EU policy on Network and Information Security & Critical Information Infrastructure Protection

PowerPoint presentation by Valérie Andrianavaly, European Commission, Directorate General Information Society and Media (DG INFSO), Unit A3: Internet Governance; Network and Information Security.

Presentation Transcript
EU policy on Network and Information Security & Critical Information Infrastructure Protection

Valérie Andrianavaly

European Commission, Directorate General Information Society and Media (DG INFSO), Unit A3: Internet Governance; Network and Information Security

[email protected]



Part 1

Policy on Network and Information Security (NIS)


A comprehensive EU approach to NIS

(Slide diagram: NIS sits at the intersection of several EU policy areas, with international co-operation spanning all of them; the items below are listed by policy area.)

  • International Co-operation: OECD, G8, Council of Europe, UN, ITU, ...; G8 CIIP

  • Economic, business and social aspects of security in the Information Society: electronic signature; data protection in electronic communications; e-signature, e-ID and e-authentication; NIS & CIIP; culture of security; ENISA; digital rights management, biometrics, smart cards, IPv6, open source software

  • Cyber-crime, internal security: Stockholm Programme; Framework Decision on attacks against information systems; lawful interception; data retention; biometrics in visas and residence permits; cyber crime; EPCIP & Directive

  • External security / defence: Common Foreign and Security Policy; dual-use technology research; crisis management; external security

  • Research and Technology (Information and Communication Technologies): FP7 - ICT and Security research; Competitiveness and Innovation Programme; …


Three angles for actions on NIS Policy

(Slide diagram: a triangle whose three corners are the three angles below, with hacking, ID theft, intrusion and data retention as the issues lying between them.)

  • PREVENT: Network & Information Security

  • PROSECUTE: Cybercrime & terrorism

  • PROTECT: Privacy and data protection


Network and Information Security (NIS): The EU Policy Framework

  • 2004: Establishment of the European Network and Information Security Agency - ENISA

  • 2006: European Commission Strategy for a Secure Information Society - COM(2006)251

  • 2007: Council Resolution on a Strategy for a Secure Information Society in Europe [2007/C 68/01]

  • 2008: Extension of ENISA’s mandate and launch of a debate on increased NIS

  • Mar 2009: European Commission’s proposal for an Action Plan on Critical Information Infrastructure Protection - CIIP -

  • Nov 2009: Adoption of the revised telecoms regulatory package integrating provisions on security

  • Dec 2009: Council resolution on a collaborative European approach to NIS [2009/C 321/01]

  • May 2010: Adoption of the European Digital Agenda

  • H2 2010: Commission’s proposal for a modernised NIS Policy in the EU (tentative)



ENISA

  • European Network and Information Security Agency (ENISA)

    • Established in March 2004 for 5 years

    • Main objective: assist the Commission and the Member States (MS), and in consequence cooperate with the business community, in order to help them enhance Network and Information Security

    • Key tasks: collect information, risk analysis; develop ‘common methodologies’; contribute to raising awareness; promote ‘best practices’ and ‘methods of alert’; enhance cooperation between stakeholders; assist Commission and MS in dialogue with industry; contribute to international cooperation

    • Mid term evaluation in 2006 + public consultation in 2007 [COM(2007) 285]

    • Extension for 3 years [EP and Council Regulation (EC) No 1007/2008 of 24/09/2008] until 13/03/2012



NIS Policy and related Regulations

  • Strategy for a Secure Information Society COM(2006)251

    • holistic approach for a comprehensive EU-wide strategy across “pillars”, related policy and regulatory initiatives

    • “voluntary” activities of stakeholders via dialogue, partnership and empowerment

    • reinforce ENISA’s role in implementing the policy

    • importance of “resilience” strategy for CIIP, i.e. the ability to deal with unexpected events

  • Council Resolution 2007/C 68/01 on a Strategy for a Secure Information Society in Europe of 22 March 2007

    • Endorses the key elements of the strategy, including the focus on resilience and the key role of ENISA

  • Other policy initiatives related to NIS

    • fighting against spam, spyware and malware [COM(2006)688]

    • promoting data protection by PET [COM(2007)228]

    • fighting against cyber crime [COM(2007)267]

    • new Safer Internet Programme [COM(2008) 106]


COM(2006) 251 – A policy strategy towards a secure Information Society

(Slide diagram: three mutually reinforcing elements arranged around an open and inclusive multi-stakeholder debate.)

  • DIALOGUE: structured and multi-stakeholder

  • PARTNERSHIP: greater awareness & better understanding of the challenges

  • EMPOWERMENT: commitment to responsibilities of all actors involved


Network & Information Security (NIS): Facts

  • Increasing economic and social dependency on ICT vs growing sophistication of threats

  • Network and Information Security (NIS) is a key enabler for trust and is a shared responsibility.

  • Global interconnection vs lack of transnational cooperation

  • Operational responsibility with private sector while public policy responsibility lies with governments

  • Limited incentives for wide NIS uptake

  • Fragmentation of NIS regimes and market maturity in MS


Network and Information Security: Challenges

  • Make security and resilience the front line of defence of critical ICT infrastructures

  • Develop a risk management culture in the EU

  • Identify socio-economic incentives

  • Promote openness, diversity, interoperability, usability, competition

  • NIS calls for a global collaborative and operational approach

  • Build a capability and policy framework for NIS in Europe (e.g. EU early warning system)

  • Boost policy and operational cooperation (e.g. pan-European security incident exercises)



Part 2

Critical Information Infrastructure Protection (CIIP)


A policy initiative on CIIP: Motivations

  • CII are the nervous system of the Information Society → economic and societal dimension

  • Liberalisation, deregulation and convergence → complexity / multiplicity of players

  • Infrastructures are privately owned and operated → accountability vs. control

  • Ensuring the stability of society and economy is governments’ primary responsibility → governance

  • CII stretch out well beyond national borders → globalisation

  • The level of security in any country depends on the level of security put in place outside the national borders → sovereignty

  • National governments face very similar issues and challenges → scale

  • The private sector is calling for harmonised rules → market dimension


Communication on CIIP - COM(2009)149: High level objectives, scope and approach

  • High level objectives

    • Protect Europe from large scale cyber attacks and disruptions

    • Promote security and resilience culture (first line of defense) & strategy

    • Tackle cyber attacks & disruptions from a systemic perspective

  • Means

    • Enhance the CIIP preparedness and response capability in the EU

    • Promote the adoption of adequate and consistent levels of preventive, detection, emergency and recovery measures

    • Foster International cooperation, in particular on Internet stability and resilience

  • Approach

    • Build on national and private sector initiatives

    • Engage public and private sectors

    • Adopt an all-hazards approach

    • Be multilateral, open and all inclusive


Communication on CIIP - COM(2009)149: Specific objectives

The 5 specific objectives to be achieved:

  • Foster cooperation and exchange of good policy practices between MS

  • Develop a public-private partnership at the European level on security and resilience of CIIs

  • Enhance incident response capability in the EU

  • Promote the organisation of national and European exercises on simulated large-scale network security incidents.

  • Reinforce international cooperation on global issues, in particular on resilience and stability of Internet


CIIP Policy - COM(2009)149: The Five Pillars of the CIIP Action Plan

  • Preparedness and prevention

    • European Forum for MS to share information & policy practices - EFMS

    • European Public Private Partnership for Resilience EP3R

    • Baseline of capabilities and services for National/Governmental CERTs

  • Detection and response

    • Development of a European Information Sharing and Alert System – EISAS dedicated to EU citizens and SMEs

  • Mitigation and recovery

    • National contingency planning and exercises

    • Pan-European exercises on large-scale network security incidents

    • Reinforced cooperation between National/Governmental CERTs

  • International Cooperation

    • Define European priorities, principles and guidelines for the long term resilience and stability of the Internet

    • Promote the principles and guidelines at global level

    • Global cooperation on exercises on large-scale Internet incidents

  • Definition of criteria for the identification of European Critical Infrastructures in the ICT sector


Ministerial Conference on CIIP, 27-28 April 2009, Tallinn, Estonia: Presidency conclusions

  • “There is an urgent need for Member States and all stakeholders to commit themselves to swift action in order to enhance the level of preparedness, security and resilience of Critical Information Infrastructures throughout the European Union”

  • “The Communication by the European Commission on Critical Information Infrastructure Protection furnishes a solid basis for taking such urgent action as is necessary”

  • See the Presidency Conclusions of the Ministerial Conference on CIIP Tallinn (EE), 27-28 April 2009 at: http://www.tallinnciip.eu/doc/EU_Presidency_Conclusions_Tallinn_CIIP_Conference.pdf



Council Resolution of 18 December 2009 on a collaborative European approach to NIS

  • The Council resolution invites Member States to:

    • Organise national exercises and participate in European exercises

    • Create CERTs and reinforce cooperation between national CERTs

    • Increase efforts on education, training and research programmes

    • Jointly react to cross-border incidents

  • The Council resolution invites the European Commission to:

    • Initiate an awareness raising campaign with ENISA regarding the importance of appropriate risk management

    • Identify incentives for providers of electronic communications

    • Encourage and improve multi-stakeholder models

    • Come forward with a holistic strategy on NIS including proposals for a reinforced and flexible mandate for ENISA

    • Analyse in which areas further cooperation between CERTs is called for

  • The Council resolution calls on ENISA to:

    • Support the implementation of NIS policies + CIIP Action Plan

    • Develop a framework of statistical data on the state of NIS in Europe


The CIIP Action Plan: State of Play of the Implementation

  • 31 March 2009: 1st thematic workshop on the EU policy dimension of vulnerability management and disclosure process (report on the web)

  • 16 June 2009: 1st EFMS meeting

  • 17 June 2009: 1st EP3R workshop (report on the web)

  • June – Sept 2009: Informal consultation with MS on EU principles for Internet resilience & stability

  • Sept – Oct 2009: Informal consultation with trade associations and individual companies on EP3R (e.g. DigitalEurope, ETNO, ETIS, Euro-IX, GSMA, EOS, BSA, Internet Security Alliance, and TechAmerica)

  • 12-13 Nov 2009: Follow-up workshops on EFMS and EP3R

  • 30 March 2010: Third EFMS meeting

  • 29-30 June 2010: EFMS & EP3R meeting

  • On-going: Studies & projects; ENISA activities in support of the Commission NIS/CIIP policy and CIIP Action Plan



Web Sites

  • EU policy on promoting a secure Information Society http://ec.europa.eu/information_society/policy/nis/index_en.htm

  • EU policy on Critical Information Infrastructure Protection – CIIP http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm

  • Report on the public consultation “Towards a Strengthened Network and Information Security Policy in Europe” http://ec.europa.eu/information_society/policy/nis/nis_public_consultation/index_en.htm

  • The reformed Telecom Regulatory Framework - November 2009 http://ec.europa.eu/information_society/policy/ecomm/tomorrow/index_en.htm

  • Research activities and projects funded under the FP7 ICT Security: http://cordis.europa.eu/fp7/ict/security/home_en.html


Links to EU Policy Documents

  • Communication of the European Commission on a Strategy for a Secure Information Society [COM(2006)251] of 31.5.2006: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2006:0251:FIN:EN:PDF

  • Council Resolution on a Strategy for a Secure Information Society in Europe [2007/C 68/01] of 22.03.2007, OJ C 68 of 24.3.2007 (the URL printed on the original slide points to the 2009 Council Resolution below; retrieve this document from EUR-Lex by its OJ reference)

  • Communication of the European Commission on Critical Information Infrastructure Protection - "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience" [COM(2009)149] of 30.3.2009: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:PDF

  • Council Resolution on a collaborative European approach to Network and Information Security [2009/C 321/01] of 18.12.2009: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2009:321:0001:0004:EN:PDF

  • Communication of the European Commission on Fighting spam, spyware and malicious software [COM(2006)688]: http://eur-lex.europa.eu/Result.do?T1=V5&T2=2006&T3=688&RechType=RECH_naturel&Submit=Search



EU Policy on NIS and CIIP

Thanks!
