1. TRANSPOSING THE NIS DIRECTIVE
PROGRESS AND BEST PRACTICES FROM SLOVAKIA
Rastislav Janota
Chairman
Cyber Security Committee
Security Council of the Slovak Republic
National Security Authority
2. Cybersecurity is a topic for whom?
Who should take care of cybersecurity?
WE ALL!
Everyone is responsible for their own data and their own services...
3. Challenges during process
• Alignment with other regulations and their regulators
• Defining the balance between minimum regulation and a comprehensive regulation approach
• Creating the national CSIRT network structure, accreditation of CSIRTs incl. private ones
• Alignment with Critical Infrastructure Protection legislation
• Definitions of sectors and subsectors for OES incl. managing authorities and their duties
• Mandatory government CSIRTs for sectorial managing authorities, government outsourcing and last-resort option
• Defining areas for future voluntary ‘win-win’ cooperation with the market instead of mandatory duties
4. Different EU REGULATIONS
• General Data Protection Regulation (GDPR) – 2016/679
– To strengthen and unify data protection for all individuals within the European Union (EU)
– Regulator – Office for Personal Data Protection of the Slovak Republic
• Payment Services Directive (PSD2) – 2015/2366
– To regulate payment services and payment service providers throughout the European Union (EU)
– Regulator – National Bank of Slovakia
• Regulatory framework for electronic communications – Telecoms Package (2009)
– To create a common set of regulations for the telecoms industry across all 27 EU states
– Regulator – Regulatory Authority for Electronic Communication and Postal Services
• Network and Information Security Directive 2016/1148
– To force companies and organizations to protect their systems/data from cyber-attacks
– Regulator – National Security Authority
5. Basic cyberspace activities
• Cyber Crime
– Responsible: Ministry of Interior (police, crime investigators), prosecutors, courts
• Cyber Defense
– Ministry of Defense
• Cyber Intelligence
– Intelligence services
• Cyber Security
– National Security Authority
– NIS transposition
– Cybersecurity regulation
– Regulation of sectors/subsectors
– Security standards, risk management, auditing, regulation, enforcement work
– Incident reporting and handling
– National Cybersecurity Centre and National CSIRT (SK-CERT)
– Security Operation Centre
6. Cybersecurity law in Slovakia
Content of law
• Definitions
• Cybersecurity governance in the Slovak Republic
• National Cybersecurity Centre (and SK-CERT)
• Integrated Cybersecurity Information System
• Duties and capacities of Operator of essential services and Digital service provider
• CSIRT units and their accreditation
• Security requirements and incident notification and handling
• Implementation and enforcement
• Other procedures and bylaws
• Update (alignment) of Critical Infrastructure Law with Cybersecurity Law
• Definition of sectors and subsectors for OES
7. Cybersecurity governance in Slovakia
[Organisation chart. Entities shown: Parliament; Government; Security Council; Cyber Security Committee; National Security Authority; National Cybersecurity Centre / SK-CERT; Managing authority for Sector/Subsector 1; Managing authority for Sector/Subsector 2; Managing authority for Sector/Subsector n; CSIRT for Sector 1 and 2; CSIRT for Sector n; Commercial CSIRT]
8. Definition of sectors and subsectors for OES
Sector | Subsector | Managing authority | CIP NIS CIIP
Banking | | Ministry of Finance | ☑️ ☑️
Transport | Air transport | Ministry of transport and construction | ☑️ ☑️ ☑️
Transport | Rail transport | Ministry of transport and construction | ☑️ ☑️ ☑️
Transport | Water transport | Ministry of transport and construction | ☑️ ☑️ ☑️
Transport | Road transport | Ministry of transport and construction | ☑️ ☑️ ☑️
Digital Infrastructure | | National Security Authority | ☑️ ☑️
Electronic Communication | Satellite communication | Ministry of transport and construction | ☑️ ☑️
Electronic Communication | Electronic communications networks and electronic communications services | Ministry of transport and construction | ☑️ ☑️
Financial market infrastructures | | Ministry of Finance | ☑️ ☑️
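9. Definition of sectors and subsectors for OES
Sector | Subsector | Managing authority | CIP NIS CIIP
Postal services | | Ministry of transport and construction | ☑️ ☑️
Energy | Mining | Ministry of Economy | ☑️ ☑️
Energy | Electricity | Ministry of Economy | ☑️ ☑️ ☑️
Energy | Oil | Ministry of Economy | ☑️ ☑️ ☑️
Energy | Gas | Ministry of Economy | ☑️ ☑️ ☑️
Energy | Heat-power | Ministry of Economy | ☑️
Other Industries | Pharmaceutical | Ministry of Economy | ☑️ ☑️
Other Industries | Metallurgical | Ministry of Economy | ☑️ ☑️
Other Industries | Chemical | Ministry of Economy | ☑️ ☑️
Health | All medical facilities (incl. hospitals and private clinics) | Ministry of Health | ☑️ ☑️ ☑️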
10. Definition of sectors and subsectors for OES
Sector | Subsector | Managing authority | CIP NIS CIIP
Water and Atmosphere | Weather service | Ministry of the environment | ☑️ ☑️
Water and Atmosphere | Water works | Ministry of the environment | ☑️ ☑️
Water and Atmosphere | Drinking water supply and distribution | Ministry of the environment | ☑️ ☑️ ☑️
Public Administration | Public order and security | Ministry of interior | ☑️
Public Administration | Information systems of public administration | Deputy Prime Minister’s Office for Investments and Informatization | ☑️ ☑️
Public Administration | Defense | Ministry of defense | ☑️
Public Administration | Intelligence services | Intelligence services | ☑️
Public Administration | Classified Information Protection | National Security Authority | ☑️
11. NIS transposition Timeline
• July 2016 - NIS approval
• September 2016 - first internal draft
• October 2016 - NIS Implementation international workshop, Bratislava
• December 2016 – first round of public consultation
• End of January, February 2017 – second round of public consultation
• February 2017 – public workshop after second public consultation
• March – May 2017 – third round of public consultation
• June 2017 – official intra-ministerial commenting procedure
• July – September 2017 – preparation of final version
• October 2017 – approval by Slovak government
• November 2017 – parliament procedure
• January 2018 - approval of the law by parliament
• March 1st, 2018 – entry into force