EU Cybersecurity Strategy and Commission Proposal for a Directive on Network and Information Security LIBE, EP Brussels, 20 February 2013 Paul Timmers, Director for Sustainable & Secure Society DG Communications Networks, Content and Technology


Cybersecurity: The need for further EU action

• Economic and social benefits of the digital world and open Internet

• Risks, incidents and cybercrime on the rise

• Cross-border/global issue

• Insufficient preparedness and cooperation across the EU

• Previous initiatives: DAE, CIIP policy, EFMS, EP3R, Internal Security Strategy, European Security Strategy, EP resolutions and reports, FoP on cyber; comprehensive vision needed


EU Cybersecurity Strategy

• Principles and values guiding EU activities

• Strengthen security and resilience of network and information systems

• Step up fight against cybercrime

• Address cyber defence and develop an EU international cyberspace policy

• Roles and responsibilities


EU Cybersecurity Strategy: Strengthen security and resilience of network and information systems

Security of the supply chain; integrated market for security solutions

Foster R&D

PPPs

Fighting botnets, security of ICS and Smart grids

Awareness raising


EU Cybersecurity Strategy: Step up fight against cybercrime

• European Cybercrime Centre Programme Board (ENISA, EUROJUST, etc.)

• Support to enhance national capabilities to investigate and combat cybercrime

• Encourage swift implementation of Cybercrime directives (including current proposal)


EU Cybersecurity Strategy: Address cyberdefence

• Capability development (detection, response, recovery)

• Synergies and dialogue between civilian and military players

• Member States, EEAS, EDA to cooperate


EU Cybersecurity Strategy: Develop EU International cyberspace policy

Strengthen international cooperation

Promote human rights and free trade

Global norms of behaviour in cyberspace

Capacity building in third countries


Proposal for a Directive on Network and Information Security (NIS) – Article 114 TFEU

PREPAREDNESS: National capabilities

A high level of NIS and smooth functioning of the internal market

A CULTURE OF NIS ACROSS SECTORS: NIS risk management and Public-Private cooperation

EU-LEVEL COOPERATION: comparable capabilities and mutual trust


Proposal for a Directive on Network and Information Security (NIS)

Key elements (1/5)

Common NIS requirements at national level

National NIS strategy and cooperation plan

National competent authority

Computer Emergency Response Team (CERT)


Proposal for a Directive on Network and Information Security (NIS) – Article 114 TFEU

Key elements (2/5)

Network of NIS competent authorities at EU level

Early warnings and coordinated response (via secure infrastructure)

Capacity building and peer reviews

NIS exercises at EU level

ENISA to assist


Proposal for a Directive on Network and Information Security (NIS) – Article 114 TFEU

Key elements (3/5)

Early warnings on risks and incidents:
  (a) grow rapidly or may grow rapidly in scale;
  (b) exceed or may exceed national response capacity;
  (c) affect or may affect more than one Member State.

When relevant, also to inform the European Cybercrime Centre

Coordinated response – on the basis of the European NIS cooperation plan


Proposal for a Directive on Network and Information Security (NIS) – Article 114 TFEU

Key elements (4/5)

• Extension of telecom framework directive scheme - Risk management and incident reporting to competent authorities for:
  - Energy – electricity and gas
  - Credit institutions and stock exchanges
  - Transport – air, maritime, rail
  - Healthcare
  - Enablers of key Internet services
  - Public administrations

Complementarity with Directive on European Critical Infrastructure – 2008/114/EC


Proposal for a Directive on Network and Information Security (NIS) – Article 114 TFEU

Key elements (5/5)

• Risk management
  - Dynamic process
  - No mandated standards
  - Only proportionate measures

• Incident reporting
  - Only incidents with significant impact on core services
  - Guarantees for business (confidentiality rules and recital on vulnerabilities)


EU Cybersecurity Strategy: Fostering R&D


EU Cybersecurity Strategy: Roadmap

• Follow-up in Council (respective configurations; TTE CWG for NIS Directive; FoP to steer) and in the European Parliament

• Implementation report of the Strategy (early 2014) + Annual Conference on Cybersecurity


Thanks!


Useful links

• Digital Agenda for Europe: http://ec.europa.eu/digital-agenda/

• Trust and Security: http://ec.europa.eu/digital-agenda/en/our-goals/pillar-iii-trust-security

• Cybersecurity: http://ec.europa.eu/digital-agenda/en/cybersecurity

• Digital Futures: https://ec.europa.eu/digital-agenda/en/digital-futures-objectives-and-scope

• Help us improve our analysis and measurement: http://ec.europa.eu/digital-agenda/en/help-us-improve-our-analysis-measurement


Useful links

• Commission proposal for a Directive on Network and Information Security: http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=1666

• Impact Assessment: http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=1669

• Cybersecurity Strategy of the European Union: http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=1667

• Press release: http://europa.eu/rapid/press-release_IP-13-94_en.htm

• MEMO: http://europa.eu/rapid/press-release_MEMO-13-71_en.htm