The European Union Agency for Cybersecurity (ENISA) has been supporting the European Union (EU) Member States in developing, implementing and evaluating their cyber security strategies. Since 2012 and as part of this support, ENISA has been developing tools, studies and guidelines to help EU Member States build on their national cyber security strategies. The latest of these developments, launched on 28 November 2019, is a security mapping tool for operators of essential services (OES) and digital service providers (DSPs) in the energy, banking, health and digital infrastructure sectors, helping them comply with their obligations under the Network and Information Systems Directive 2016/1148 (NIS Directive).

Below we take a closer look at the new security mapping tool.

The NIS Directive

ENISA notes that the initiative for the security mapping tool comes from the NIS Directive. Adopted in 2016, the NIS Directive is the first cybersecurity legislation passed by the European Union (EU). The Directive aims to achieve a high common standard of network and information security across all EU Member States.

The NIS Directive applies to OES and DSPs. It sets a range of network and information security requirements. Under the NIS Directive, the OES and DSPs must:

  • Secure their network and information systems by taking technical and organisational measures appropriate to the risk
  • Ensure service continuity by taking appropriate measures to prevent incidents
  • Notify the national regulator of any substantial security incident

The security mapping tool

The security mapping tool aims to facilitate the search of security measures and security controls in international standards. In its press release (here),ENISA sets out how the tool will help individual operators and EU Member States assess their security measures:

  • Operators can get an assessment of their information security practices against the requirements adopted by the NIS Directive
  • EU Member States can use the tool to identify issues and look for solutions when assessing the security measures of their national OES and possibly identify a mapping to corresponding national security measures of other EU Member States

The tool allows users to select security measures associated with a particular sector (air transport, digital infrastructure, water supply, electricity, financial and banking, health, oil and gas or water transport) or specific EU countries.

The tool touches upon crucial security measures such as:

  • Incident reporting: creating and keeping up-to-date records and procedures for reporting incidents
  • Detection: setting up a security detection system including protocols which analyse data flows in order to detect events likely to affect system security
  • Authentication and identification: setting up unique accounts for users or for automated processes
  • System segregation: segregating systems in order to limit propagation of IT-related security incidents

Comment

ENISA is playing an instrumental role in helping Member States develop their cyber security strategies. According to ENISA (here), all 28 Member States have a national cyber security strategy and many of them are developing their second or third versions.

While tools such as ENISA’s security mapping tool do not replace existing standards, frameworks or good practices, the launch of the tool assists with achieving a converged and consistent level of security in network and information systems across the EU.

The new tool is available through an online platform, and you can access it here.