atw 2018-12
atw Vol. 63 (2018) | Issue 11/12 ı November/December
ENERGY POLICY, ECONOMY AND LAW 582
Sanctions:
There are three criminal sanctions for the operators of essential services:
• Directors that do not comply with the security rules, even after the timeline specified in a formal demand issued by the ANSSI, shall be punishable with a fine of €100,000;
• Directors that do not comply with their reporting obligation in case of an incident shall be punishable with a fine of €75,000;
• Directors that obstruct an investigation shall be punishable with a fine of €125,000.
NIS Implementation in Sweden
The NIS Directive is transposed. Implementation acts are:
Act (2018:000) “Information security for certain operators of essential services and digital service providers”
Ordinance (2018:000) “Information security for certain operators of essential services and digital service providers”
The national strategy on the security of network and information systems is available on:
https://www.government.se/legal-documents/2017/11/skr.-201617213/
Single point of contact is:
Swedish Civil Contingencies Agency (MSB)
651 81 Karlstad
E-Mail: spoc.nis@msb.se
National Computer Security Incident Response Team (CSIRT) is:
MSB/CERT-SE
E-Mail: cert@cert.se
Phone: +46 867 857 99
According to the Swedish NIS Directive law the following sectors are identified as essential services:
• Energy,
• Transportation,
• Banking,
• Financial market infrastructure,
• Health care,
• Water management and digital infrastructure.
Operators of essential services must immediately report significant disruptions to MSB. The reporting obligation must not have a negative effect on correcting the disruption. Specifications on what defines a significant disruption are announced in an ordinance/government agency regulation.
MSB established detailed assessment material to assist operators of essential services in deciding whether the directive is applicable to their service. MSB presented a catalogue of the identified criteria through a regulation. Operators of essential services are obliged to report to the supervisory authority without delay.
Relevant regulatory authorities are:
• Energy sector: Swedish Energy Agency
• Transportation sector: Swedish Transport Agency
• Banking: Swedish Financial Supervisory Authority
• Finance: Swedish Financial Supervisory Authority
• Health care: Swedish Health and Social Care Inspectorate
• Distribution of drinking water: The National Food Agency
• Digital infrastructure: Swedish Post and Telecom Authority
• Digital services: Swedish Post and Telecom Authority
Reporting obligations:
Operators of essential services must immediately report significant disruptions to the Swedish Civil Contingencies Agency.
Sanctions:
If the relevant authority finds that the supplier does not comply with the act or ordinance, they can instruct the supplier to take actions. The request can be combined with a penalty fine. The MSB shall decide on administrative fines from 5,000 SEK up to 10,000,000 SEK for not complying with the security requirements or incident notification.
NIS Implementation in the United Kingdom
The NIS Directive is transposed. The implementation of the EU Security of Networks and Information Systems (NIS) Directive in May 2018 requires Competent Authorities (CAs) to have the ability to assess the cyber security of Operators of Essential Services (OES).
In support of the UK NIS Directive implementation, the NCSC is committed to working with lead government departments, regulators and industry to develop a systematic method of assessing the extent to which an organisation is adequately managing cyber security risks in relation to the delivery of essential services. This assessment method, otherwise known as the Cyber Assessment Framework (CAF), is intended to meet both NIS Directive requirements and wider CNI needs.
You find indicators of good practice for four different objectives:
Objective A
A.1. Governance
A.2. Risk Management
A.3. Asset Management
Source: https://www.ncsc.gov.uk/guidance/caf-objective-a
Objective B
B.1. Service Protection Policies and Processes
B.2. Identity and Access Control
B.3. Data Security
B.4. System Security
B.5. Resilient Networks and Systems
B.6. Staff Awareness and Training
Source: https://www.ncsc.gov.uk/guidance/caf-objective-b
Objective C
C.1. Security Monitoring
C.2. Proactive Security Event Discovery
Source: https://www.ncsc.gov.uk/guidance/caf-objective-c
Objective D
D.1. Response and Recovery Planning
D.2. Lessons Learned
Source: https://www.ncsc.gov.uk/guidance/caf-objective-d
The national strategy on the security of network and information systems is available on:
https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021
Single Point of contact is:
National Cyber Security Centre (NCSC)
E-Mail: UKSPOC@ncsc.gov.uk
Phone: +44 300 020 0973
National Computer Security Incident Response Team (CSIRT) is as well the National Cyber Security Centre (NCSC).
In the UK unfortunately we find a lot of different national competent authorities for OES (= Operators of Essential Services):
ENERGY – Electricity / Gas
England, Scotland and Wales: Department for Business, Energy & Industrial Strategy / the Office of Gas and Electricity Markets
E-Mail: nis.energy@beis.gov.uk
Phone: +44 20 7901 7000
Northern Ireland: Department of Finance Northern Ireland
E-Mail: nis.ca@finance-ni.gov.uk
ENERGY – Oil
England, Scotland and Wales:
Development on NIS Directive in Different EU Countries in the Energy Sector ı Stefan Loubichi