August 2003 Presenter : M. Mbengashe.
Overview of Issues and Interests in Standards and Interoperability Mary Saunders Chief, Standards Services Division NIST.

Overview of Issues and Interests in Standards and Interoperability Mary Saunders Chief, Standards Services Division NIST.
Spectrum authorisation under new EU package Roger Stewart Radiocommunications Agency Head of licensing policy unit.

Spectrum authorisation under new EU package Roger Stewart Radiocommunications Agency Head of licensing policy unit.

Similar presentations

Ads by Google