Anyone who works with flows, logs and other sources of information to protect network and information security should already be familiar with Recital 49 of the GDPR, where European legislators explained why that was (subject to a risk-based design) a good thing. Now the European Commission has published its draft of the replacement Network and […]
Tag: NIS Directive
Posts relating to the European Network and Information Security Directive (2016/1148)
The Government has published the Network and Information Security Regulations 2018, which will implement the EU NIS Directive in the UK from May 9th. The education sector is not covered by either law. Where we might have been inadvertently captured was in the provisions for DNS Services. These cover both authoritative domain servers and DNS […]
[UPDATE: the Directive has now been published, with Member States required to transpose it into their national laws by 9 May 2018] The European Council has published the text of the Network and Information Security Directive recently agreed by its representatives and those of the European Parliament. This still needs to be “technically finalised” (in […]
Categories
Reducing the Impact of Privacy Breaches
At present only public telecommunications providers are required by European law to notify their customers of security breaches affecting their privacy, including breaches that the confidentiality, integrity or availability of personal data. In the UK the Information Commissioner has published recommendations on handling privacy breaches, including when to notify those affected. Requirements to notify privacy […]
The various committees of the European Parliament have now published their response to the Commission’s draft Network and Information Security Directive. Their proposal is much more narrowly focussed than the Commission’s: public administrations are excluded (though individual Member States are allowed to opt theirs in), as they already “have to exert due diligence in the […]
The Department for Business, Innovation and Skills has published a summary of the responses to its consultation on the proposed EU Directive on Network and Information Security (NIS) (JANET’s response). Summarising that summary (!): There seems to be agreement that there is a role for the EU in Network and Information Security, in particular in […]
Categories
Can Internet Stability be Regulated?
A wide-ranging panel discussion at the TERENA Networking Conference considered the stability of the Internet routing system at all levels from technology to regulation. The conclusion seemed to be that at the moment the Internet is stable because two systems, technical and human, compensate effectively for each others’ failings. While improvements to increase stability may […]
Categories
Critical Cloud Computing
ENISA’s Critical Cloud Computing report examines cloud from a Critical Information Infrastructure Protection (CIIP) perspective: what is the impact on society of outages or attacks? The increasing adoption of the cloud model has both benefits and risks. A previous ENISA report noted that the massive scale of cloud providers makes state of the art security […]
I’ve submitted a Janet response to a European consultation on a future EU Network and Information Security legislative initiative. The consultation itself seems to suffer from “if you only have a hammer” syndrome: if you’re a legislator then it must be tempting to think that all problems (lack of reporting of “cybercrimes”, insecure end-user computers, […]
Categories
EC Internal Security Strategy
The European Commission have recently published a more detailed action plan to support their draft Internal Security Strategy from earlier this year (that’s “internal” as in “within the continent”, by the way!). Most of the strategy covers physical security, including natural and man-made disasters, but one of the five strategic objectives is to “Raise levels […]