Identity management and security: Could an IdP be considered an OES? (PowerPoint PPT Presentation)



SLIDE 1: Identity management and security

Could an IdP be considered an OES?

www.law.kuleuven.be/citip

SLIDE 2: What is an Identity provider (IdP)?

SLIDE 3: Proprietary IdM and PKI IdM

Proprietary IdM (e.g. Facebook):
  • The IdP issues a credential to the user.
  • The user uses the credential to authenticate to the relying party.
  • The relying party verifies the credential at the IdP.

PKI IdM (e.g. Belgian eID):
  • The IdP issues a certificate to the user.
  • The user uses the certificate to authenticate to the relying party.
  • The relying party verifies the certificate.

Source: C. Sullivan, E. Burger, “Blockchain, Digital Identity, E-government”, in: H. Treiblmaier, R. Beck (eds.), Business Transformation through Blockchain, 2019, pp. 233-258, p. 241.
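As an added illustration (not part of the slides), a small Go program contrasting the two verification paths on this slide: in proprietary IdM the relying party must query the IdP for every authentication, so an IdP outage stops all logins at the relying party, whereas in PKI IdM the relying party validates the issuer's signature locally. The in-memory token store, the Online flag and the use of Ed25519 as the certificate signature scheme are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Proprietary IdM (slide 3, left): the IdP issues an opaque credential and is the only party
// able to verify it, so each RP login needs the IdP reachable. Online simulates an outage.
type ProprietaryIdP struct {
	Online bool
	tokens map[string]string // opaque credential -> subject (hypothetical in-memory store)
}

func (p *ProprietaryIdP) Issue(subject string) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	tok := fmt.Sprintf("%x", b)
	p.tokens[tok] = subject
	return tok
}

// Verify is the call-back the relying party must make to the IdP on every authentication.
func (p *ProprietaryIdP) Verify(tok string) (string, error) {
	if !p.Online {
		return "", fmt.Errorf("IdP unreachable: credential cannot be verified")
	}
	if subj, ok := p.tokens[tok]; ok {
		return subj, nil
	}
	return "", fmt.Errorf("unknown credential")
}

// PKI IdM (slide 3, right): the IdP signs (subject || public key) once; that signature is the
// certificate, and the relying party verifies it with the IdP's public key, with no call-back.
func IssueCert(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) []byte {
	return ed25519.Sign(caPriv, append([]byte(subject), pub...))
}

func VerifyCert(caPub ed25519.PublicKey, subject string, pub ed25519.PublicKey, sig []byte) bool {
	return ed25519.Verify(caPub, append([]byte(subject), pub...), sig)
}

func main() {
	idp := &ProprietaryIdP{Online: true, tokens: map[string]string{}}
	tok := idp.Issue("alice")
	idp.Online = false // IdP outage: the relying party can no longer authenticate anyone
	_, err := idp.Verify(tok)
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("proprietary:", err, "| PKI verified offline:", VerifyCert(caPub, "bob", userPub, IssueCert(caPriv, "bob", userPub)))
}
```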

SLIDE 4: Could the NIS Directive be applicable to IdPs?

Could an IdP be considered an operator of essential services or a digital service provider?

SLIDE 5: What is an OES?

Operator of essential services
  • Art. 4 (4) NIS: Annex II + criteria of Art. 5 (2) NIS
  • Specific sectors, including Digital Infrastructure:
    • IXPs
    • DNS service providers
    • TLD name registries
  • Criteria of Art. 5 (2) NIS:
    • an entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
    • the provision of that service depends on network and information systems; and
    • an incident would have significant disruptive effects on the provision of that service.

SLIDE 6: What is a DSP?

Digital Service Provider:
  • Legal person that provides a digital service: an Information Society service of one of the following types:
    • online marketplace;
    • online search engine; or
    • cloud computing service

SLIDE 7: National implementation of NIS

  • Austria: Bundesgesetz zur Gewährleistung eines hohen Sicherheitsniveaus von Netz- und Informationssystemen (Netz- und Informationssystemsicherheitsgesetz – NISG)
  • Belgium: 7 APRIL 2019. - Wet tot vaststelling van een kader voor de beveiliging van netwerk- en informatiesystemen van algemeen belang voor de openbare veiligheid (changes to 1 JULI 2011. - Wet betreffende de beveiliging en de bescherming van de kritieke infrastructuren)
  • Estonia: Cybersecurity Act (also important: Emergency Act)
  • Germany: Gesetz zur Umsetzung der Richtlinie (EU) 2016/1148 des Europäischen Parlaments und des Rates vom 6. Juli 2016 über Maßnahmen zur Gewährleistung eines hohen gemeinsamen Sicherheitsniveaus von Netz- und Informationssystemen in der Union (changes to BSI Gesetz; see also Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz (BSI-Kritisverordnung - BSI-KritisV))
  • Netherlands: Wet van 17 oktober 2018, houdende regels ter implementatie van richtlijn (EU) 2016/1148 (Wet beveiliging netwerk- en informatiesystemen) (& Besluit beveiliging netwerk- en informatiesystemen)
  • UK: The Network and Information Systems Regulations 2018

SLIDE 8: National implementation of DSP?

The same as in the NIS Directive:
  • online marketplace,
  • online search engine,
  • cloud computing service
  • IdP not a DSP

SLIDE 9: National implementation of OES?

Austria
  • § 3 9. “essential service”: a service that is provided in one of the sectors named in § 2 and that is of essential importance, in particular for the maintenance of the public health service, the public supply of water, energy and vital goods, public transport or the functioning of public information and communication technology, and whose availability depends on network and information systems;
  • 10. “operator of essential services”: an entity established in Austria that provides an essential service;

Belgium
  • Art. 6 11° "operator of essential services": a public or private entity that is active in Belgium in one of the sectors listed in Annex I to this Act, that meets the criteria referred to in Article 12, § 1, and that has been designated as such by the sectoral authority;

Estonia
  • (2) Service providers specified in subsection (1) of this section who operate in sectors set out in Annex II to Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.07.2016, pp. 1–30) are deemed to be operators of essential services for the purposes of said Directive.

Germany
  • (10) Critical infrastructures within the meaning of this Act are facilities, installations or parts thereof which
    • 1. belong to the sectors energy, information technology and telecommunications, transport and traffic, health, water, nutrition, finance and insurance, and
    • 2. are of great importance to the functioning of the community, because their failure or impairment would result in significant supply shortages or threats to public safety.

Netherlands
  • operator of an essential service: operator of an essential service as referred to in Article 4 of the NIS Directive, designated pursuant to Article 5, first paragraph, under a;
  • Vital provider:
    • a. operator of an essential service;
    • b. provider of another service whose continuity is of vital importance to Dutch society.

UK
  • “operator of an essential service” (“OES”) means a person who is deemed to be designated as an operator of an essential service under regulation 8(1) or is designated as an operator of an essential service under regulation 8(3);

SLIDE 10: Overlaps with critical infrastructure legislation

  • E.g. Estonia, Germany, Netherlands

SLIDE 11: Germany

  • Gesetz zur Umsetzung der Richtlinie (EU) 2016/1148 des Europäischen Parlaments und des Rates vom 6. Juli 2016 über Maßnahmen zur Gewährleistung eines hohen gemeinsamen Sicherheitsniveaus von Netz- und Informationssystemen in der Union: amended the BSI Gesetz
  • Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz (BSI-Kritisverordnung - BSI-KritisV): based on § 10 (1) BSI Gesetz

SLIDE 12: Germany

§ 2 (10) BSI Gesetz:

Critical infrastructures within the meaning of this Act are facilities, installations or parts thereof which
  • 1. belong to the sectors energy, information technology and telecommunications, transport and traffic, health, water, nutrition, finance and insurance, and
  • 2. are of great importance to the functioning of the community, because their failure or impairment would result in significant supply shortages or threats to public safety.

BSI-Kritisverordnung

§ 1 Critical service: a service for the general public in the sectors according to §§ 2 to 8 whose failure or impairment would lead to significant supply bottlenecks or threats to public safety.

§ 5 Sector information technology and telecommunications, Annex 4 Part 3: Trust services (facilities to provide trust services). Threshold:
  • 500 000 issued qualified certificates, or
  • 10 000 certificates used to authenticate publicly accessible servers (server certificates, e.g. for web servers, e-mail servers, cloud servers (e.g. TLS/SSL certificates))

SLIDE 13: What are the obligations? - Germany

NIS Directive vs. German BSI Gesetz:
  • NIS: appropriate and proportionate technical and organisational measures to manage the risks
    BSI Gesetz: take appropriate organizational and technical measures to prevent disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes relevant to the functioning of their critical infrastructures.
  • NIS: state of the art
    BSI Gesetz: the state of the art should be adhered to.
  • NIS: appropriate to the risk
    BSI Gesetz: organizational and technical arrangements are appropriate if the effort involved is not disproportionate to the consequences of failure or impairment of the Critical Infrastructure concerned.
  • NIS: appropriate measures to prevent and minimise the impact of incidents
    BSI Gesetz: see row 1.
  • NIS: notify, without undue delay, incidents having a significant impact
    BSI Gesetz: notification obligations; must notify
      • Disruptions […] that have resulted in the failure or significant impairment of the functioning of their Critical Infrastructures;
      • Significant disruptions […] that may result in failure or significant disruption to the functioning of their Critical Infrastructure.
  • BSI Gesetz, in addition:
      • Every two years: audit/test/certificates to prove meeting the requirements
      • Provide a contact point for the critical infrastructure to the BSI

SLIDE 14: Netherlands

  • Wet beveiliging netwerk- en informatiesystemen
  • Besluit beveiliging netwerk- en informatiesystemen
  • Wet gegevensverwerking en meldplicht cybersecurity
  • Besluit meldplicht cybersecurity

  • Art. 1 WBNI vital provider:
    • a. operator of an essential service;
    • b. provider of another service whose continuity is vital for Dutch society.
  • Art. 2 Bbni: OES according to NIS
  • Art. 3 Bbni: Other vital providers

SLIDE 15: What are the obligations? – The Netherlands

NIS Directive vs. The Netherlands: Wet beveiliging netwerk- en informatiesystemen (OES and other vital service providers):
  • NIS: appropriate and proportionate technical and organisational measures to manage the risks
    WBNI: take appropriate and proportionate technical and organizational measures to manage the risks to the security of their network and information systems.
  • NIS: state of the art
    WBNI: given the state of the art
  • NIS: appropriate to the risk
    WBNI: the measures provide a level of security that is proportionate to the risks that arise.
  • NIS: appropriate measures to prevent and minimise the impact of incidents
    WBNI: take appropriate measures to prevent incidents which affect the security of the network and information systems used for the provision of the service in question and to confirm, as far as possible, the requirements of certain incidents, the continuity to provide that service.
  • NIS: notify, without undue delay, incidents having a significant impact
    WBNI, OES: immediately reports to Our Minister:
      • a. an incident with significant consequences for the continuity of the service provided by him;
      • b. a breach of network and information system security that may have a significant impact on the continuity of the service it provides.
      2 The provider of an essential service also reports an incident as referred to in the first paragraph, under a, immediately to the competent authority.
      3 […] the provider of an essential service immediately reports an incident to a digital service provider to Our Minister and to the competent authority, if that incident has significant consequences for the continuity of his essential service.
    WBNI, other vital service providers: immediately reports to Our Minister:
      • a. an incident with significant consequences for the continuity of the service provided by him;
      • b. a breach of network and information system security that may have a significant impact on the continuity of the service it provides.

SLIDE 16: Estonia

Cybersecurity Act
  • Service provider:
    • Provider of a vital service
    • [List of operators/providers/undertakings]
  • OES: Service providers who operate in the sectors set out in the NIS Directive

Emergency Act
  • Provider of a vital service: Legal person whose competence includes the fulfillment of:
    • electricity supply;
    • natural gas supply;
    • liquid fuel supply;
    • ensuring the operability of national roads;
    • phone service;
    • mobile phone service;
    • data transmission service;
    • digital identification and digital signing;
    • health services;
    • payment services;
    • cash circulation;
    • district heating;
    • ensuring the operability of local roads;
    • water supply and sewerage.

SLIDE 17: What are the obligations? - Estonia

NIS Directive vs. Estonia – Cybersecurity Act:
  • NIS: appropriate and proportionate technical and organisational measures to manage the risks; state of the art; appropriate to the risk; appropriate measures to prevent and minimise the impact of incidents
    Cybersecurity Act:
      (1) A service provider shall permanently apply organisational, physical and information technological security measures: 1) for preventing cyber incidents; 2) for resolving cyber incidents; 3) for preventing and mitigating an impact on the continuity of the service or the security of the system due to a cyber incident or for preventing and mitigating a possible impact on the continuity of another dependant service or the security of a system.
      (2) Upon the application of security measures, the service provider is required to: 1) prepare a system risk assessment […] 2) ensure the existence and timeliness of a documented system risk assessment, security regulations and description of the application of security measures; 3) ensure the monitoring of the system […] 4) take measures for reducing the impact and spread of a cyber incident […] 5) check the sufficiency and compliance of the application of security measures and document the results; 6) preserve the documents […] no less than three years […]
      (3) If the service provider authorises another party to administer the system or uses another party to host the system, the service provider is responsible for the application of the security measures of the system by the other party.
  • NIS: notify, without undue delay, incidents having a significant impact
    Cybersecurity Act: (1) A service provider shall inform the Estonian Information System Authority immediately but no later than 24 hours after becoming aware of a cyber incident: 1) which has a significant impact on the security of the system or the continuity of the service; 2) a significant impact of which on the security of the system or the continuity of the service is not obvious but can be reasonably presumed.

SLIDE 18: What are the obligations? - Estonia

NIS Directive vs. Estonia – Emergency Act:
  • NIS: appropriate and proportionate technical and organisational measures to manage the risks
    Emergency Act:
      • ensure the constant application of security measures in regard to the information systems used for the provision of the vital service and the related information assets.
      • continuity risk assessment and plan of the vital service
  • NIS: state of the art; appropriate to the risk; appropriate measures to prevent and minimise the impact of incidents
    Emergency Act:
      • implement measures that prevent interruptions of the vital service
      • ensure the capability to guarantee the continuity of and to quickly restore the service provided
  • NIS: notify, without undue delay, incidents having a significant impact
    Emergency Act:
      • immediately notify the authority of an interruption of the vital service, a risk of an interruption, an event significantly interfering with the continuity of the vital service or an impending risk of such an event;
      • participate in resolving an emergency according to the emergency response plan;
      • at request: provide the authority with information on the provision of the vital service
      • at least once every two years: organise exercise
      • perform other obligations provided by legislation for ensuring the continuity of the vital service.
      • If information systems ensuring the operation of a vital service are located in a foreign country, the provider of the vital service is also required to ensure the continuity of the vital service in a manner and by means not dependent on information systems located in foreign countries.

SLIDE 19: Could an IdP be an OES?

  • NIS Directive: IdPs are neither IXPs, DNS service providers nor TLD name registries
    • IdP not OES
  • Critical/vital infrastructure?
    • possibly, depends on national implementation

SLIDE 20: IdPs that do not fall under eIDAS?

  • Estonia already considers it as a vital service
  • Should other Member States do the same?

SLIDE 21: Questions?

Jessica Schroers
jessica.schroers@kuleuven.be
KU Leuven Centre for IT & IP Law (CiTiP) - imec
Sint-Michielsstraat 6, box 3443, BE-3000 Leuven, Belgium
http://www.law.kuleuven.be/citip

SLIDE 22: What would be the obligations?

NIS Directive
  • Art. 14 (1) […] take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations. […] Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed.
  • Art. 14 (2) […] take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services.
  • Art. 14 (3) notify, without undue delay, the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide. Notifications shall include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident. Notification shall not make the notifying party subject to increased liability.
    Competent authority/CSIRT may in some cases also inform:
    • Other affected Member State(s)
    • The public