NIS Directive and Spanish National Security Scheme (ENS)

23 Jan 2018

CNPIC and critical infrastructure

In the last few years, certain areas of activity or infrastructure which provide essential services, of vital relevance for the continuity of state functioning, have become the target of numerous attacks. It is hard to miss that there is a strong dependency on certain infrastructures whose interruption or destruction would have a huge impact on the health, security and economic wellbeing of citizens. Such infrastructures have become a high-priority target for state security strategies, giving concrete form to the concept of "critical infrastructure".

The development and application of different national and European legislation moved Spain to set in motion a National Plan for the Protection of Critical Infrastructures (PNPIC), which led to the creation of the National Center for the Protection of Critical Infrastructures (CNPIC). The CNPIC is in charge of encouraging and coordinating the mechanisms necessary to guarantee the security of critical infrastructure. It was accompanied by the creation of the National Catalogue of Critical Infrastructure, which contains an updated and verified list of every strategic infrastructure within the national territory: location, ownership, services provided, level of security, etc. This list is classified as secret, given the high sensitivity of the information held in the catalogue.

The catalogue comprises more than 3,500 sensitive installations and infrastructures across several strategic areas. Initially, the Catalogue only included infrastructure related to the energy and transport sectors, although the set of sectors included has been widened since its creation.

IT Infrastructures and NIS Directive

At a European level, the EU has been taking steps towards guaranteeing a higher level of security of networks and information systems. In February 2013, the Cybersecurity Strategy of the European Union was published (Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace). This document covers the internal market, justice and foreign affairs aspects of cyberspace. The cybersecurity strategy and the Directive proposal support the European Digital Agenda, whose purpose is to help European citizens and companies make the most of digital technologies.

This strategy is complemented by the "Directive of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union" (Directive (EU) 2016/1148), known as the NIS Directive, which was enacted on 6 July 2016.

According to the NIS Directive, the existing capabilities are not enough to guarantee a high level of security of networks and information systems within the European Union. The levels of preparation among member states differ greatly, entailing unequal levels of protection for consumers and companies and compromising the general level of security of networks and information systems in the Union. For this reason, it establishes common minimum requirements in terms of capability development and planning, exchange of information, cooperation, and common security requirements for operators of essential services and providers of digital services. As part of this strategy, service providers are encouraged to adopt the measures necessary to manage security risks and to notify the National Authorities of incidents that could have a significant disruptive effect, and the Directive proposes the creation of a cooperation network among the Member States.

Transposition of the NIS Directive in Spain

On 7th September 2018, the Royal Decree-Law for the transposition of the European NIS Directive on cybersecurity was enacted. It applies to entities that provide essential services to the community and that depend on networks and information systems to carry out their activity. Its scope is widened to sectors which are not explicitly included in the directive in order to give this law a global reach, while those sectors preserve their own specific legislation. The new regulation also applies to the providers of certain digital services.

The main impact of the transposition of the NIS Directive is that it adds further areas to the National Catalogue of Critical Infrastructure. Currently, the areas included within the Catalogue are the following:

  • Energy
  • Nuclear industry
  • IT
  • Water
  • Food supply
  • Health
  • Financial System
  • Transport
  • Chemical Industry
  • Space
  • Research
  • Administration

On the other hand, the Royal Decree-Law requires operators of essential services and providers of digital services to notify the significant incidents that they might suffer on the networks and information systems used to provide essential and digital services. The law protects the identity of the notifying entity and of the personnel who report such incidents; this information remains confidential to the public and to authorities other than the one notified.

NIS directive and Spanish National Security Scheme (ENS)

The transposition of the NIS Directive aims to encourage the development of the internal market by improving the level of security of the networks and information systems which underpin the provision of essential and digital services. In this way, efforts are being made to align the measures imposed by the NIS Directive with the general strategy adopted through the development and application of the Spanish National Security Scheme (ENS), which in recent years has started to be adopted by public administrations and by the private companies that provide them with IT services.

This alignment of efforts between the NIS Directive and the ENS will be reflected in the future publication of a package of additional ENS measures oriented to fulfilment of the NIS Directive, as was announced at the CCN-CERT event talk "Convergence of the NIS norm with PIC" by Fernando Sánchez, head of the CNPIC. Thanks to this NIS-ENS package, it will be easier to meet the requirements of both regulations through the incorporation of a series of measures in addition to those already existing in the ENS which, once established, will be valid for compliance with the NIS Directive.

Javier Tallón/Technical Director

Expert consultant on the Common Criteria standard and other security assurance standards in the field of information technology (FIPS 140-2, ITSEC, ISO 27K1, SOC 2, ENS...). Javier has served as an evaluator in the Spanish CB for the country's major evaluation labs. As a consultant, he has successfully accompanied national and international companies through several certification processes (up to EAL5+). His experience has led him to participate as a speaker at several conferences on computer security and certification (SuperSec, Cybercamp, Navaja Negra, International Common Criteria Conference, International Cryptographic Module Conference, EUCyberact Conference). He is also a Cyber Security lecturer, teaching Secure Software Engineering at the University of Granada, and is CISSP (Certified Information Systems Security Professional) and OSCP/OSCE (Offensive Security Certified Professional & Certified Expert) certified.

In 2015 he began to lay the foundations of what would become jtsec. He currently works as Technical Director of the evaluation lab and Chief Operations Officer (COO) of the Granada site, from where the company carries out most of its work. A recognized expert in various disciplines of cybersecurity (reversing, exploiting, web, ...), he assumes the technical direction of most of the projects, directing and organizing the work of the team. He also leads the Research and Development area, encouraging the participation of the jtsec team in multiple congresses.
