Vault restructure

Corpus/Standards/NIS 2/FortMesa NIS2 Explained.iapresenter/info.json

@@ -0,0 +1,9 @@
+{
+  "creatorIdentifier" : "net.ia.presenter",
+  "net.ia.presenter" : {
+    "localFileIdentifier" : "9757E1E9-D1A8-44B7-843A-8120E2560A25"
+  },
+  "transient" : false,
+  "type" : "net.daringfireball.markdown",
+  "version" : 2
+}

Corpus/Standards/NIS 2/FortMesa NIS2 Explained.iapresenter/text.md

@@ -0,0 +1,343 @@
+#nis2
+
+### NIS2 Explained
+#### Raising the Baseline for Cybersecurity Across the Union
+
+	Richard Kranendonk, Thinking Security Works for FortMesa, June 2025
+
+/assets/ISO27DIY Logo in circle.png
+size: contain
+y: bottom
+
+
+
+---
+
+## What is NIS 2?
+	NIS2 (Directive (EU) 2022/2555) is the EU's updated comprehensive cybersecurity law.
+
+	Aims to **significantly raise the baseline level of cybersecurity and resilience** across the European Union.
+	Focuses especially on **critical infrastructure and essential services**.
+	**Designed to protect the EU’s economy and society** by making digital infrastructure more secure, resilient, and better prepared for evolving cyber threats.
+
+---
+
+# Goals
+
+	**Establish a unified, high standard of cybersecurity** for network and information systems in key sectors across all EU member states.
+	Strengthen cooperation and information sharing among member states for a **coordinated response to cross-border cyber threats**.
+	Promote consistency by **harmonizing security requirements, reporting obligations, and enforcement** across the EU.
+
+	Ensure organizations implement **robust risk management**, **incident response**, and **business continuity measures**.
+
+
+---
+
+# Compared with GDPR
+
+	GDPR: **protecting citizens against the misuse of personal data**. Caused an obsession with data confidentiality and Cookie Banners.
+
+	NIS 2: **resilience of critical infrastructure**, threat of disruption. Emphasis on risk management.
+
+---
+
+# Origins of NIS 2
+
+	The original Network and Information Security Directive (NIS1) was adopted in 2016. It was the **EU’s first comprehensive cybersecurity law**.
+	Aimed to establish a high common level of cybersecurity across Member States.
+	Targeted critical sectors: energy, transport, healthcare, finance, water, and digital infrastructure.
+	Required essential service providers (OES) and digital service providers to take security measures and report incidents.
+
+---
+
+# But ...
+
+	**Scope was too narrow:** Only applied to seven key sectors identified by Member States.
+	**Inconsistent Implementation:** Member States had discretion in identifying OES.
+	**Unclear Definitions:** Contributed to fragmentation and gaps in protection. Some critical digital infrastructure and services were not covered.
+	Digital Service Providers were subject to lighter requirements, whereas **digitalization accelerated** and **cyber threats became more sophisticated**.
+
+---
+
+# So: NIS 2
+
+	NIS2 expands the scope, introduces stricter supervision/enforcement, harmonizes sanctions, and emphasizes supply chain security and top management responsibility.
+	Proposal for NIS2 in December 2020.
+	Formal adoption: November 2022.
+	**Entered into force: January 16, 2023**.
+	Member States required to transpose NIS2 into national law by **October 17, 2024**.
+	Current state: European Commission has **warned 19 Member States for missing the deadline** and may take legal action.
+
+---
+
+# NIS 1 vs NIS 2
+
+| Aspect        | NIS1 (2016)                      | NIS2 (2023)                                       |
+| :------------ | :------------------------------- | :------------------------------------------------ |
+| **Scope**     | Limited sectors, fewer entities  | **Expanded sectors and more entities**            |
+| **Enforcement** | Inconsistent across Member States | **Stronger, harmonized supervision**              |
+| **Management**  | Limited focus on top management  | **Clear top management responsibility**           |
+| **Reporting**   | Less stringent, varied obligations | **Stricter, harmonized reporting**                |
+| **Supply Chain**| Not specifically addressed       | **Explicitly included**                           |
+
+---
+
+### Le loi relatif à la résilience des infrastructures critiques
+	*NIS 2 in France*
+
+---
+
+# Scope
+
+---
+
+# Organizations targeted by NIS2
+
+	Principle: Entities critical to the functioning of society and the economy
+	Covers a wide range of **public and private organizations** listed in Annex I (Essential) and II (Important).
+	Entities with over 50 employees or 10 million turnover (with exceptions for smaller but critical entities)
+	**Supply Chain Focus:** Entities essential to the supply chain of critical infrastructures are now included.
+
+---
+
+# Essential Entities
+	- Energy
+	- Transport
+	- Banking
+	- Financial market infrastructure 
+	- Healthcare
+	- Drinking water
+	- Wastewater
+	- Digital infrastructure
+	- ICT B2B service management: MSP's & MSSP's
+	- Public administration 
+	- Space (ground-based infrastructure)
+
+# Important Entities
+	- Digital providers (marketplaces, search engines, social networking)
+	- Postal and courier services
+	- Waste management
+	- Chemicals
+	- Food
+	- Manufacturing
+	- Research
+
+
+---
+
+# Geographical Location
+
+	Entities established in an EU/EEA Member State.
+	Non-EU organizations offering services within the EU, particularly in critical sectors – must designate a representative in an EU Member State.
+	Indicators include using EU languages/currencies or targeting EU users.
+
+---
+
+# Requirements
+
+---
+
+# Risk-Management
+
+	Appropriate and proportionate measures.
+	Policies on **risk analysis** and information system
+	Policies/procedures to assess effectiveness of measures.
+	Incident handling.
+	Business continuity (backup, disaster recovery, crisis management).
+	Supply chain security.
+	Basic cyber hygiene practices (zero-trust, updates, configuration, segmentation, identity/access management, user awareness).
+	Use of cryptography and, where appropriate, encryption (including end-to-end).
+	Human resources security, access control policies.
+	Multi-factor authentication or continuous authentication.
+
+---
+
+# Supply Chain Requirements
+
+	**Risk Assessment** of vendors, evaluating cybersecurity posture, incident history, and service criticality.
+	**Supply Chain Security Policies** including clear security requirements, access controls, encryption, and MFA throughout the supply chain.
+	**Contractual Obligations** w/r/t cybersecurity clauses in contracts (compliance, incident reporting, audit rights, termination).
+	**Continuous Monitoring:** Regularly monitor/audit third-party security practices and ensure ongoing compliance.
+
+---
+
+# Role of Management
+
+	Cybersecurity is a core element of corporate governance**.
+	Management bodies must approve cybersecurity risk-management measures and oversee implementation.
+	**Can be held liable for infringements**.
+	Management is **required to follow training** to gain sufficient knowledge and skills.
+	Entities are encouraged to offer similar training to employees.
+
+---
+
+---
+	
+**Slide 27: Supervision and Enforcement**
+
+*   Member States must ensure competent authorities effectively supervise and take necessary measures for compliance.
+*   Supervisory tasks can be prioritized based on a risk-based approach.
+*   Essential entities are subject to comprehensive ex ante and ex post supervision.
+*   Important entities are subject to lighter, ex post only supervision, typically triggered by evidence of non-compliance.
+
+*   Essential entities are subject to a **comprehensive ex ante and ex post supervisory regime**.
+* authorities have a general obligation to supervise these entities. Supervisory tasks can include regular on-site inspections, off-site supervision, random checks, regular and targeted security audits, and security scans
+* 
+*   Important entities are subject to a **light, ex post only, supervisory regime**, typically triggered by evidence of non-compliance.
+* supervision is specifically triggered by "evidence, indication or information" suggesting they may not comply with the directive
+---
+
+**Slide 28: Enforcement Powers**
+
+*   Competent authorities for **Essential Entities** have powers including:
+    *   Issuing warnings.
+    *   Adopting binding instructions (e.g., measures to prevent/remedy incidents, time-limits).
+    *   Ordering entities to remedy deficiencies or infringements.
+*   Competent authorities for **Important Entities** have powers including:
+    *   Issuing warnings.
+    *   Adopting binding instructions or orders to remedy deficiencies/infringements.
+
+---
+
+**Slide 29: Penalties for Non-Compliance**
+
+*   **Fines:** Up to €10 million or 2% of global annual revenue, whichever is higher.
+*   **Management Liability:** Executives face personal liability for non-compliance. This could include potential bans from managerial roles.
+*   **Market Access Risks:** Non-compliance may disrupt partnerships with EU businesses or lead to exclusion from EU markets.
+*   Member States may lay down rules on imposing administrative fines on public administration entities.
+
+---
+
+**Slide 30: Expectations for Enforcement (as of May 2025)**
+
+*   Enforcement across the EU is currently marked by significant delays and fragmentation.
+*   Many Member States missed the October 2024 transposition deadline.
+*   Formal warnings issued by the European Commission to 19 Member States.
+*   Legal action by the Commission may follow if compliance is not achieved.
+*   Actual enforcement will depend on national transposition and the approach taken by each Member State's competent authorities.
+
+---
+
+---
+
+---
+
+---
+
+**Slide 22: Incident Reporting (Significant Incidents)**
+
+*   NIS2 lays down a **multiple-stage approach** to reporting significant incidents.
+*   Strikes a balance between swift reporting (mitigate spread, seek assistance) and in-depth reporting (lessons learned).
+*   Report incidents that, based on initial assessment, could cause severe operational disruption/financial loss or affect others with considerable material/non-material damage.
+*   Initial assessment considers affected systems, threat severity/characteristics, vulnerabilities, and entity experience.
+*   Member States must provide technical means for simplified reporting (single entry points, online forms, etc.).
+*   This should ideally be a single entry point for various notification obligations (like GDPR, ePrivacy) to decrease administrative burden.
+
+---
+
+**Slide 23: Voluntary Information Sharing**
+
+*   Member States must ensure entities (in-scope and others) can **voluntarily exchange relevant cybersecurity information**.
+*   Information includes cyber threats, near misses, vulnerabilities, techniques, indicators of compromise, threat actors, alerts, and configuration recommendations.
+*   Exchange should occur within communities of entities and their suppliers/providers.
+*   Information-sharing arrangements should respect the sensitive nature of the information.
+*   Member States should facilitate the establishment of such arrangements.
+*   Entities must notify competent authorities of participation/withdrawal from these arrangements.
+*   ENISA provides assistance by exchanging best practices and guidance.
+
+---
+
+**Slide 24: Voluntary Notifications**
+
+*   In addition to mandatory reporting, entities can **voluntarily notify** CSIRTs or competent authorities.
+*   This applies to essential/important entities (incidents, cyber threats, near misses) and other entities (significant incidents, cyber threats, near misses).
+*   Voluntary reporting is processed but may be prioritized below mandatory notifications.
+*   Voluntary reporting should **not result in additional obligations** for the notifying entity.
+
+---
+
+**Slide 25: NIS2 Certification Status**
+
+*   The European Commission is working on a certification framework, but it is **still under development and not currently in force**.
+*   The NIS2 Directive itself does not mandate certification for companies, but allows for future requirements.
+*   Any companies currently offering "NIS-2 certification" or training do so based on their own interpretations or existing standards (like ISO 27001).
+*   These commercial offerings **do not have official legal status** and are **not legally recognized** EU-level certifications.
+
+---
+
+**Slide 26: NIS2 Measures and International Standards**
+
+*   Member States are encouraged to use **European and international standards** and technical specifications relevant to network and information system security.
+*   Measures for NIS2 conformity in places like Flemish Belgium are based on internationally recognized standards like **NIST processes and ISO 27001/27002**.
+*   ISO 27001/27002 and the NIST framework are recognized as best practices for NIS2 compliance.
+*   Specific NIS2 requirements, such as those related to risk management and physical/environmental security, align with standards like the ISO/IEC 27000 series.
+*   International standards ISO/IEC 30111 and ISO/IEC 29147 provide guidance on vulnerability handling and disclosure.
+*   ENISA, in cooperation with Member States, provides advice/guidelines on relevant standards.
+
+
+**Slide 31: Cooperation Mechanisms**
+
+*   **Cooperation Group:** Supports strategic cooperation and information exchange among Member States. Tasks based on biennial work programmes. Can conduct coordinated security risk assessments of critical supply chains. Discusses peer review reports.
+*   **CSIRTs Network:** Promotes swift and effective operational cooperation among national CSIRTs. Tasks include incident handling assistance, coordinating vulnerability disclosure, and identifying further forms of operational cooperation. Cooperates with regional/Union-level SOCs.
+*   **EU-CyCLONe:** Supports coordinated management of large-scale cybersecurity incidents and crises at operational level. Composed of representatives from Member States' cyber crisis management authorities and the Commission (in specific cases).
+
+---
+
+**Slide 32: Vulnerability Handling**
+
+*   Identifying and remedying vulnerabilities is crucial.
+*   Entities that develop or administer systems should establish procedures to handle vulnerabilities.
+*   Manufacturers/providers should have procedures to receive vulnerability information from third parties.
+*   **Coordinated vulnerability disclosure** (CVD) is a structured process for reporting vulnerabilities to allow remediation before public disclosure. International standards ISO/IEC 30111 and ISO/IEC 29147 provide guidance.
+*   Each Member State must designate a CSIRT as a coordinator for CVD.
+*   This coordinator acts as a trusted intermediary between the reporter and the manufacturer/provider.
+*   Reporters can report vulnerabilities anonymously.
+*   **European vulnerability database:** ENISA will develop and maintain a database for voluntary disclosure of publicly known vulnerabilities in ICT products/services. Provides information on the vulnerability, affected products/services, severity, and available patches/mitigation guidance.
+
+---
+
+**Slide 33: DNS Security and Registration Data**
+
+*   Maintaining accurate/complete domain name registration data (WHOIS) is essential for DNS security/stability.
+*   TLD name registries and domain name registration service entities must collect and maintain this data diligently, in accordance with data protection law for personal data.
+*   Data must include information to identify and contact holders and administrative points of contact (name, email, phone).
+*   Policies/procedures, including verification, must be in place to ensure accuracy.
+*   Publicly available data should include non-personal data, such as the registrant name and phone number for legal persons. A non-personal email can also be published.
+*   Lawful access to personal data must be enabled for legitimate access seekers in line with data protection law. Access requests should be responded to without undue delay.
+*   All types of access to registration data should be free of charge.
+*   ENISA will create and maintain a registry of specific cross-border providers, including TLD name registries and domain name registration services, based on Member State information.
+
+---
+
+**Slide 34: Need for Ongoing Review**
+
+*   The European Commission will periodically review NIS2, consulting stakeholders.
+*   Reviews, starting by October 17, 2027, will assess the relevance of entity size, sectors, and types in relation to cybersecurity.
+*   Will take into account reports from the Cooperation Group and CSIRTs network.
+*   Legislative proposals may accompany reports where necessary.
+
+---
+
+**Slide 35: Key Takeaways**
+
+*   NIS2 is a significant evolution from NIS1, addressing its shortcomings by expanding scope and harmonizing requirements.
+*   Targets a broad range of critical entities, imposing comprehensive cybersecurity risk management and reporting obligations.
+*   Places clear accountability on top management.
+*   Emphasizes supply chain security and third-party risk management.
+*   Implementation is facing delays in many Member States as of May 2025.
+*   International standards like ISO 27001 and NIST are relevant for compliance, though no official EU certification exists yet.
+*   Enforcement includes significant fines and potential management liability.
+
+---
+
+**Slide 36: Q&A / Discussion**
+
+*   [Placeholder for Questions and Discussion]
+
+---
+
+**Slide 37: Research and Footnotes**
+
+*   [Include a list of sources/footnotes if desired for reference, e.g., citing the origin of the excerpts]
+
+---