Definitions & Scope
The main objective of this study is to chart the primary components of the normative framework regarding risk management/risk assessment (RM/RA) practices within the European Union and to assess their impact on European undertakings in both the private and public sectors. This knowledge is instrumental in determining the extent to which these guidelines apply to management considerations, and thus the extent to which they may affect network and information security practices.
While basic RM/RA obligations are clearly present in a number of European initiatives (including, for example, the Privacy Directive's obligation to take the necessary technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access), it is also clear that such obligations do not cover the whole spectrum of RM/RA, nor are they specific to any given sector or field of endeavour.
No clear overview presently appears to exist of the predominant regulations in the field of RM/RA, nor of the norms being applied when attempting to conform to such regulations. This informational gap presents a double risk, both to private sector interests and from a policy perspective. On the one hand, private entities have no way of comprehensively determining whether or not they are in material compliance with the applicable regulations, nor can they verify which standards are available to them in attempting to ensure compliance, since no overview exists in either regard. On the other hand, public sector initiatives are equally impeded: they risk overlapping with an unknown number of pre-existing guidelines, and their authors may not be fully aware of the norms already applicable in the field they are attempting to regulate.
Thus, an overview of RM/RA regulatory and normative initiatives, covering both organisational and infrastructural considerations, is a precondition for the proper development of good practices and possible new normative initiatives.
The classic regulatory areas well known in the field of RM/RA, such as data protection, have already been widely documented in the past, including as a part of ENISA research activities. On the other hand, some normative areas, in particular corporate governance, are less well documented and do not appear to have received the same level of scrutiny.
This is perhaps surprising, since corporate governance in the last decade has shown a distinct trend towards normative formalisation into guidelines, standards and generally accepted practices. Because this practice area is of general importance in daily business life, the creation of an overview document identifying and describing the main normative texts can be a useful resource in charting auditing requirements, applicable standards and corporate good practices.
Thus, this section will attempt to identify and analyse the main normative texts with regard to RM/RA applicable to European organisations, covering both international and European regulatory initiatives emanating from public sector bodies (including directives, regulations, resolutions, treaties, and conventions), as well as the most influential normative instruments originating from both generic and sector-specific private initiatives (including norms, (de facto) standards, guidelines, recommendations, and good practices).
Research has therefore been conducted at different levels, ranging from the EU and international institutions, through national regulations and standards, to sectoral and normative-body rules. However, this section focuses only on texts whose normative influence extends beyond the national borders of any specific country. In the first part of this section, we define the basis on which texts are included as relevant to this study.
The intended final outcome of this section is the identification and summary description of the main normative texts with regard to RM/RA obligations, in particular any legally binding references that directly or indirectly impose or foresee the employment of RM/RA as a management activity within organisations and/or application systems, or that provide guidance on how to comply with such obligations. The results will provide ENISA with a general insight into the dominant norms in this respect, and thus a useful aid for any potential future field of activity.