Generic placeholder image

E.U. Cyber Security Institutional Network & Legal Framework

Miami - November 20, 2020

1 - Institutional Network

The EU Cyber Security Institutional Network is composed of 4 main stakeholders which are increasingly working together since 2013 namely EUROPOL, CERT-EU, ENISA and the EU COMMISSION:

- EUROPOL (European Union Agency for Law Enforcement Cooperation) was formed in 1998. Since 2013, it has a European Cybercrime Centre (EC3 based in the Hague, Netherlands) that coordinates cross-border law enforcement activities against computer crime and acts as a centre of technical expertise on the matter.

- CERT-EU (European Union Computer Emergency Response Team, the EU “anti-cyberattacks” team created in 2012 and headquartered in Brussels) is made up of IT security experts from the main EU Institutions (European Commission, General Secretariat of the Council, European Parliament, Committee of the Regions, Economic and Social Committee). It cooperates closely with Member States’ CERTs and with specialized IT security companies.

- In 2013, the E.U. COMMISSION adopted the E.U. Cybersecurity Strategy. This led to the reform and strengthening of the EUROPEAN UNION AGENCY FOR CYBERSECURITY (ENISA). The ENISA was formed in 2004 and is headquartered in Athens (main office) and Heraklion, Greece. The ENISA is regulated by the EU Regulation No 2019/88 (also known as ‘Cybersecurity Act’ which has been in force since 2019). It works with the EU Commission, EU Members States and other stakeholders (e.g. CERT-EU and EUROPOL) to deliver advice/solutions and improve cybersecurity capabilities within the EU. It supports the development of a cooperative response to large-scale cross-border cybersecurity incidents/crises. Since 2019, in line with the Cybersecurity Act, ENISA has been drawing up EU cybersecurity certification schemes for Information and communications technology (ICT) products. ENISA assists the EU Commission, Member States and the EU business community in meeting the requirements of the EU NIS Directive 2016/1148 (as further explained below).

2 – Legal Framework: NIS Directive

The EU Directive 2016/1148 (better known as the “NIS Directive”) on Measures for High Common Level of Security of Network (including Electronic Communications Networks) and Information Systems (including all Digital Data thereon including Personal Data) across EU can be summarized as follows:

2.1 Purpose:

The NIS Directive aims to improve (i) cybersecurity capabilities at national level and foster better cybersecurity communication among Member States, and (ii) the functioning of the Internal Market.

2.2 Scope of the NIS Directive (EU Critical Infrastructure):

The NIS Directive only applies to Operators (public/private) of Essential Services (also called “OoESs”) and Digital Service Providers (“DSPs” which provide online marketplace/search engine and cloud computing services) on which OoESs rely to deliver services that are essential to maintain EU’s critical societal and economic activities [energy (electricity, gas and oil), transport, banking, financial market infrastructures, health sector, drinking water supply and distribution, digital infrastructure].

Nota Bene: Agriculture, Telecommunications and Police/Military Security NOT LISTED by the NIS Directive as part of the EU Cyber Security-related Critical Infrastructure.

2.3 Obligations to take appropriate measures and notify competent authorities

OoESs and DSPs must take all appropriate ‘state of the art’ technical and organizational measures to prevent/minimize impact of incidents affecting security of their network and information systems to ensure continuity of Essential Services. If incidents have significant/substantial impact on the continuity of the delivery of Essential Services, OoESs and/or DSPs have the obligation to notify national competent authority or computer security incident response teams.

Dr. Ariel Humphrey