Standards & Legislation

Making standards in support of cybersecurity legislation

Monday 12 June 2017 - Amphi Athena (240 pax)

Register for Standards & Legislation to participate in the Standards & Legislation workshop on 12 June 2017.

Scope

The NIS Directive, General Data Protection Regulation, and the proposals for a Regulation on Privacy and Electronic Communications and the Directive establishing the European Electronic Communications Code are just a few examples of regulations designed to support a strong digital economy. Policy makers are taking up ambitious legislative initiatives for a secure digital economy for Europe and beyond. While there is broad understanding concerning the goals of these initiatives, what they actually mean for business has yet to come to the fore. The industry is challenged to provide products and services which comply with such legislation. As standards are expected to play an increasingly important role, adopting an integrated security approach from an early stage in the specification of any product or service, i.e. "security-by-design", as well as appropriate certification of products and services become of paramount importance while the cost and benefits need to be carefully balanced. Diverse global aspects also need to be taken into account to match the ambition of the Digital Single Market.

This workshop will gather policy makers and industrial players to discuss how and when standards can best support the above legislative initiatives, what type of standards, and how to ensure an effective collaboration between diverse interested parties.

The workshop will include four separate sessions covering the following topics:

  1. Information security risk management across sectors in the context of the NIS Directive as well as data confidentiality in the context of the GDPR.
    In light of the implementation of the NIS Directive across the EU and the prospect of the GDPR entry into force in May 2018, information security risk management is receiving a lot of attention from regulators and in boardrooms across a wide variety of sectors (financial services, health, transport, energy, digital service providers, government and more) both in the EU and globally. Both pieces of legislation refer to the need to take "appropriate technical and organisational measures" in accordance with the risks encountered.
    What role can the standardization community play in ensuring a coherent and continuously effective approach to information security risk management across these very diverse sectors and in the evolving threats landscape? Are existing standards and risk management approaches still fit for purpose or does the pace of digitization and interconnectivity require a different approach?

  2. Ensuring secure and private electronic communications: the proposals for an e-Privacy Regulation and an Electronic Communications Code.
    The recent proposals on the Electronic Communications Code and the e-Privacy Regulation reinforce the need for secure and private electronic communication services as appropriate while extending the regulatory scope to interpersonal communication service providers, the so-called OTTs (Over-The-Top). The e-Privacy Regulation also reinforces the privacy-by-design concept in electronic communication and introduces new rules as to the protection of information stored in and related to end-users' terminal equipment.
    How can standards assist service providers to demonstrate compliance to these regulations? How does the digital global nature of many OTTs influence security standards and the standardization process?
    How can standardisation support the requirements set out in the proposed e-Privacy regulation as regards "Information and options for privacy settings"?

  3. Measuring and assessing ICT security - The role of security labels and certification of products, processes and services.
    Recent well-publicized cyber-attacks and significant data breaches may significantly undermine European citizens' trust in the Digital Single Market. Lack of confidence in the security of ICT solutions may also impede business owners or their regulators from fully benefiting from the potential productivity gains and increased competitiveness that ICT may offer.
    How can standards best support the need to measure and assess ICT security properties? What roles can security labels and certification schemes play in increasing trust in ICT and how can standards shape the way to measure and assess what the appropriate level of security is in different operating environments and for different products and services? How best can security risk be addressed in product specific market regulation in healthcare, transport and other sectors? Which categories of products could benefit from a "lightweight" certification scheme?

  4. Cybersecurity world tour: what about legislation and relevant initiatives beyond Europe and supporting standards? Possible cooperation with EU initiatives.
    Cybersecurity is a global concern. As such, the issue is being addressed by legislators and regulators from across the world. A good understanding of developments outside of the EU is an important prerequisite in avoiding unnecessarily divergent approaches to cybersecurity risk management that may then lead, amongst others, to market inefficiencies, increased regulatory burdens and compliance costs in a global market.
    Our international partners are invited to inform participants and share their views on important emerging legislative, regulatory and standardisation initiatives on cybersecurity. Opportunities to collaborate across standardisation activities and re-use existing standards can also be discussed.
    Organisations active in the European market are also invited to discuss their view on how regional or global developments in cybersecurity standardisation impact their activities in a positive or perhaps even negative way.

Agenda

The Programme Committee is pleased to present the following programme:

09:00 - 11:00 Session 1: Setting the Scene
Session Chair: Claire Vishik, Intel
 
  • NIS Directive, Critical sectors, Best Practices and Certification
    European Commission, DG CONNECT
  • TILT - Modalities of Technical Standardisation Supporting EU Data Protection Legislation
    Irene Kamara, Tilburg Institute for Law, Technology and Society
  • TC CYBER: Activity in Developing the Technical Framework for Securing DMS, GDPR, NIS
    Scott Cadzow, C3L & Tony Rutkowski, Yaana Ltd
  • ISO/IEC JTC 1/SC27 Work in Support of Legislation
    Laura Lindsay, ISO/IEC JTC 1/SC27
11:00 - 11:30 Coffee Break
11:30 - 13:00 Session 2: Cybersecurity World Tour: From Regional to International Perspectives
Session Chair: Dominique Lazanski, GSMA
  Scope: Discover what countries are doing in terms of legislation for security of network and information systems and data protection / privacy, stressing the related standardization initiatives they have nationally.
 
  • How to reconcile the Protection of Privacy with the Efficient Use of Information Systems: a French Approach
    Sophie Coutor, French Ministry of the Interior
  • Sebastian Gerling, CISPA, Saarland University
  • Ed Griffor, US NIST
13:00 - 14:30 Lunch and Networking 
14:30 - 16:30 Session 3: Measuring and assessing ICT security - The role of security labels and certification of products, processes and services 
Moderator: Charles Brookson, Zeata
  Scope: How can standards best support the need to measure and assess ICT security properties? What roles can security labels and certification schemes play in increasing trust in ICT and how can standards shape the way to measure and assess what the appropriate level of security is in different operating environments and for different products and services?
 
  • Supporting the Development of a Global TEE Certification Program
    Gil Bernabeu, GlobalPlatform
  • TCG
    Claire Vishik, Intel
  • IoT Security Self-Assessment Framework
    Dominique Lazanski, GSMA
  • Mechthild Rohen, EC DG CONNECT Unit Internet of Things
The session concludes with a panel discussion.
15:30 - 16:00 Coffee Break
16:00 - 17:00 Session 3: Panel Discussion
How can standards best support the need to measure and assess ICT security properties? What roles can security labels and certification schemes play in increasing trust in ICT and how can standards shape the way to measure and assess what the appropriate level of security is in different operating environments and for different products and services?

  • Gil Bernabeu, GlobalPlatform
  • Dominique Lazanski, GSMA
  • Mechthild Rohen, EC DG CONNECT
  • Claire Vishik, Intel
17:00 - 18:00 Session 4: Feedback from implementations
Session chair: Florent Frederix, European Commission
  Scope: How industry is implementing products that comply with European cybersecurity legislation (e.g. GDPR, NIS Directive). How they do this in practice, with a focus on which standards they're using and what they think is missing in terms of standards, best practices, certification and labels.
 
  • Security Standards and Legislation from a Secure Product Manufacturer's Perspective
    Dirk Stegemann, Robert Bosch GmbH
  • Session under construction
18:00 - 18:15 Concluding Remarks

Programme Committee

The Programme Committee is composed of the following members:

  • Sonia Compans, ETSI
  • Marijke De Soete, Security4Biz
  • Alan Hayward, NCSC
  • Andreas Mitrakas, ENISA
  • Aristotelis Tzafalias, European Commission
  • Svetlana Schuster, European Commission
  • Florent Frederix, European Commission
  • Claire Vishik, Intel
  • Dirk Weiler, Nokia

The Programme Committee is in charge of selecting the presentations that fit the event objectives and of building the programme on Standards and Legislation.