This document discusses current and upcoming cybersecurity policies and directives in Europe. It summarizes that the EU considers cybercrime a major threat and has made it a priority between 2014-2017. Key policies and directives discussed include the EU's Critical Infrastructure Protection policy from 2009, directives on combating child abuse and attacks against information systems, and the upcoming Cyber Security and Data Protection directives. The document outlines the objectives and focus areas of these policies to enhance cybersecurity capabilities and cooperation across Europe.

1. European Cyber and Data security,
What is coming and how we can be prepared
for it

2. Who Am I?

3. Who Am I?
CEO of BH Consulting – Independent Information Security Firm
 Founder & Head of IRISSCERT – Ireland’s first Computer
Emergency Response Team
 Special Advisor on Internet Security Europol's CyberCrime
Centre (EC3)
 Adjunct Lecturer at University College Dublin
 Expert Advisor to European Network & Information Security
Agency (ENISA)
 Regularly comments on media stories –
BBC, Forbes, Bloomberg, FT, Guardian, Sunday Times

6. “considers cybercrime to be an
ever-increasing threat to the EU in
the form of large-scale data
breaches, online fraud and child
sexual exploitation, while profit-driven
cybercrime is becoming an
enabler for other types of criminal
activity..”
Europol Serious & Organised Threat
Assessment 2013

7. “Total Global Impact of
CyberCrime US$ 3 Trillion, making
it more profitable than the global
trade in marijuana, cocaine and
heroin combined.”
Europol Serious & Organised Threat
Assessment 2013

8. “cybercrime as one of nine EU
priorities in the fight against
serious and organised crime
between 2014 and 2017”
The Justice and Home Affairs Council
of 6-7 June 2013

10. Policy on Critical Information Infrastructure Protection (CIIP)
– 2009
Focusing on the protection of Europe from cyber disruptions
by enhancing security and resilience.
 Based on five pillars:
 Preparedness and prevention
 Detection and response
 Mitigation and recovery
 International cooperation
 Criteria for European Critical Infrastructures in the field
of ICT.

11. DIRECTIVE 2011/92/EU OF THE EUROPEAN PARLIAMENT
AND OF THE COUNCIL
of 13 December 2011
on combating the sexual abuse and sexual exploitation of
children and child pornography, and replacing Council
Framework Decision 2004/68/JHA
(to be transposed into national law in the Member States by 18th
December 2013)

12. DIRECTIVE 2013/40/EU OF THE EUROPEAN PARLIAMENT
AND OF THE COUNCIL
of 12 August 2013
on attacks against information systems and replacing
Council Framework Decision 2005/222/JH
(to be transposed into national law in the Member States by 4th
September 2015)

13.  This Directive
 Sets out minimum rules defining criminal offences.
 Improves operational cooperation between Member
States’ national law enforcement services
 Improves operational cooperation between Member
States and relevant EU agencies (Eurojust, Europol,
ENISA).
 Member States have to respond within eight hours to
an urgent request related to a cyber-attack.
 EU agencies will conduct threat assessments and
strategic analyses of cybercrime
 All such activities have also to comply with existing EU
legislation on privacy and electronic communication
and data protection

14.  The main crimes defined in the Directive are
 illegal access to information systems,
 illegal interference with systems or data,
 illegal interception of data transmissions,
 stricter criminal sanctions for botnets

15. EU Cyber Security Strategy - 2013
 Key Priorities For the Strategy
 Freedom and openness
 The EU's laws, norms and core values apply as much
in cyberspace as in the physical world
 Developing cyber security capacity building
 Fostering international cooperation in cyberspace

16. The Cyber Security Directive
(formally known as the Network & Information Security
Directive) (the Directive)
 bring all member states to a minimum security standard
 promote cooperation and ensure preparedness and
transparency in important sectors
 introduce mandatory breach notification for certain
organisations
 All member states to develop a National Security Strategy
 Appointment of a single point of contact among national
competent authorities (NCAs)

17. Changes to Data Protection Directive
 View to being ratified in 2015
 Fines of up to €100 million or 5% of Global Turnover for Data
Breaches
 Mandatory Breach Notification “without undue delay”
 Right to Be Forgotten
 Companies with more than 250 employees will need to have a
Data Protection Officer
 Privacy by Default baked into all business processes &
services

18. Trend Micro's UK Study re Data Protection Directive
 50% of UK IT decision makers were unaware of the
impending legislation
 25% percent adamant that compliance is not achievable

20. Objectives
 To enhance the capability of the Commission, other EU bodies and the
Member States to prevent, address and to respond to NIS problems
 To provide assistance and deliver advice to the Commission and the MS on
issues related to NIS falling within its competencies as set out in this
Regulation
 To develop a high level of expertise and use this expertise to stimulate broad
cooperation between actors from the public and private sectors
 To assist the Commission, where called upon, in the technical preparatory
work for updating and developing Community legislation in the field of NIS.

21.  Computer Emergency Response Teams
 Resilience of Networks and Services and Critical Information
Infrastructure Protection
 Identity, Privacy and Trust
 Risk Management
Areas of Research

23. National Cyber Security Strategies

25. Countries aligned for the deployment of the European Cyber
Security Month

26. List of available courses and certification
programmes

30. @BrianHonan
Brian.honan@bhconsulting.ie