European Union Agency for Network and Information Security

The EU Cybersecurity Package: Implications for ENISA

Dr. Steve Purser | Head of ENISA Core Operations

Athens, 30th January 2018


Outline

1. Cybersecurity Package

2. Why ENISA Reform?

3. The “Cybersecurity Act” and proposed ENISA tasks

4. Policy and R&I

5. Operational cooperation

6. Cybersecurity Certification

7. Key Developments

8. The Next Steps

Cybersecurity Package

Commission President Juncker, State of the EU 2017:

“Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks.

[…]

Today, the Commission is proposing new tools, including a European Cybersecurity Agency to help defend us.”

Cybersecurity Package

• Commission Proposal for a Cybersecurity Act: Proposal for a Regulation on ENISA, the "EU Cybersecurity Agency", and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act") – COM(2017) 477

• Renewed Cybersecurity Strategy: European Parliament and Council Joint Communication 'Resilience, Deterrence and Defence: Building strong cybersecurity for the EU' (JOIN(2017) 450)

• Blueprint: Commission Recommendation on Coordinated Response to Large Scale Cybersecurity Incidents and Crises – (C(2017) 6100)

• Commission Communication “Making the Most of NIS” – towards effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (COM(2017) 476)

Why ENISA Reform?

• Existing mandate coming to an end in June 2020

• New and increasing threats in cyberspace

• Greater political interest in cyber issues

• New EU cyber legislation – NIS Directive

• Risk of fragmentation in the Digital Single Market

• ENISA evaluation study for period 2013-2016

Why ENISA Reform?

• Need for enhanced role for ENISA with:

- Adequate Resources

- Permanent Status

- A Stronger Mandate

Reformed ENISA (EU Cybersecurity Agency)

The Proposed “Cybersecurity Act”

Six key objectives:

1. Increasing capabilities and preparedness at EU and MS level

2. Improving cooperation and coordination of stakeholders

3. Increasing EU level capabilities to complement MS action

4. Promoting cybersecurity awareness in the EU

5. Increasing transparency of cybersecurity assurance

6. Avoiding fragmentation of certification schemes

Proposed Tasks for a Stronger ENISA with a Permanent Mandate:

• Law and Policy Tasks

• Operational Cooperation

• Research and Innovation

• Capacity Building

• International Cooperation

• Market and Certification

• Awareness Raising

The Proposed “Cybersecurity Act”

The proposal contains important new/revised tasks for ENISA:

• Strengthened and reinforced ENISA; substantially altered:

- Role in policy development and implementation

- Role in operational cooperation – Blueprint

- Participation in research funding programmes

• EU-level cybersecurity certification framework with:

- A role for ENISA in the preparation of candidate schemes

- Secretariat assistance provided by ENISA for the “European Cybersecurity Certification Group”

Policy and Research & Innovation

ENISA involvement in the development, implementation and review of Union law and policy (Article 5):

• Horizontal and sectoral policy relating to cybersecurity

• NIS Directive implementation

• Special attention to electronic identity and trust services; security of electronic communications

• Annual report on state of implementation of legal framework

Enhanced participation in research funding programmes (Article 10):

• Possibility to participate as a beneficiary or in the implementation of research and innovation programmes

Operational cooperation

Enhanced operational role and involvement in the Blueprint for large-scale cybersecurity incidents and crises (Article 7):

• ENISA to provide support to or carry out ex-post technical enquiries.

• ENISA to contribute to developing a cooperative response to large-scale cross border incidents or crises (Blueprint):

a) aggregating reports from national sources to contribute to common situational awareness;

b) ensuring efficient information flow and escalation mechanisms between CSIRTs Network, technical and political decision-makers;

c) supporting technical handling of an incident/crisis, including facilitating sharing of technical solutions between Member States;

d) supporting public communication around incidents/crises;

e) testing the cooperation plans to respond to incidents/crises.

EU Cybersecurity Certification

The Commission proposes a European Cybersecurity Certification framework (Article 8 and Title III) with ENISA involvement in steps 2 and 3 of the process displayed below:

1. MS or ECCG propose to Commission the drafting of a scheme

2. Commission requests ENISA

3. ENISA drafts scheme involving all stakeholders and ECCG

4. Commission adopts scheme by means of implementing acts

Key Aspects of Proposed Framework

Key aspects of the proposed EU cybersecurity certification framework include:

• Addresses market fragmentation

• Presents a voluntary and risk-based approach

• Defined assurance levels (Basic, Substantial, High)

• Role for Member States:

- Propose preparation of a candidate scheme to the Commission

- Involvement through European Cybersecurity Certification Group (composed of national certification supervisory authorities)

- Involved in the procedure for adoption of an implementing act

• Clear separation of tasks in line with Regulation (EU) 765/2008


Cybersecurity Package: Developments

• Council Conclusions of 20th November 2017 on the Renewed Cybersecurity Strategy (JOIN(2017) 450):

- Welcomed the permanent mandate for ENISA, with a primary objective to:

(a) support and develop cooperation between Member States;

(b) increase capacities of Member States;

(c) increase confidence in a digital Europe.

- Stressed the need to strengthen cybersecurity certification

• National Parliaments subsidiarity deadline lapsed on 7th December 2017

Cybersecurity Package: The Next Steps

• European Parliament First Reading of Cybersecurity Act:

- Responsible Committee in EP – ITRE Committee

- Involvement of BUDG, IMCO, LIBE, and AFET Committees (Opinion)

• Vote scheduled in Committee Q3 2018

• Ongoing discussions in the Council

• Expected Opinions from EESC and CoR

EPRS | European Parliamentary Research Service, 2018