Slides from my keynote at the Luxembourg Internet Days 2018. The presentation aims at briefly introducing a wider audience to the NIS directive, the 'cybersecurity arm' of the Digital Single Market.
2. Welcome
Rayna Stamboliyska, Security and Compliance (risk & crisis management)
Author, “La face cachée d’Internet” (Prix du livre cyber “Grand public”, FIC 2018)
rayna@rs-strategy.consulting | @MaliciaRogue
3. What is the NIS Directive?
The Network and Information Security Directive aims to:
◉ Ensure strong common security standards across the EU;
◉ Improve information system and network governance & security;
◉ Strengthen defense and resilience.
=> the cybersecurity arm of the Digital Single Market
4. What must Member States do?
◉ Create institutions dedicated to cybersecurity;
◉ Develop inter-CSIRT collaboration;
◉ Identify concerned organisations and lead them to compliance with NIS;
◉ Ensure organisations remain compliant with NIS.
NB: Some organisations are excluded (to avoid cumulating legal obligations), e.g. electronic communications providers, eIDAS-concerned entities, French “OIV”, etc.
5. Is my organisation concerned?
YES if you are in one of these industries:
[Figure: two columns of sectors, headed “Essential Services” and “Digital Services”]
6. The road to compliance
Albeit vague, the NIS Directive insists on:
◉ Identify and master: risk management;
◉ Map, audit and get official approval: implement security;
◉ Compartmentalise, filter, implement IAM: consolidate architecture;
◉ Monitor, detect and fix: maintain security;
=> all that’s common sense… or is it a necessary evil?
9. “Loi de Programmation militaire” (since 2013)
◉ Legislative vehicle for security at vital services providers
◉ Articulated in 20 rules with varying compliance timelines;
◉ Defines “SIIV”: declaration-based perimeters;
◉ Governance, audit & official approval are a thing;
◉ Incident management becomes of vital importance (PDIS, PRIS);
◉ Parallelise & build upon existing expertise despite office politics.
=> ROI & all-encompassing compliance approach
10. Remember: Security is a risky business
◉ Timelines may exert pressure;
◉ What if legislation is slow to come by?
◉ Adjusting expectations might cost you greatly;
◉ Harmony is really hard: a unique EU-wide reference institution? Critical & sensitive intel sharing?
11. Threat modelling is the new black
Intimate knowledge of your systems and tools, and of how they evolve, both technically and functionally, is crucial:
use it to weigh and structure your strategy.
12. Thanks!
Rayna Stamboliyska, Security and Compliance (risk & crisis management)
Author, “La face cachée d’Internet” (Prix du livre cyber “Grand public”, FIC 2018)
rayna@rs-strategy.consulting | @MaliciaRogue