Developing a risk management culture: a regulatory perspective
2nd ISACA Athens Chapter Conference
Andrea Servida, European Commission, Directorate General Communications Networks, Content and Technology (DG CONNECT), Task Force "Legislation Team (eIDAS)"
andrea.servida@ec.europa.eu

Risk management in:
• Past EU NIS & CIIP policies (2001 – 2011)
• The e-communication market regulation (2009)
• The proposed eIDAS Regulation (2012)
• The forthcoming legislative proposal on NIS (2013)
towards a "true security risk management market"

Risk management in past EU policies on NIS & CIIP

Main initiatives on NIS & CIIP at EU level
• Establishment of ENISA - Regulation (EC) No 460/2004
• The Strategy for a Secure Information Society (COM(2006)251)
• The Commission Communication on Critical Information Infrastructure Protection (COM(2009) 149) proposing an Action Plan
• Trust and Security chapter of the Digital Agenda for Europe (COM(2010)245)
• The proposal to modernise ENISA (COM(2010)521)
• The second Commission Communication on CIIP of March 2011, "Achievements and next steps: towards global cyber-security" (COM(2011) 163)
• The revised Regulatory Framework for electronic communications – new security provisions including security breach notifications (Art. 13a and 13b)

The overall policy approach
• Focus on prevention, resilience and preparedness (complementary to fighting cyber crime)
• Take into account the civilian & economic stakeholders' role and capability (role of the private sector & the governance challenge)
• Make security and resilience the frontline of defence
• Adopt an all-hazards approach
• Develop a risk management culture in the EU
• Focus on the role of socio-economic incentives
• Promote openness, diversity, interoperability, usability and competition as inherent security safeguards
• Boost a global collaborative policy and operational cooperation across the EU, in particular on CIIP

Some examples
NIS policy 2001
• Develop a security culture in the EU
• Awareness as the mechanism to "understand" the risks
• Promote market-oriented security standards & certification
Strategy for a Secure Information Society (2006)
• Trusted framework for collection of security incident data
• Private sector to "involve the insurance sector in developing appropriate risk management tools and methods to tackle ICT-related risks and foster a culture of risk management in organisations and business (in particular in SMEs)."

Some examples (2)
CIIP policy of 2009 and 2011
• National and EU contingency plans
• "Internet resilience and stability principles": good risk management
"Good risk management by both the public and private sector is critical to internet resilience. All stakeholders have a role to play in ensuring that risks are understood, measured and mitigated against appropriately. Good risk management includes, but is not limited to, being aware of societal dependencies on the Internet; ensuring responsibility and accountability of each stakeholder for the effects of its action on the stability and resilience of the Internet; putting in place reasonable and proper contingency and fall-back strategies; striving for an appropriate diversity of sources in the supply chain of the technologies used on the Internet."

Risk management in the e-Communication regulatory framework

Security and integrity: the risk management framework
Art. 13a(1) and (2):
"1. Member States shall ensure that undertakings providing public communications networks or publicly available electronic communications services take appropriate technical and organisational measures to appropriately manage the risks posed to security of networks and services. Having regard to the state of the art, these measures shall ensure a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of security incidents on users and interconnected networks.
2. Member States shall ensure that undertakings providing public communications networks take all appropriate steps to guarantee the integrity of their networks, and thus ensure the continuity of supply of services provided over those networks."

Security and integrity: reporting
Art. 13a(3):
"3. Member States shall ensure that undertakings providing public communications networks or publicly available electronic communications services notify the competent national regulatory authority of a breach of security or loss of integrity that has had a significant impact on the operation of networks or services. Where appropriate, the national regulatory authority concerned shall inform the national regulatory authorities in other Member States and the European Network and Information Security Agency (ENISA). The national regulatory authority concerned may inform the public or require the undertakings to do so, where it determines that disclosure of the breach is in the public interest. Once a year, the national regulatory authority concerned shall submit a summary report to the Commission and ENISA on the notifications received and the action taken in accordance with this paragraph."

Security and integrity: technical implementing measures
Art. 13a(4):
"4. The Commission, taking the utmost account of the opinion of ENISA, may adopt appropriate technical implementing measures with a view to harmonising the measures referred to in paragraphs 1, 2, and 3, including measures defining the circumstances, format and procedures applicable to notification requirements. These technical implementing measures shall be based on European and international standards to the greatest extent possible, and shall not prevent Member States from adopting additional requirements in order to pursue the objectives set out in paragraphs 1 and 2. These implementing measures, designed to amend non-essential elements of this Directive by supplementing it, shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 22(3)."

Implementation and enforcement
Art. 13b:
1. Member States shall ensure that in order to implement Article 13a, competent national regulatory authorities have the power to issue binding instructions, including those regarding time limits for implementation, to undertakings providing public communications networks or publicly available electronic communications services.
2. Member States shall ensure that competent national regulatory authorities have the power to require undertakings providing public communications networks or publicly available electronic communications services to:
a) provide information needed to assess the security and/or integrity of their services and networks, including documented security policies; and
b) submit to a security audit carried out by a qualified independent body or a competent national authority and make the results thereof available to the national regulatory authority. The cost of the audit shall be paid by the undertaking.
3. Member States shall ensure that national regulatory authorities have all the powers necessary to investigate cases of non-compliance and the effects thereof on the security and integrity of the networks.

Technical guidelines on reporting security breaches by ENISA

e-Communications security and resilience: ENISA good practices
• Technical Guidelines on Reporting Incidents – Guidance on the incident reporting scheme in Article 13a
• Shortlisting network and information security standards and good practices
• Technical Guideline on Minimum Security Measures – Guidance on the security measures in Article 13a
• Implementation of Article 4 – Recommendations for the technical implementation of Article 4 of the ePrivacy Directive
• Incentives and barriers of the cyber insurance market in Europe
• Annual incidents reports 2011
• Inter-X: Resilience of the Internet Interconnection Ecosystem
• …

Risk management in EU policy on electronic identification, authentication and signature (eIDAS)

What is the economic interest in electronic identity?
A recent view from "The Value of our Digital Identity" by Liberty Global, Inc., with permission of Boston Consulting Group, Inc.*
"Digital Identity":
• Individual preferences: What do you like?
• Acquired attributes: What did you do?
• Inherent characteristics: Where do you come from?
Digital identity: the sum of all digitally available information about an individual.
• Economic value of applications built on the use of digital identity for both public- and private-sector organisations: €330 billion in Europe by 2020
• Consumer benefit annually by 2020: more than double the organisational value, €670 billion
• Combined total digital identity value could amount to roughly 8% of the EU-27 GDP
* http://www.lgi.com/PDF/public-policy/The-Value-of-Our-Digital-Identity.pdf

What is the economic interest in electronic identity? Why is this question important?
"Personal data is the currency of today's digital market."*
* Speech by Viviane Reding, Vice-President of the European Commission, EU Justice Commissioner, "The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age", Innovation Conference Digital, Life, Design, Munich, 22 January 2012, http://ec.europa.eu/commission_2010-2014/reding/pdf/speeches/s1226_en.pdf

"Digital identity" vs electronic identification and trust services (eIDAS)
• Digital identity: personal data = digital currency; user enablement; an "economic" drive
• eIDAS: trusted assertions/credentials; user empowerment; personal data = private asset; a "trust-building" drive

Rolling out eIDAS: the EU approach
• Technical interoperability
• Legal certainty
• A 2-tier approach
WHY?

Large Scale Pilots (LSPs)
• Interoperable eProcurement: 19 partners, 11 countries, total budget 30.8M€
• Electronic Identity: 32 partners, 14 countries, total budget 26M€
• Patient Summary/ePrescribing: 47 partners, 23 countries, total budget 23M€
• Business mobility: 33 partners, 16 countries, total budget 24M€
• eJustice: 17 partners, 15 countries, total budget 14M€

European Commission legislative proposal on eIDAS
Proposal for a Regulation of the European Parliament and of the Council on "Electronic identification and trust services for electronic transactions in the internal market" (COM(2012) 238 final) {SWD(2012) 135 final} {SWD(2012) 136 final}

eIDAS in the EU
• Electronic ID cards exist in 7 MS: Belgium, Estonia, Finland, Germany, Italy, Portugal and Spain.
• Other forms of e-ID, like citizen cards, service cards and access tokens, are used in 10 MS: Austria, Czech Republic, Denmark, Estonia, Ireland, Lithuania, Luxembourg, The Netherlands, Slovenia and Sweden.
• e-Signature: Directive 1999/93/EC transposed in all MS

What is the Commission proposal's ambition?
• Provide a legal framework for the development of a trustworthy environment to facilitate and enable cross-border secure services and to stimulate business opportunities

How?
1. By ensuring that people and businesses can use and leverage across borders their national eIDs to access at least public services in other EU countries.
2. By removing the barriers to the internal market for e-Signatures and related online trust services across borders, i.e. by ensuring that trust services have the same legal value as in traditional paper-based processes.

What is the scope of the proposed Regulation?
1. Mutual recognition of electronic identification
2. Electronic trust services:
  1. Electronic signatures: interoperability and usability
  2. Electronic seals: interoperability and usability
  3. Cross-border dimension of:
    1. Time stamping
    2. Electronic delivery service
    3. Electronic documents admissibility
    4. Website authentication

Article 15 "Security requirements applicable to trust service providers"
1. Trust service providers who are established in the territory of the Union shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to state of the art, these measures shall ensure that the level of security is appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of adverse effects of any incidents. Without prejudice to Article 16(1), any trust service provider may submit the report of a security audit carried out by a recognised independent body to the supervisory body to confirm that appropriate security measures have been taken.
2. Trust service providers shall, without undue delay and where feasible not later than 24 hours after having become aware of it, notify the competent supervisory body, the competent national body for information security and other relevant third parties such as data protection authorities of any breach of security or loss of integrity that has a significant impact on the trust service provided and on the personal data maintained therein. […]
3. The supervisory body shall provide to ENISA and to the Commission once a year with a summary of breach notifications received from trust service providers.

Risk management in the forthcoming legislative proposal on Network and Information Security

Legislative proposal on Network and Information Security (NIS) – Article 114 TFEU
Goal: a high level of NIS and smooth functioning of the internal market, resting on:
• Preparedness: national capabilities
• EU-level cooperation: comparable capabilities and mutual trust
• A culture of NIS across sectors: NIS risk management and public-private cooperation

Key elements (1/3)
• Common NIS requirements at national level:
  National NIS strategy and NIS cooperation plan
  National NIS competent authority
  Computer Emergency Response Team (CERT)

Key elements (2/3)
• NIS competent authorities to cooperate within a network at EU level – NIS cooperation plan:
  Early warnings and coordinated response
  Capacity building and peer reviews
  NIS exercises at EU level

Key elements (3/3)
• Risk management requirements and obligation to report significant incidents to the NIS competent authorities for players in:
  Energy – electricity and gas
  Credit institutions and stock exchanges
  Transport – air, maritime, rail
  Healthcare
  Enablers of key Internet services
  Public administrations

Thanks!

For further information and feedback
http://ec.europa.eu/information_society/policy/esignature/eu_legislation/regulation
http://ec.europa.eu/information_society/policy/esignature
CNECT-TF-eIDAS-LT@ec.europa.eu

Web sites
• EU policy on Critical Information Infrastructure Protection – CIIP
http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm
• A Digital Agenda for Europe
http://ec.europa.eu/information_society/digitalagenda/index_en.htm
• EU policy on promoting a secure Information Society
http://ec.europa.eu/information_society/policy/nis/index_en.htm
• European principles and guidelines for Internet resilience and stability
http://ec.europa.eu/information_society/policy/nis/docs/principles_ciip/guidelines_internet_fin.pdf

Links to policy documents
• Council conclusions on Critical Information Infrastructure Protection
http://register.consilium.europa.eu/pdf/en/11/st10/st10299.en11.pdf
• Commission Communication on Critical Information Infrastructure Protection – "Achievements and next steps: towards global cyber-security" - COM(2011) 163
http://ec.europa.eu/information_society/policy/nis/docs/comm_2011/comm_163_en.pdf
• Digital Agenda for Europe - COM(2010)245 of 19 May 2010
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0245:FIN:EN:PDF
• The EU Internal Security Strategy in Action: Five steps towards a more secure Europe - COM(2010)673
http://ec.europa.eu/commission_2010-2014/malmstrom/archive/internal_security_strategy_in_action_en.pdf
• Commission Communication on Critical Information Infrastructure Protection – "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience" - COM(2009) 149
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:PDF