The European Commission’s Cyber Security Strategy aims to ensure that Europe benefits from a “robust and innovative Internet”. The Strategy has five priorities:

• Achieving cyber resilience
• Drastically reducing cybercrime
• Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP)
• Develop the industrial and technological resources for cybersecurity
• Establish a coherent international cyberspace policy for the European Union and promote core EU values

The first of those is most directly relevant to network operators. Here the Commission see three requirements, to be implemented by way of a draft Directive:

• Ensuring that all Member States have a basic Network and Information Security capability to include a national NIS strategy, an NIS authority and “a well-functioning CERT”;
• Ensuring that those national authorities cooperate to prevent, detect, mitigate and respond to incidents;
• Improving preparedness and engagement of the private sector operators on whom the Internet depends.

Breach Notification

The Commission’s press release has a detailed list of those “key internet companies”, who will be subject to similar NIS requirements as are already in place for public electronic communications service providers:

• Cloud computing services (“XaaS”)
• Search engines
• eCommerce platform providers (e.g. eBay, Amazon, tripadvisor, Expedia,…)
• Payment services
• Cloud service providers (Dropbox, iCloud, Flickr etc.)
• VoIP and other communications services
• Social Network providers (oddly Blogger is explicitly included but WordPress is explicitly excluded)
• Video and music sharing platforms
• Major on-line games
• Application stores.

These will be required to demonstrate that they take appropriate measures against NIS risks in designing their services, and to notify the national authority if they suffer “incidents having a significant impact on the security of core services”. The aim is to allow the identification of risks and best practice, as in ENISA’s recent report on the telecoms sector. The national authority may decide that the incident also needs to be publicly announced, but only after vulnerabilities have been fixed and taking due account of confidentiality. No time scale is set for these notifications but the text presents them as an extension of the arrangements for telecommunications providers, rather than those in the draft Data Protection Regulation whose 24 hour limit seemed to create a serious risk of distorting incident response priorities.

Incident Response Teams

Given that ENISA’s 2012 inventory lists nearly 200 CERTs in Europe it’s rather odd to find the Strategy and Directive requiring each member state to “set up a CERT”. In fact the Impact Assessment reveals that only three member states don’t already have one.

The tasks required of this national CERT are set out in Annex I of the draft Directive:

• Monitoring incidents at a national level,
• Providing early warning, alerts, announcements and dissemination of information to relevant stakeholders about risks and incidents,
• Responding to incidents,
• Providing dynamic risk and incident analysis and situational awareness,
• Building broad public awareness of the risks associated with online activities,
• Organising campaigns on NIS

In the UK, at least, those are currently done by a variety of different organisations: it’s not clear whether the Directive would mean changing that.

The draft Directive does recognise that there are already “informal and trusted channels of information-sharing between market operators and between the public and the private sectors” but if the idea is indeed to set up single ‘national CERTs’ then these will need to be very careful not to disrupt the existing relationships that are already deal effectively with many Internet incidents.