Directive on Security of Net systems, the first EU-wide

The Malta Business Weekly - FRONT PAGE

9 May was the deadline for the member states to transpose into national laws the Directive on Security of Network and Information Systems that entered into force in August 2016. The NIS Directive is the first EU-wide legislation on cybersecurity.

The objective of the Directive is to achieve an evenly high level of security of network and information systems across the EU, through:

• Improved cybersecurity capabilities at national level
• Increased EU-level cooperation
• Risk management and incident reporting obligations for operators of essential services and digital service providers

As part of the cybersecurity package adopted in September 2017, the Commission issued the Communication "Making the Most of the Directive on Security of Network and Information Systems" to assist member states with guidance and best practice examples, as well as to ensure a harmonised transposition of the new rules. €18.7m is allocated from the CEF (Connecting Europe Facility) programme for cybersecurity projects increasing the capabilities of the CSIRTs between 2017 and 2020 (for example, for purchasing software tools, or covering the costs of training and exercises).

CEF funding is additionally being opened up to other stakeholders concerned by the NIS Directive, namely operators of essential services, digital service providers, single points of contact and national competent authorities, with a further €13m being available to those who apply under the next call for proposals, open from May to late November this year.

How will member states cooperate under the NIS Directive?

The NIS Directive established a cooperation group that is chaired by the Presidency of the Council of the European Union. The group gathers representatives of the member states, the Commission (acting as secretariat) and the European Union Agency for Network and Information Security (ENISA). This cooperation group facilitates strategic cooperation and exchange of information among member states and helps develop trust and confidence. The cooperation group has met six times to date, starting from February 2017.

The Directive also established a network of the national Computer Security Incident Response Teams (network of CSIRTs), to contribute to the development of confidence and trust between the member states and to promote swift and effective operational cooperation.

How does the cooperation group function? What has it achieved so far?

The group is chaired by a representative of the member state holding the Presidency of the Council of the EU. It operates by consensus and can set up sub-groups to examine specific questions related to its work. The Commission provides the secretariat of the cooperation group.

The group works on the basis of biennial work programmes. Its main tasks are to steer the work of the member states in the implementation of the Directive, by providing guidance to the Computer Security Incident Response Teams (CSIRTs) network and assisting member states in capacity building, sharing information and best practices on key issues, such as risks, incidents and cyber awareness.

The Cooperation Group has so far produced, for example, non-binding guidelines on the security measures and the incident notification for operators of essential services.

Every one-and-a-half years the group will provide a report assessing the benefits of the cooperation. The report will be sent to the Commission as a contribution to the review of the functioning of the Directive.

How does the CSIRTs Network function?

The network is composed of representatives of the member states' CSIRTs (Computer Security Incident Response Teams) and CERT-EU (the Computer Emergency Response Team for the EU institutions, agencies and bodies). The Commission participates in the CSIRTs Network as an observer. The European Union Agency for Network and Information Security (ENISA) provides the secretariat, actively supporting the cooperation among the CSIRTs.

Two years after entry into force of the NIS Directive (by 9 August), and every 18 months thereafter, the CSIRTs Network will produce a report assessing the benefits of operational cooperation, including conclusions and recommendations. The report will be sent to the Commission as a contribution to the review of the functioning of the Directive.

More intense coordination in the network could already be seen in mid-2017 during the WannaCry and NotPetya ransomware attacks.

What are operators of essential services, and what will they be required to do?

Operators of essential services are private businesses or public entities that play an important role in providing services in healthcare, transport, energy, banking and financial market infrastructure, digital infrastructure and water supply.

Under the NIS Directive, identified operators of essential services will have to take appropriate security measures and to notify serious cyber incidents to the relevant national authority.

The security measures include:
• Preventing risks
• Ensuring security of network and information systems
• Handling incidents

How will member states identify operators of essential services?

Member states have until 9 November to identify the entities that have to take appropriate security measures and to notify significant incidents, according to the following criteria: (1) the entity provides a service which is essential for the maintenance of critical societal and economic activities; (2) the provision of that service depends on network and information systems; and (3) a security incident would have significant disruptive effects on the essential service.

Which sectors does the Directive cover?

The Directive covers operators in the following sectors:
• Energy: electricity, oil and gas
• Transport: air, rail, water and road
• Banking: credit institutions
• Financial market infrastructures: trading venues, central counterparties
• Health: healthcare settings
• Water: drinking water supply and distribution
• Digital infrastructure: internet exchange points, domain name system service providers, top level domain name registries

What kind of incidents should be notified by the operators of essential services?

The Directive does not define a threshold for what is a significant incident requiring notification to the relevant national authority.
