
Page 1: Update on EU policy on Network and Information Security & Critical Information Infrastructures Protection

Andrea SERVIDA
European Commission, DG INFSO.A3
Andrea.Servida@ec.europa.eu

Brussels, 15 February 2011

Page 2: Network and information security (NIS)

• COM(2001) 298 final - Network and Information Security: Proposal for A European Policy Approach

Network and information security is defined as “the ability of a network or an information system to resist, at a given level of confidence, accidental events or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems”.

Page 3: Network & Information Security (NIS) – Facts

• Increasing economic and social dependency on ICT vs growing sophistication of threats
• Network and Information Security (NIS) is a key enabler for trust and is a shared responsibility.
• Global interconnection vs lack of transnational cooperation
• Operational responsibility with private sector while public policy responsibility lies with governments
• Limited incentives for wide NIS uptake
• Fragmentation of NIS regimes and market maturity in MS

Page 4: Network and Information Security (NIS) – Challenges

• Make security and resilience the frontline of defence of critical ICT infrastructures (e.g. importance of preventative approaches & measures)
• Develop a risk management culture in the EU
• Identify socio-economic incentives
• Promote openness, diversity, interoperability, usability, competition
• NIS calls for a global collaborative and operational approach
• Build a capability and policy framework for NIS in Europe (e.g. EU early warning system)
• Boost policy and operational cooperation (e.g. pan-European security incident exercises)

Page 5: A Digital Agenda for Europe - COM(2010)245

Online trust and security (diagram): identity theft, privacy concerns, cybercrime, spam; low trust = low use

• European Network and Information Security Agency
• Computer Emergency Response Teams
• Cybercrime centre

Page 6: Overview of Pillar 3 “Trust and Security” (diagram)

Key actions:
• KA 6 (28) – NIS Policy
• KA 7 (29) – Measures on cyberattacks

Actions:
• 30 – EU platform by 2012
• 31 – Create European Cybercrime center
• 32 – Cooperation on cybersecurity
• 33 – EU cyber-security preparedness
• 34 – Explore extension of personal data breach notification
• 35 – Implementation of privacy and personal data protection
• 36 – Support for reporting of illegal content
• 37 – Dialogue and self-regulation minors
• 38 – Network of CERTs by 2012
• 39 – MS simulation exercises as of 2010
• 40 – Harmful content hotlines and awareness campaigns
• 41 – National alert platforms by 2012

Thematic columns in the diagram: Cybersecurity preparedness; Cybercrime; Safety and privacy of online content and services

Supporting instruments:
• ENISA – Regulation for mandate and duration
• EU institutions CERT
• ToolBox: ENISA, EFMS, EP3R, Observer in Cyberstorm, EPCIIP, CIIP Conference, Expert Group

Legend: INFSO CdF / HOME CdF / Others COM CdF; Commission action / Member States action

Page 7: Network and Information Security (NIS) – The EU Policy Framework

• 2004: Establishment of ENISA
• 2006: European Commission Strategy for a Secure Information Society - COM(2006)251
• 2007: Council Resolution on a Strategy for a Secure Information Society in Europe [2007/C 68/01]
• 2008: Extension of ENISA’s mandate and launch of a debate on increased NIS
• Mar 2009: European Commission’s proposal for an Action Plan on Critical Information Infrastructure Protection - CIIP
• Nov 2009: Adoption of the revised telecoms regulatory package integrating provisions on security
• Dec 2009: Council Resolution on a collaborative European approach to NIS [2009/C 321/01]
• Dec 2009: EESC Opinion on the Communication on CIIP
• May 2010: Adoption of the Digital Agenda for Europe [COM/2010/0245]
• Sep 2010: Proposal to reform ENISA [COM(2010) 521 final]

Page 8: Communication on CIIP - COM(2009)149 – Objectives and scope

• High level objectives
  – Protect Europe from large scale cyber attacks and disruptions
  – Promote security and resilience culture (first line of defence) & strategy
• Means / Scope
  – Enhance the CIIP preparedness and response capability in EU
  – Promote adoption of consistent preventive, detection, emergency and recovery measures

Page 9: CIIP Policy - COM(2009)149 – The Five Pillars of the CIIP Action Plan

1. Preparedness and prevention
  – European Forum for MS to share information & policy practices - EFMS
  – European Public Private Partnership for Resilience - EP3R
  – Baseline of capabilities and services for National/Governmental CERTs
2. Detection and response
  – Development of a European Information Sharing and Alert System - EISAS dedicated to EU citizens and SMEs
3. Mitigation and recovery
  – National contingency planning and exercises
  – Pan-European exercises on large-scale network security incidents
  – Reinforced cooperation between National/Governmental CERTs
4. International Cooperation
  – Define European priorities, principles and guidelines for the long term resilience and stability of the Internet
  – Promote the principles and guidelines at global level
  – Global cooperation on exercises on large-scale Internet incidents
5. Definition of criteria for the identification of European Critical Infrastructures in the ICT sector

Page 10: Council Resolution of 18 December 2009 on a collaborative European approach to NIS

• The Council Resolution invites Member States to:
  – Organise national exercises and participate in European exercises
  – Create CERTs and reinforce cooperation between national CERTs
  – Increase efforts on education, training and research programmes
  – Jointly react to cross-border incidents
• The Council Resolution invites the European Commission to:
  – Initiate an awareness raising campaign with ENISA regarding the importance of appropriate risk management
  – Identify incentives for providers of electronic communications
  – Encourage and improve multi-stakeholder models
  – Come forward with a holistic strategy on NIS including proposals for a reinforced and flexible mandate for ENISA
  – Analyse in which areas further cooperation between CERTs is called for
• The Council Resolution calls on ENISA to:
  – Support the implementation of NIS policies + CIIP Action Plan
  – Develop a framework of statistical data on the state of NIS in Europe

Page 11: The CIIP Action plan – State of Play of the Implementation

• European Forum for Member States - EFMS - To share information & policy practices and define strategic objectives and priorities
  – Long term resilience and stability of the Internet
  – Criteria to identify European Critical Information Infrastructures
  – Long term strategy on pan-European exercises
• European Public Private Partnership for Resilience - EP3R
  – Objectives, principles and structure
  – Three working groups established in Nov 2010
• 1st Pan-European exercises on large-scale network security incidents organised on 4th of November 2011
• Cooperation between National/Governmental CERTs
  – Identification of baseline of capabilities and services
• International Cooperation
  – Promote resilience and stability of Internet at global level
  – Global cooperation on exercises

Page 12: DAE trust and security actions and CIIP pillars (diagram)

Page 13: European Network and Information Security Agency (ENISA)

• Established in March 2004 for 5 years
• Main objective: assist the Commission and the MS, and in consequence cooperate with the business community, in order to help them to meet the requirements of NIS
• Key tasks: collect information, risk analysis; develop ‘common methodologies’; track the development of standards; contribute to raising awareness; promote ‘best practices’ and ‘methods of alert’; enhance cooperation between stakeholders; assist Commission and MS in dialogue with industry; advise the Commission on research; contribute to international cooperation
• Extension for 3 years [EP and Council Regulation No 1007/2008 of 24/09/2008] until 13/03/2012

Page 14: ENISA – Work programme 2011

WS1: ENISA as facilitator for improving cooperation
  – WPK 1.1: Supporting Member States in implementing article 13a
  – WPK 1.2: Preparing the Next Pan-European Exercise
  – WPK 1.3: Reinforcing CERTs in the Member States
  – WPK 1.4: Support CERT (co)operation on European level
  – WPK 1.5: Good practice for CERTs to address NIS aspects of cybercrime

WS2: ENISA as competence centre for securing current & future technologies
  – WPK 2.1: Security & Privacy of Future Internet Technologies
  – WPK 2.2: Interdependencies and Interconnection
  – WPK 2.3: Secure architectures & technologies
  – WPK 2.4: Early warning for NIS

WS3: ENISA as promoter of privacy & trust
  – WPK 3.1: Identifying and promoting economically efficient approaches to information security
  – WPK 3.2: Deploying privacy & trust in operational environments
  – WPK 3.3: Supporting the review and implementation of the ePrivacy Directive (2002/58/EC)
  – WPK 3.4: European Cyber Security Awareness Month

Page 15: The proposal to modernise ENISA – COM(2010) 521 final

• 30 September 2010: Adoption by the Commission of its proposal for a Regulation concerning ENISA
• Main objectives of the proposal:
  – To reinforce and modernise the mandate of ENISA
  – To extend it by five years
• Option 3 is the preferred policy option among the five options considered in the impact assessment => Expansion of functions currently defined for ENISA and adding law enforcement and privacy protection agencies as fully fledged stakeholders
• Proposal based on Art. 114 TFEU

Page 16: The proposal to modernise ENISA – COM(2010) 521 final

• Compared to the current Regulation, key changes introduced by the proposal to help ENISA carry out its missions:
  – More flexibility, adaptability and capability to focus
  – Better alignment with the EU regulatory process
  – Interface with fight against cybercrime
  – Strengthened governance structure
  – Simplification of procedures
  – Possibility to extend mandate of Executive Director
  – Gradual increase of resources

Page 17: A Triple Play for a modernised ENISA – COM(2010) 521 final

• Knowing better: Assist MS and EU Institutions in collecting, analysing and disseminating NIS data (regularly assess NIS in Europe)
• Cooperating better: Facilitate cooperation, dialogue and exchange of good practice among public and private stakeholders (risk management, awareness, security of products, networks and services, etc.)
• Working better: Provide assistance, support and expertise to the Member States and the European institutions and bodies (cross border issues, detection and response capability, exercises, etc.)

Page 18: ENISA in the EU context (diagram)

Page 19: EU-U.S. WG on Cybersecurity and Cybercrime – Priority areas

1. Public – Private Partnerships (PPP)
2. Cyber Incident Management
3. Awareness Raising
4. Cybercrime

Outreach to other regions or countries: to share approaches, avoid duplication of effort, facilitate a joint approach in international fora

Page 20: EU-U.S. WG on Cybersecurity and Cybercrime – Public-Private Partnership

“This area would focus on providing a coherent environment for cooperation between the public and private sector in the EU and the U.S. This area would also include a focus on the protection and resilience of critical information infrastructures from a cybersecurity perspective including enhancing the security of and reducing the cyber risk to networked industrial control systems.”

Page 21: EU-U.S. WG on Cybersecurity and Cybercrime – Cyber Incident Management

“This area would focus on cyber incident response and enhanced collaboration between national/governmental computer security incident response teams (CSIRT) in Europe and the US. Cybersecurity exercises, to include regional exercises and a possible synchronized trans-continental exercise in 2012/2013, would also be included to evaluate incident management processes.”

Page 22: EU-U.S. WG on Cybersecurity and Cybercrime – Awareness raising

“This area would focus on a sustained effort to raise awareness about cybersecurity and related cybercrime issues with key stakeholders in member states and in the US. This area would focus on developing coordinated activities with respect to awareness raising to enhance efficacy and increase impact.”

Page 23: EU-U.S. WG on Cybersecurity and Cybercrime – Cybercrime

“This area would also focus on continued relationships building and cooperation among law enforcement partners. In addition, this may address child exploitation online.”

Page 24: Web Sites

• A Digital Agenda for Europe: http://ec.europa.eu/information_society/digital-agenda/index_en.htm
• Commission to boost Europe's defences against cyber-attacks: http://ec.europa.eu/information_society/newsroom/cf/itemlongdetail.cfm?item_id=6190
• EU policy on promoting a secure Information Society: http://ec.europa.eu/information_society/policy/nis/index_en.htm
• EU policy on Critical Information Infrastructure Protection – CIIP: http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm
• The reformed Telecom Regulatory Framework - November 2009: http://ec.europa.eu/information_society/policy/ecomm/tomorrow/index_en.htm

Page 25: EU Policy on NIS and CIIP

Thanks!