EU policy on Network and Information Security & Critical Information Infrastructure Protection

Valérie Andrianavaly
European Commission, Directorate General Information Society and Media - DG INFSO - Unit A3: Internet Governance; Network and Information Security


Part 1

Policy on Network and Information Security (NIS)

A comprehensive EU approach to NIS

Three angles for actions on NIS Policy:

Economic, business and social aspects of security in the Information Society

  • Electronic signature

  • Data protection in electronic communications

  • e-signature, e-ID and e-authentication

  • NIS & CIIP

  • Culture of security

  • Digital rights management, biometrics, smart cards, IPv6, open source software

Cyber-crime, internal security

  • Stockholm Programme

  • Framework Decision on attacks against information systems

  • Lawful interception

  • G8 CIIP

  • Data retention

  • Biometrics in visas and residence permits

  • Cyber crime, ID theft

  • EPCIP & Directive

Security / defence

  • Common Foreign and Security Policy

  • Dual use technology research

  • Crisis management

  • External security

International co-operation: OECD, G8, Council of Europe, UN, ITU, ...

Research and Technology (Information and Communication Technologies): FP7 - ICT and Security research; Competitiveness and Innovation Programme; …

Network and Information Security (NIS) - The EU Policy Framework

  • 2004: Establishment of the European Network and Information Security Agency - ENISA

  • 2006: European Commission Strategy for a Secure Information Society - COM(2006)251

  • 2007: Council Resolution on a Strategy for a Secure Information Society in Europe [2007/C 68/01]

  • 2008: Extension of ENISA’s mandate and launch of a debate on increased NIS

  • Mar 2009: European Commission’s proposal for an Action Plan on Critical Information Infrastructure Protection - CIIP -

  • Nov 2009: Adoption of the revised telecoms regulatory package integrating provisions on security

  • Dec 2009: Council resolution on a collaborative European approach to NIS [2009/C 321/01]

  • May 2010: Adoption of the European Digital Agenda

  • H2 2010: Commission’s proposal for a modernized NIS Policy in the EU (tentative)



  • European Network and Information Security Agency (ENISA)

    • Established in March 2004 for 5 years

    • Main objective: assist the Commission and the MS, and in consequence cooperate with the business community, in order to help them to enhance Network and Information Security

    • Key tasks: collect information, risk analysis; develop ‘common methodologies’; contribute to raising awareness; promote ‘best practices’ and ‘methods of alert’; enhance cooperation between stakeholders; assist Commission and MS in dialogue with industry; contribute to international cooperation

    • Mid term evaluation in 2006 + public consultation in 2007 [COM(2007) 285]

    • Extension for 3 years [EP and Council Regulation n. 1007/2008 of 24/09/2008] until 13/03/2012

NIS Policy and related Regulations

  • Strategy for a Secure Information Society COM(2006)251

    • holistic approach for a comprehensive EU-wide strategy across “pillars”, related policy and regulatory initiatives

    • “voluntary” activities by stakeholders via dialogue, partnership and empowerment

    • reinforce ENISA’s role in implementing the policy

    • importance of “resilience” strategy for CIIP, i.e. the ability to deal with unexpected events

  • Council Resolution 2007/C 68/01 on a Strategy for a Secure Information Society in Europe of 22 March 2007

    • Endorses the key elements of the strategy, including the focus on resilience and the key role of ENISA

  • Other policy initiatives related to NIS

    • fighting against spam, spyware and malware [COM(2006)688]

    • promoting data protection by PET [COM(2007)228]

    • fighting against cyber crime [COM(2007)267]

    • new Safer Internet Programme [COM(2008) 106]

COM(2006) 251 – A policy strategy towards a secure Information Society

Open & inclusive multi-stakeholder debate through:

  • Partnership: greater awareness & better understanding of the challenges

  • Dialogue: structured and multi-stakeholder

  • Empowerment: commitment to responsibilities of all actors involved

Network & Information Security (NIS) - Facts

  • Increasing economic and social dependency on ICT vs growing sophistication of threats

  • Network and Information Security (NIS) is a key enabler for trust and is a shared responsibility.

  • Global interconnection vs lack of transnational cooperation

  • Operational responsibility with private sector while public policy responsibility lies with governments

  • Limited incentives for wide NIS uptake

  • Fragmentation of NIS regimes and market maturity in MS

Network and Information Security - Challenges

  • Make security and resilience the front line of defence of critical ICT infrastructures

  • Develop a risk management culture in the EU

  • Identify socio-economic incentives

  • Promote openness, diversity, interoperability, usability, competition

  • NIS calls for a global collaborative and operational approach

  • Build a capability and policy framework for NIS in Europe (e.g. EU early warning system)

  • Boost policy and operational cooperation (e.g. pan-European security incident exercises)


Part 2

Critical Information Infrastructure Protection (CIIP)

A policy initiative on CIIP - Motivations

  • CII are the nervous system of the Information Society → economic and societal dimension

  • Liberalisation, deregulation and convergence → complexity / multiplicity of players

  • Infrastructures are privately owned and operated → accountability vs. control

  • Ensuring the stability of society and economy is governments’ primary responsibility → governance

  • CII stretch out well beyond national borders → globalisation

  • The level of security in any country depends on the level of security put in place outside the national borders → sovereignty

  • National governments face very similar issues and challenges → scale

  • The private sector is calling for harmonised rules → market dimension

Communication on CIIP - COM(2009)149 - High level objectives, scope and approach

  • High level objectives

    • Protect Europe from large scale cyber attacks and disruptions

    • Promote security and resilience culture (first line of defense) & strategy

    • Tackle cyber attacks & disruptions from a systemic perspective

  • Means

    • Enhance the CIIP preparedness and response capability in the EU

    • Promote the adoption of adequate and consistent levels of preventive, detection, emergency and recovery measures

    • Foster International cooperation, in particular on Internet stability and resilience

  • Approach

    • Build on national and private sector initiatives

    • Engage public and private sectors

    • Adopt an all-hazards approach

    • Be multilateral, open and all inclusive

Communication on CIIP - COM(2009)149 - Specific objectives

The 5 specific objectives to be achieved:

  • Foster cooperation and exchange of good policy practices between MS

  • Develop a public-private partnership at the European level on security and resilience of CIIs

  • Enhance incident response capability in the EU

  • Promote the organisation of national and European exercises on simulated large-scale network security incidents.

  • Reinforce international cooperation on global issues, in particular on resilience and stability of Internet

CIIP Policy - COM(2009)149 - The Five Pillars of the CIIP Action Plan

  • Preparedness and prevention

    • European Forum for MS to share information & policy practices - EFMS

    • European Public Private Partnership for Resilience EP3R

    • Baseline of capabilities and services for National/Governmental CERTs

  • Detection and response

    • Development of a European Information Sharing and Alert System – EISAS dedicated to EU citizens and SMEs

  • Mitigation and recovery

    • National contingency planning and exercises

    • Pan-European exercises on large-scale network security incidents

    • Reinforced cooperation between National/Governmental CERTs

  • International Cooperation

    • Define European priorities, principles and guidelines for the long term resilience and stability of the Internet

    • Promote the principles and guidelines at global level

    • Global cooperation on exercises on large-scale Internet incidents

  • Definition of criteria for the identification of European Critical Infrastructures in the ICT sector

Ministerial Conference on CIIP, 27-28 April 2009, Tallinn, Estonia - Presidency conclusions

  • “There is an urgent need for Member States and all stakeholders to commit themselves to swift action in order to enhance the level of preparedness, security and resilience of Critical Information Infrastructures throughout the European Union”

  • “The Communication by the European Commission on Critical Information Infrastructure Protection furnishes a solid basis for taking such urgent action as is necessary”

  • See the Presidency Conclusions of the Ministerial Conference on CIIP Tallinn (EE), 27-28 April 2009 at:

Council Resolution of 18 December 2009 on a collaborative European approach to NIS

  • The Council resolution invites Member States to:

    • Organise national exercises and participate in European exercises

    • Create CERTs and reinforce cooperation between national CERTs

    • Increase efforts on education, training and research programmes

    • Jointly react to cross-border incidents

  • The Council resolution invites the European Commission to:

    • Initiate an awareness raising campaign with ENISA regarding the importance of appropriate risk management

    • Identify incentives for providers of electronic communications

    • Encourage and improve multi-stakeholder models

    • Come forward with a holistic strategy on NIS including proposals for a reinforced and flexible mandate for ENISA

    • Analyse in which areas further cooperation between CERTs is called for

  • The Council resolution calls on ENISA to:

    • Support the implementation of NIS policies + CIIP Action Plan

    • Develop a framework of statistical data on the state of NIS in Europe

The CIIP Action Plan - State of Play of the Implementation

  • 31 March 2009: 1st thematic workshop on the EU policy dimension of vulnerability management and disclosure process (report on the web)

  • 16 June 2009: 1st EFMS meeting

  • 17 June 2009: 1st EP3R workshop (report on the web)

  • June – Sept 2009: Informal consultation with MS on EU principles for Internet resilience & stability

  • Sept – Oct 2009: Informal consultation with trade associations and individual companies on EP3R (e.g. DigitalEurope, ETNO, ETIS, Euro-IX, GSMA, EOS, BSA, Internet Security Alliance, and TechAmerica)

  • 12-13 Nov 2009: Follow-up workshops on EFMS and EP3R

  • 30 March 2010: Third EFMS meeting

  • 29-30 June 2010: EFMS & EP3R meeting

  • On-going: Studies & projects; ENISA activities in support of the Commission’s NIS/CIIP policy and the CIIP Action Plan

Web Sites

  • EU policy on promoting a secure Information Society

  • EU policy on Critical Information Infrastructure Protection – CIIP

  • Report on the public consultation “Towards a Strengthened Network and Information Security Policy in Europe”

  • The reformed Telecom Regulatory Framework - November 2009

  • Research activities and projects funded under the FP7 ICT Security:

Links to EU Policy Documents

  • Communication of the European Commission on a Strategy for a Secure Information Society [COM(2006)251] of 31.5.2006

  • Council Resolution on a Strategy for a Secure Information Society in Europe [2007/C 68/01] of 22.03.2007

  • Communication of the European Commission on Critical Information Infrastructure Protection - "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience" [COM(2009)149] of 30.3.2009

  • Council Resolution on a collaborative European approach to Network and Information Security [2009/C 321/01] of 18.12.2009

  • Communication of the European Commission on Fighting spam, spyware and malicious software [COM(2006)688]