ENISA study works on governance framework for implementation of NCSS across member states

The European Union Agency for Cybersecurity (ENISA) launched Tuesday a study to perform a systematic review of the governance models relevant to the deployment of its National Cybersecurity Strategy (NCSS). Every EU member state is obliged, following the NIS Directive, to develop and implement an NCSS to foster the security of network and information systems across the Union.

“Each NCSS aims to set out a plan of action to improve the security and resilience of national infrastructure systems and services,” the ENISA study disclosed. “It aims to provide a high-level top-down approach to cybersecurity and to establish a range of national objectives and priorities.”

However, the fast and ever-evolving cyberspace calls for constantly developing and adopting the NCSS, and hence consistent monitoring and evaluation of the NCSS is necessary, the ENISA study said. “Additionally, establishing a functioning and effective governance model for the implementation of the current and future NCSSs is essential to foster cybersecurity across the Union and to reach the national strategies’ as well as the institutions’ objectives in this relation.”

The ENISA study revealed that out of the 27 member states, eight have a third- or later-generation NCSS, 14 have a second-generation NCSS, and five are on their first NCSS.

The outline provides an overview of the key findings of the study, linking them with the main elements of the proposed governance framework and supporting them with insightful statistics. Moreover, the report highlights a collection of good practices for the different elements of governance that the European countries put in place to ensure an effective framework for the implementation of current and future NCSSs of the EU member states.

The initiative looks to identify and select the most relevant instances, lessons learned, and good practices from the member states. It also aims to collect insights on the definition of processes, roles and responsibilities, and the subsequent deployment of monitoring measures, and to identify the main challenges and good practices that the European countries must put in place to ensure an effective governance framework for the implementation of current and future NCSSs of the EU member states.

The legislation states that ENISA shall support the member states in developing national strategies on the security of network and information systems, promote the correct deployment of those strategies and set up a governance framework that ensures the sustainability of national strategies. 

Developing an effective governance model for the NCSS involves strategic governance, operational governance, technical governance, and political governance. Strategic governance coordinates the processes of drafting the strategy and building the governance model from the outset and ensures cooperation for identifying and mitigating risks. Operational governance ensures the translation of NCSSs into actions to improve cybersecurity across society and aims to boost cybersecurity across levels and sectors of a nation’s society, economy, and government.

Technical governance encompasses the definition and use of standards and specifications and ensures the inclusion of tools, technology, and certification schemes accompanying the implementation of the strategy. Political governance provides a general and legal framework and establishes processes, roles and responsibilities, and ensures accountability, transparency, and acceptance of the NCSS, its policies, and related processes. 

Last week, ENISA released a new report that explores the potential challenges faced by operators of essential services (OESs) in the EU when seeking to acquire cyber insurance. The analysis also investigates aspects of cyber insurance from the standpoint of policy development and makes recommendations to policymakers and the community of OESs. The report dives into the ‘demand side’ of the cyber insurance market, applicable to the particular case of OESs, disclosing that a large proportion of OESs consider cyber insurance less attractive due to increasing prices and decreasing coverage.

Before that, the agency published a report that explores how to develop harmonized national vulnerability programs and initiatives in the EU. Apart from insights on industry expectations, the findings feed into the guidelines ENISA and the NIS Cooperation Group intend to prepare to help EU member states establish their national CVD (Coordinated Vulnerability Disclosure) policies. These guidelines would primarily focus on vulnerability management, dedicated processes, and related responsibilities.
