EU - Network and Information Security (NIS) Directive George - - PowerPoint PPT Presentation

SLIDE 1


EU - Network and Information Security (NIS) Directive

George Michaelides

Commissioner of Electronic Communications and Postal Regulation http://www.ocecpr.org.cy

22nd November 2016

SLIDE 2

Overview

  • Cybersecurity Facts
  • European Cybersecurity Strategy
  • The Objectives
  • MS Capability Requirements
  • NIS Scope
  • NIS Requirements
  • National CSIRT
  • Coverage
  • Activities
  • Incident Management
  • Way Forward / Timeline


SLIDE 3

Cybersecurity Facts

Percentage cost for external consequences (source Ponemon Institute 2015):

  • Information loss 39%
  • Business disruption 35%
  • Revenue loss 21%
  • Equipment damages 4%
  • Other 2%

Average total cost of breach by size of data breach (source Ponemon Institute 2016):

  • < 10.000: $2.1 million
  • 10.000 – 25.000: $3.0 million
  • 25.000 – 50.000: $5.0 million
  • > 50.000: $6.7 million

Vulnerabilities, 2015 vs 2014 (source Symantec 2016):

  • Scanned Websites with Vulnerabilities: 78% (2015), 76% (2014)
  • Percentage of Which Were Critical: 15% (2015), 20% (2014)
  • Browser Vulnerabilities: 879 (2015), 639 (2014)
  • Web Attacks Blocked per Day: ~1 million (2015), 496,657 (2014)
  • Websites Found with Malware: 1 in 3,172 (2015), 1 in 1,126 (2014)

Top 10 Industries Targeted in Spear-Phishing Attacks, 2015 vs 2014 (source Symantec 2016):

  • Finance, Insurance & Real Estate: 35% (2015), 20% (2014)
  • Services: 22% (2015), 20% (2014)
  • Manufacturing: 14% (2015), 13% (2014)
  • Transportation: 13% (2015), 9% (2014)
  • Wholesale: 9% (2015), 10% (2014)

Global economic cost of over $445B (Source McAfee)

10% probability of a major CII breakdown in the next 10 years (Source WEF)

SLIDE 4

European Cybersecurity Strategy


Strategy areas: Cybercrime; Network and Information Security (NIS); Cyberdefence

NIS-related EU legal and policy instruments:

  • NIS Directive
  • Electronic Communications Framework: Dirs 2009/140/EC, 2009/136/EC, Framework 21/2002, Art. 13a, b
  • Pers. Data Prot. 58/2002/EC Art. 4
  • REGULATION EU 611/2013 – Notification of personal data breaches
  • Digital Agenda for Europe
  • REGULATION EU 526/2013 – European Union Agency for Net. & Inf. Security (ENISA)

Supporting strands of the European Cybersecurity Strategy:

  • Technological Resources – Cooperation with industry and academia
  • European Policy – International cooperation on Cybersecurity

SLIDE 5

OCECPR Role and Responsibilities


Cybersecurity Strategy of the Republic of Cyprus [Coordination] – National Level:

  • Cyber Risk Assessment
  • Crisis Management
  • CSIRTs/CERTs (Gov. / National)
  • Awareness
  • Cy Cybercrime Center of Excellence – 3CE

Network and Information Security (NIS) [Implementation]:

  • Business Continuity, Contingency Plans (Electronic Com. Providers)
  • Notifications: availability of networks / infrastructures, personal data breaches
  • CIIP – Critical Information Infrastructure Protection

SLIDE 6

The Objectives


Boosting Cyber Security in Europe:

  • Increased National Cyber Security Capabilities
  • EU Level Cooperation
  • Risk Management and Reporting

SLIDE 7

Member States (MS) Capability Requirements


National Cyber Security Capability:

  • National NIS / Cybersecurity Strategy
  • NIS Competent National Authority
  • National CSIRT

SLIDE 8

Scope of NIS

Operators of Essential Services:

  • The entity provides a service which is essential for the maintenance of critical societal / economic activities
  • The provision of that service depends on network and information systems
  • A NIS incident would have significant disruptive effects on the provision of the essential service

Digital Service Providers:

  • Online marketplaces
  • Online search engines
  • Cloud computing services

SLIDE 9

Security Requirements

  • Prevent Risks – Organisational measures that are appropriate and proportionate to the risk
  • Ensure NIS – The measures should ensure a level of NIS appropriate to the risks
  • Handle Incidents – The measures should prevent and minimise the impact of incidents on the IT systems used to provide the services

SLIDE 10

Notification Requirements

  • Operators of Essential Services – Incidents having a significant impact on the continuity of the essential services they provide
  • Digital Service Providers – Incidents having a substantial impact on the provision of a service

SLIDE 11

Notification Requirements


Parameter                                                                 OES   DSP
Number of users affected / relying on the service                          ✔     ✔
Impact – Economic and Societal                                             ✔     ✔
Geographic spread                                                          ✔     ✔
Duration of disruption                                                     ✔     ✔
Extent of the disruption to the functioning of the service
Importance of the entity for maintaining a sufficient level of service
Impact – Safety
Market share (e.g. proportion of national power generated)
Dependency of other essential sectors on the service

OES: Operators of Essential Services DSP: Digital Service Providers

SLIDE 12

NIS Cooperation Requirements


  • Cooperation Group – Strategic cooperation between Member States (NIS Authorities), EC, ENISA
  • CSIRT Network – Operational cooperation between National CSIRTs, EU-CSIRT, EU, ENISA

SLIDE 13


Cyprus National Cybersecurity Strategy Vision

“The protection of all critical information infrastructures of the state and the operation of information and communication technologies with the necessary levels of security, for the benefit of every citizen, the economy and the country”

National CSIRT – Sector Coverage

  • Electricity
  • Natural Gas/Oil
  • Water supply
  • Transport
  • Public Health
  • Financial Sector
  • Public Sector/Security Services
  • Electronic Communications

SLIDE 14

National CSIRT – Areas of activities

Cybersecurity Strategy of the Republic of Cyprus

Incident Management:

  • Incident Monitoring
  • Incident Response
  • Incident Analysis
  • EC awareness on incident handling process etc.

Communication:

  • Early warning, alerts, announcements, etc.
  • General awareness regarding incidents (public/media) etc.

Cooperation:

  • Cooperation with NIS Authority
  • Mutual assistance with other national CSIRTs
  • Exchange non-classified information
  • Participation in exercises etc.

SLIDE 15

National CSIRT Functions – Incident Management

  • Detection
  • Classification
  • Analysis
  • Containment
  • Eradication
  • Recovery
  • Continuous Improvement

SLIDE 16

NIS Authority and National CSIRT


Supervision of:

  • Operators of Essential Services (~50): Energy, Water, Transport, Health, Banking, Financial, Digital Infrastructure
  • Digital Service Providers (<10): Cloud Computing Services, Online Marketplaces, Search Engines

Strategic and operational context:

  • National Cybersecurity Strategy
  • European Cybersecurity Strategy
  • National Collaboration
  • International Collaboration
  • Cooperation Group
  • CSIRT Network
  • Cyber Crisis Management
  • Operational Coordination

SLIDE 17

Implementation Timeline

  1. Aug 2016 – NIS Directive entry into force
  2. Feb 2017 – Cooperation Group begins NIS Directive tasks
  3. Aug 2017 – Adoption of implementing acts on requirements for DSPs
  4. Feb 2018 – Cooperation Group establishes work programme
  5. May 2018 – Transposition into national law
  6. Nov 2018 – MS to identify operators of essential services

SLIDE 18


Thank you