![Page 2: Creating NIS Compliant Country in a Non-Regulated ... - FIRST · Jurica Cular | First Conference | Kuala Lumpur 2018 • NIS – Network Information Security Directive • EU Cyber](https://reader033.vdocuments.us/reader033/viewer/2022042404/5f1b30be7525a740904a8779/html5/thumbnails/2.jpg)
What is NIS, actually?
Jurica Cular | First Conference | Kuala Lumpur 2018
NIS Directive
• NIS – Network Information Security Directive
• EU Cyber Security Policy
• Mandatory for all EU states
• NOT Mandatory for all EU companies
• Focus on essential/critical services
Scope
• Operators of Essential Services - OES
• Digital Service Providers - DSP
OES
• Entity supplies service essential for maintaining critical social and economic activities
• Service supply fully depends on ICT
• Cyber incident would significantly impact service delivery
OES
• Energetics – electricity, oil, gas..
• Transportation – air, railway, roads, mainland
• Banking – credit institutions
• Financial markets infrastructure
• Health
• Water supply
• Digital infrastructure
DSP
• Online marketplace
• Online search engine
• Cloud computing service
Important dates
• August, 2016 – entry
• February, 2017 – CG/CN starts
• May, 2018 – transposition into local legal framework
• November, 2018 – MS to identify and report ES
• 2018 - EC control
• 2020+ - broad scope
Expectations
Member states
• Sectoral authorities
• Single POC
• Cyber strategy
• CERT
Incident reporting
• Incident reporting towards authority with „no delay” – 24-72 h from discovery
Standards
• „State-of-the-art” equipment
• „Guaranteed security level according to risk”
What is transposition?
EU Directive vs EU regulation
• EU Regulation
  • Immediately applicable and enforceable by law in all Member States
  • As good practice, Member States issue national legislation that defines the competent national authorities, inspection and sanctions on the subject matter
• EU Directive
  • Sets certain aims, requirements and concrete results that must be achieved in every Member State
  • Sets a process for it to be implemented by Member States
  • National authorities must create or adopt their legislation to meet these aims by the date specified in each given Directive
Croatia - current state of play
Croatia – current state of play
• Youngest EU member state - July 2013
• (Rather) Young country/democracy/free market
• All NIS sectors covered by law…but
• Sectoral regulation – banking and financial markets
• Water management – NO CI
How did we do it?
Process
• Working Group (WG) summer 2017
• Weekly meetings, drafting, polishing
• Final draft – December 2017
Who?
• NSA
• CERT Community
• Sectoral representatives
• Regulators
• MFA
Steps
• Identify current legislation – mostly non-existent
• Develop identification criteria by sector
• Analyze current audit/CERT capacities by sector
• Identify national competent authorities (NCA)
• Develop legislation scheme
• Write the LAW
• …..
Centralized Vs. Sectoral
• Depending on current country set up
• Centralized:
  • Single organization
  • Cyber skilled setup, NCSC
• Sectoral
  • Multiple sectoral authorities
  • Dispersed management
Legislation scheme
• OES and DSP cyber security law
  • Roles
  • Deadlines
  • Criteria
  • Penalties
• Statute on cyber security measures
  • Security measures
  • Reporting procedures
• Guidelines
Criteria - challenges
• What is essential?
• Different views by each sector
• Several types of criteria:
  • Number of users
  • Unique service provider
  • Capacities
  • Market share
  • Geographic dispersity
Croatia custom design
• Sectoral approach
• „Compliance body”
• 2 CERTs
• 8th sector – „Government information infrastructure services”
  • e-Citizen
  • Business services for state budget users
Lessons learned
What could have been done better?
• Develop national regulation/legislation
• Foster (cross)sector cooperation
• Invest in NCA skills and awareness
• Start early
• Communicate
• Test
Predictions
• Scenario 1
  • Not enough power/will to conduct by new law
  • Not enough resources within key role players
  • OES not investing
• Scenario 2
  • Full implementation with deadline flexibility
  • Close cooperation with OES
  • Use of CEF funds
  • Development of strong internal cyber services market