In the series of articles titled “Incident Response Life Cycle in NIST and ISO standards” we have already reviewed the incident response life cycle defined and described in NIST Special Publication (SP) 800-61 – Computer Security Incident Handling Guide.
We also discussed the information sharing requirements of NIST SP 800-61 and described how cybersecurity information sharing can be automated with the Department of Homeland Security (DHS) Automated Indicator Sharing (AIS) system.
Before we move on to the ISO/IEC 27035 standard, we believe it is worth briefly discussing how cybersecurity information sharing is regulated in the European Union.
So in this two-part article we discuss the so-called EU NIS Directive. NIS stands for “Network and Information Security”. The NIS Directive is a piece of EU legislation that was introduced in 2016.
If your company conducts or plans to conduct business in the EU, this directive may concern you.
And, by the way, by “conducting business in the EU” we also mean offering digital services to customers that are located in the EU. Read on…
Goals and scope of EU NIS Directive
The goal of the EU NIS Directive is to achieve a high common level of network and information security among EU member states (a member state is a country that is a member of the European Union).
This goal is divided into these sub-goals:
- all member states are to adopt a national information security strategy (called “a national strategy on the security of network and information systems”);
- a network of national CSIRTs (Computer Security Incident Response Teams) is to be created – to ensure smooth incident response cooperation among member states;
- a Cooperation Group is to be created, among other things to develop trust and confidence among member states;
- information sharing requirements are to be fulfilled by so-called “operators of essential services” and “digital service providers” (these notions will be explained later).
It is worth noting that these goals address (or at least try to address) two critical issues in wide-ranging (country-wide, EU-wide) incident management: a practical one, incident response cooperation, and a psychological one, trust.
They also force certain groups of entities to share information security data (mainly incident data).
Such an approach is powerful, and it places significant new obligations on many entities (including businesses). The goal, as mentioned above, is a high level of information security.
Operators of essential services and digital service providers
The EU NIS Directive concerns two types of entities:
- operators of essential services;
- digital service providers.
The directive defines an operator of essential services (in short) as a public or private entity that provides an IT-dependent service that is essential for critical societal (or economic) activities.
An additional criterion is that an (information) security incident at such an operator would have a so-called “significant disruptive effect”.
This disruptive effect is defined in more detail in the EU NIS Directive: six different factors are taken into account for this definition. These are factors such as the number of users affected, the size of the operator or the impact on societal activities.
The responsibility for determining (and maintaining) the list of operators of essential services lies with each member state. However, the member states are to choose them using the definition of an operator of essential services given in the Directive.
Also, the EU NIS Directive explicitly enumerates the categories of entities that fall under the definition of an operator of essential services. These are listed in the directive's annex and include categories such as energy sector entities, banking entities, digital sector entities, etc.
Another group of entities affected by the directive is the so-called digital service providers. There are three classes of such providers listed in the directive:
- online shops;
- search engines;
- cloud computing service providers.
Incident notification requirements
Country-level incident notification is at the core of the EU NIS Directive. This is in turn taken further to EU-level notification and coordination, but the first step is at the country (member state) level.
All operators of essential services and all digital service providers are obliged to report incidents that have or had a significant disruptive effect.
This is a very important step in the development of a resilient information security infrastructure in the European Union (and locally, in its member states). It defines who has to report an information security incident to a country-level CSIRT, and in which situations. This allows for:
- better detection and quicker coordination for country-wide (or EU-wide) incidents;
- more effective post-event analysis of incidents, and thus more effective protective activities.
The incident reports are then to be submitted periodically to the EU-level coordination body (Coordination Group), which is created by the EU NIS Directive and is responsible for coordinating information security activities among EU member states.
Cooperation among country-level CSIRTs
The directive creates the so-called “CSIRTs network”. It consists of country-level CSIRTs and EU coordinating entities. The main goal of this new entity is to formally organize cooperation and information exchange among country-level CSIRTs.
The Cyber Europe 2016 incident response exercises (more on them in one of my next articles) showed that a lot remains to be done in terms of country-level incident information exchange and also in terms of exchanging information among countries. Sometimes an incident affects multiple large entities in a country. These entities often do not wish to share incident information immediately (for obvious business reasons). The EU NIS Directive creates ways to communicate about such an incident without, for example, directly exchanging information with a competing company. Problems can be even bigger when an incident affects multiple countries. Quick and effective information exchange between country-level CSIRTs could help eradicate such an incident much more quickly.
And these are exactly the goals of the “CSIRTs network”, which include e.g. “identifying a coordinated response” or “addressing cross-border incidents”.
You can compare these possibilities and requirements with the Cybersecurity Information Sharing Act (CISA).
In the next article, we will discuss notification requirements for entities affected by the EU NIS Directive and also jurisdictional matters, which are very important in terms of conducting business for EU-based customers.
References and further reading
European Union Directive on security of network and information systems
Information Sharing Recommendations of NIST SP 800-61
Automated Cybersecurity Information Sharing with DHS AIS system
Introduction to Incident Response Life Cycle of NIST SP 800-61