The EU Cybersecurity strategy (see IP/13/94) announced that the Commission would set up in 2013 a platform on network and information security (NIS) bringing together relevant public and private stakeholders, to identify good cybersecurity practices across the value chain and create the favourable market conditions for the development and adoption of secure ICT solutions.
The NIS platform will, as a matter of priority, aim to identify technologically neutral best practices, including standards, to enhance cybersecurity, and to develop incentives, on both the demand and the supply side, to abide by those best practices and adopt secure ICT solutions.
The first meeting will define a roadmap setting out expected output of the platform and milestones. In its work on identifying best practices, the group may focus on the following four areas:
- Organisational measures: best practices to define, guide or evaluate an organisation’s cybersecurity, specifically its capability to identify and assess risks, and to deter and handle incidents.
- Secure products and services: best practices to demonstrate the ability of products or services to provide a “good” level of cybersecurity performance as part of the ICT value chain.
- Metrics, measurement and language for cyber risk: best practices for measuring, describing and evaluating cyber risks, impacts, threats, controls, etc.
- Information exchange: best practices for the exchange of cyber incident information, to allow cyber incident reports to be understood and acted on in the framework of complex cooperation schemes; to facilitate a “big picture” view of all cyber incidents to spot trends and direct resources.
The NIS platform will work in close collaboration with the Multi-Stakeholder Platform on ICT standardisation, including for the identification of relevant security-related common technical specifications.
In parallel, the NIS platform will discuss economic, legal and technological incentives which could be defined at EU, national or sectorial level.
The output of the platform will feed into the Commission recommendations on cybersecurity across the value chain to be adopted in 2014, as well as the implementation of the risk management and incident reporting obligations under the proposed NIS Directive (see MEMO/13/71).
The Commission will convene the first meeting of the platform on 17 June 2013. The platform will be open to EU Member State governments, relevant private players, relevant standardisation and sector organisations, and relevant consumer and civil society organisations. It is expected that thematic working groups composed of experts will be set up and start working right after the summer break.
The European Public-Private Partnership for Resilience (EP3R) will be subsumed in the NIS platform.
Stakeholders are invited to express their interest in participating in the platform before 24 May 2013 by sending an email to CNECT-NIS@ec.europa.eu. On this basis, the Commission will select the platform participants, with a view to ensuring a balanced and manageable representation of the different stakeholders.