Synopsis

In the series of articles titled “Incident Response Life Cycle in NIST and ISO standards” we have already reviewed the incident response life cycle defined and described in NIST Special Publication (SP) 800-61, Computer Security Incident Handling Guide.

We also discussed the information sharing requirements of NIST SP 800-61 and described how cybersecurity information sharing can be automated with the Department of Homeland Security (DHS) Automated Indicator Sharing (AIS) system.

Before we move on to the ISO/IEC 27035 standard, we believe it is worth discussing briefly how cybersecurity information sharing is regulated in the European Union.

So in this two-part article we discuss the so-called EU NIS Directive (Directive (EU) 2016/1148 on security of network and information systems). NIS refers to “network and information systems”. The NIS Directive is EU legislation that was adopted in 2016.

This is the second part of this article.

If your company conducts or plans to conduct business in the EU, the EU NIS Directive may concern you.

And, by the way, by “conducting business in the EU” we also mean offering digital services to customers located in the EU. Read on…

Security and notification requirements for affected entities

The directive sets security and incident notification requirements for both classes of entities it covers: operators of essential services and digital service providers.

First of all, it states that they should implement appropriate and proportionate technical and organizational security measures to manage the risks they face. In practice this means that security measures should be selected only after a proper risk analysis has been performed, and should match its results.

As for incidents, the directive requires these entities to notify the competent national authority or the national CSIRT of all incidents that have a significant impact on the continuity of their services. There is no “hard” definition of “significant impact” in the directive, but it lists the criteria to be taken into account when determining whether an impact is significant: the number of users affected, the duration of the incident and the geographical spread of the area affected (for digital service providers, additionally the extent of the disruption of the service and the extent of the impact on economic and societal activities).

Such reporting allows the national CSIRT to determine whether the reported incident has any country-wide or cross-border impact; if so, the national CSIRT can take appropriate action, including informing the other member states affected.

What is very important, the directive protects the sensitive business information of entities reporting incidents: the national CSIRT is to “preserve commercial interests and confidentiality” of the notifying entity and of the information it provides.

Consider using security automation software to automate procedures and tasks related to incident notifications imposed by the EU NIS Directive.

A feedback mechanism is also included in the EU NIS Directive: the national CSIRT or competent authority is to provide the notifying entity with relevant information regarding the follow-up of its notification, such as information that could support effective incident handling, so that the reporting entity can use it to combat the reported incident.

As for digital service providers, there are two important differences in approach.

Firstly, operators of essential services might rely on externally owned infrastructure to provide their services. For example, an electricity distribution operator might rely on cloud-based servers to provide billing services for its customers. In such a case, an incident at the cloud service provider might immediately become an incident at the operator of essential services. The question is, who is to report such an incident? The directive says that any significant impact on the continuity of the essential service caused by an incident at the digital service provider is to be notified by the operator (which is logical, because the operator is the last link in the chain).

Secondly, operators of essential services are usually large companies. This is not the case for digital service providers (online marketplaces, online search engines and cloud computing services), which can be small companies. Because reporting and the other mechanisms of the directive can be costly for a small company, micro and small enterprises are excluded from the directive's obligations on digital service providers, including incident reporting.

Jurisdiction and enforcement

Enforcement mechanisms are built into the directive to help member states enforce its rules. It is important to understand that the directive, although it is law concerning all EU member states, is not a detailed regulation that applies directly to companies. Instead, it obliges member states to transpose it into detailed national legislation compliant with the EU NIS Directive (the transposition deadline was 9 May 2018), and it is that national legislation, with the competent authorities and penalties the directive requires member states to put in place, that is enforced against individual entities.

One interesting and important question remains: how is the directive supposed to enforce compliance on providers whose IT systems are located outside the European Union?

This problem is addressed in the directive: a digital service provider that is not established in the EU but offers services there is to designate a “representative” in one of the member states in which it offers its services. As the directive states, the provider is then deemed to be under the jurisdiction of the member state where the representative is established, and so becomes legally bound by that state's law implementing the directive.

So, if your company provides digital services whose end users are located in the EU, I recommend that you study the directive and discuss its implications internally.

CSIRT requirements and tasks

The EU NIS Directive contains an annex (Annex I) that defines the requirements and tasks of a Computer Security Incident Response Team. These are grouped in two short and clear lists. If you are just starting your computer emergency response team, these lists may be very helpful.

The main purpose of publishing these lists is to help establish national CSIRTs successfully, because, as the directive states, “an officially recognized mandate” is fundamental for a national CSIRT to succeed (i.e. to secure budget, resources and infrastructure).

Standardization

An important statement of the directive is that member states are to encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems, without imposing or discriminating in favour of a particular type of technology, in order to achieve a high level of security.

This is important because in many regulations the regulators try to enumerate very detailed security requirements instead of referencing well-established security standards or recommendations (such as ISO/IEC 27035 or NIST SP 800-61 in the area of incident management).

Summary

The European Union NIS Directive is essentially the first step towards an EU-wide incident management system.

If your company conducts or plans to conduct business in the European Union, the directive affects you: you should be aware of its contents and prepare accordingly.

But even if your company is not directly or indirectly affected by European law, the EU NIS Directive is worth reading, as it contains a lot of useful information.

Final remark

The directive states that a culture of risk management should be promoted and developed in each member state. This is indeed of critical significance in ensuring information security. We often rush to implement security measures without ensuring that they match the risks. No security measure will be effective in protecting an organization's strategic goals if it is not applied after a proper risk analysis.

(We have not covered all aspects of the EU NIS Directive in this two-part article; it concentrated on incident information sharing and incident management cooperation.)

References and further reading

Cybersecurity Information Sharing – European Perspective (part 1 of 2)
European Union Directive on security of network and information systems
Information Sharing Recommendations of NIST SP 800-61
Automated Cybersecurity Information Sharing with DHS AIS system
Introduction to Incident Response Life Cycle of NIST SP 800-61