ENISA publishes a report that provides an assessment on the maturity of the implementation of the European Cyber Security Standardisation activities in the EU Member States with respect to the NIS Directive.
The main assertions of this report include the following:
- Standardisation for compliance with the NIS Directive is essential;
- Recognition of standardisation in policy has generally been deemed to be low;
- Utilisation of standards adds value to Member States and their infrastructure;
- The use of standards raises Cyber Security levels of compliance and effectiveness;
- The use of standards provides sustainability and interoperability at European level and beyond.
Based on a survey, only inconclusive suggestions can be made with regard to a perceived lack of knowledge of standards. If an appropriate standard is available, it is reasonable to expect that it will be adopted or applied. For example, even though the ISO 27000 series of standards consists of sets of broad guidance, there is a well-established ecosystem that supports their implementation.
In terms of the NIS Directive, however, a major concern stems from the fact that it is the prerogative of the Member State concerned to seek implementation. Where cross-border information sharing is required, this requirement has been interpreted as a competence under existing CSIRT relationships used for reporting security incidents; it would of course be far more effective to broadly seek compliance with the NIS Directive within and across borders.
To improve the current situation the main recommendations of the report include:
- Appropriate training initiatives to be undertaken at the level of Member States;
- Promoting new work items in the European SDOs for some areas (e.g. criteria for defining OES / DSP), or the adoption of appropriate standards in Europe where they already exist (for example information exchange, where several mature efforts are already in place, such as STIX).
Read the report here: Improving recognition of ICT security standards