European Union Agency for Network and Information Security
The EU Cybersecurity Package: Implications for ENISA
Dr. Steve Purser | Head of ENISA Core Operations
Athens, 30th January 2018

Outline
1. Cybersecurity Package
2. Why ENISA Reform?
3. The “Cybersecurity Act” and proposed ENISA tasks
4. Policy and R&I
5. Operational cooperation
6. Cybersecurity Certification
7. Key Developments
8. The Next Steps

Cybersecurity Package
Commission President Juncker, State of the EU 2017:
“Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks.
[…]
Today, the Commission is proposing new tools, including a European Cybersecurity Agency to help defend us.”

Cybersecurity Package
• Commission Proposal for a Cybersecurity Act: Proposal for a Regulation on ENISA, the "EU Cybersecurity Agency", and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act") – COM(2017) 477
• Renewed Cybersecurity Strategy: European Parliament and Council Joint Communication 'Resilience, Deterrence and Defence: Building strong cybersecurity for the EU' (JOIN(2017) 450)
• Blueprint: Commission Recommendation on Coordinated Response to Large Scale Cybersecurity Incidents and Crises – (C(2017) 6100)
• Commission Communication “Making the Most of NIS” – towards effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (COM(2017) 476)

Why ENISA Reform?
• Existing mandate coming to an end in June 2020
• New and increasing threats in cyberspace
• Greater political interest in cyber issues
• New EU cyber legislation – NIS Directive
• Risk of fragmentation in the Digital Single Market
• ENISA evaluation study for period 2013-2016

Why ENISA Reform?
• Need for enhanced role for ENISA with:
- Adequate Resources
- Permanent Status
- A Stronger Mandate
Reformed ENISA (EU Cybersecurity Agency)

The Proposed “Cybersecurity Act”
Six key objectives:
1. Increasing capabilities and preparedness at EU and MS level
2. Improving cooperation and coordination of stakeholders
3. Increasing EU level capabilities to complement MS action
4. Promoting cybersecurity awareness in the EU
5. Increasing transparency of cybersecurity assurance
6. Avoiding fragmentation of certification schemes

Proposed Tasks for a Stronger ENISA with a Permanent Mandate:
• Law and Policy Tasks
• Operational Cooperation
• Research and Innovation
• Capacity Building
• International Cooperation
• Market and Certification
• Awareness Raising

The Proposed “Cybersecurity Act”
The proposal contains important new/revised tasks for ENISA:
• Strengthened and reinforced ENISA; substantially altered:
- Role in policy development and implementation
- Role in operational cooperation – Blueprint
- Participation in research funding programmes
• EU-level cybersecurity certification framework with:
- A role for ENISA in the preparation of candidate schemes
- Secretariat assistance provided by ENISA for the “European Cybersecurity Certification Group”

Policy and Research & Innovation
ENISA involvement in the development, implementation and review of Union law and policy (Article 5):
• Horizontal and sectoral policy relating to cybersecurity
• NIS Directive implementation
• Special attention to electronic identity and trust services; security of electronic communications
• Annual report on state of implementation of legal framework
Enhanced participation in research funding programmes (Article 10):
• Possibility to participate as a beneficiary or in the implementation of research and innovation programmes

Operational cooperation
Enhanced operational role and involvement in the Blueprint for large-scale cybersecurity incidents and crises (Article 7):
• ENISA to provide support to or carry out ex-post technical enquiries.
• ENISA to contribute to developing a cooperative response to large-scale cross border incidents or crises (Blueprint):
a) aggregating reports from national sources to contribute to common situational awareness;
b) ensuring efficient information flow and escalation mechanisms between CSIRTs Network, technical and political decision-makers;
c) supporting technical handling of an incident/crisis, including facilitating sharing of technical solutions between Member States;
d) supporting public communication around incidents/crises;
e) testing the cooperation plans to respond to incidents/crises.

EU Cybersecurity Certification
The Commission proposes a European Cybersecurity Certification framework (Article 8 and Title III) with ENISA involvement in steps 2 and 3 of the process displayed below:
1. MS or ECCG propose to Commission the drafting of a scheme
2. Commission requests ENISA
3. ENISA drafts scheme involving all stakeholders and ECCG
4. Commission adopts scheme by means of implementing acts

Key Aspects of Proposed Framework
Key aspects of the proposed EU cybersecurity certification framework include:
• Addresses market fragmentation
• Presents a voluntary and risk-based approach
• Defined assurance levels (Basic, Substantial, High)
• Role for Member States:
- Propose preparation of a candidate scheme to the Commission
- Involvement through European Cybersecurity Certification Group (composed of national certification supervisory authorities)
- Involved in the procedure for adoption of an implementing act
• Clear separation of tasks in line with Regulation (EU) 765/2008

Cybersecurity Package: Developments
• Council Conclusions of 20th November 2017 on the Renewed Cybersecurity Strategy (JOIN(2017) 450):
- Welcomed the permanent mandate for ENISA, with a primary objective to:
(a) support and develop cooperation between Member States;
(b) increase capacities of Member States;
(c) increase confidence in a digital Europe.
- Stressed the need to strengthen cybersecurity certification
• National Parliaments subsidiarity deadline lapsed on 7th December 2017

Cybersecurity Package: The Next Steps
• European Parliament First Reading of Cybersecurity Act:
- Responsible Committee in EP – ITRE Committee
- Involvement of BUDG, IMCO, LIBE, and AFET Committees (Opinion)
• Vote scheduled in Committee Q3 2018
• Ongoing discussions in the Council
• Expected Opinions from EESC and CoR
EPRS | European Parliamentary Research Service, 2018

PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
www.enisa.europa.eu
Thank you