Peter Dickman - Google, Jonathan Sage - IBM, Daniele Catteddu - CSA, Mark Smitham - European Commission, Gavin Fitzpatrick - AWS, Aljosa Pasic - Atos, Roxana Banica - NSE RO, Paul Davies - Verizon, Antonio Ramos - Leet security, Oliver Perault - Orange, Jan Neutze - Microsoft, Dimitra Liveri, Dan Tofan, Rossen Naydenov, Christina Skouloudi - ENISA


Minutes from the call

- ENISA introduced in this call the project that will run under the proposed NIS directive draft provisions. The scope is still to be worked out but the Digital Service Providers (DSPs) are a priority. This group will be the tool ENISA will use for the projects on DSPs.

- The EC is including in the directive the opportunity of implementing acts for the DSPs, with 12 months after the point of adoption to publish the implementing acts. The EC is engaging all the stakeholders and E2 is working closely with H4.

- The EC is hosting a workshop on Cloud security on the 18th of March: https://ec.europa.eu/digital-agenda/en/news/cloud-security-workshop-building-trust-cloud-services-certification-and-beyond
  The EC invites all experts of the ENISA Cloud Security group to this event as the NIS Directive is one of the topics of the agenda. ENISA will be there.

- IBM is satisfied with the changes in the directive: the separation of the essential services and the DSPs is now recognised through the security requirements and the appropriate measures. However, the NIS shouldn’t override the obligations deriving from the contract. The challenge is how these implementing acts turn out, what specific measures will be included and how the MS will implement them.

- Google: supports the IBM view; the only risk is how the national governments will deal with this implementation.

- Microsoft: This is a much better version than the beginning; the DSPs should be treated differently than the ESO. Microsoft supports that ENISA should do the drafting of the implementing acts and take the lead for the incident reporting and the security measures.

- Amazon: Agrees with what was said before, and is willing to be involved in the two projects that ENISA will be working on.

- Leet security: the fact that SMEs are not in the scope of this Directive creates constraints for them to become part of the wider market. However, since the provisions of the Directive would be costly in resources for the DSPs, the SMEs would not be obliged to comply.

- Google: This directive should not affect the economic growth, but the focus should be on the amount of risk the company is creating, regardless of whether it is an SME or not.

- On the question about the incident reporting scheme to be followed (and whether it is going to be similar to the Art13a of the Telecoms Directive operated by ENISA), the response is that there is no specific reporting scheme suggested in the NIS Directive as it is in Art13a, and ENISA is not directly mentioned as the recipient of the incident reports. The implementing act will shed some light on this matter.

- EC: implementing acts are relying on the guidance from ENISA by December, then consultation should be put in place in 12 months after the adoption. Adoption is expected by May-June 2016, meaning that the implementing act should be out by May-June 2017.

- The implementing acts should also give more information on the scope: the Directive includes the datacentres for cloud computing but the definition doesn’t differentiate between deployment and service models.

- Harmonisation between the different DSPs? For incident reporting and security measures, the group experts in some cases have two roles, but we also need to engage online marketplaces.

- As more experts will request to be part of this experts group, a need for formalisation is emerging. ENISA will create and publish the Terms of Reference for this experts group as well as the list of experts involved. ENISA will also arrange face-to-face meetings to discuss next steps during the process. These face-to-face meetings will take place back to back with big cloud events (like Secure Cloud).

- The next call of the EG will take place after the 18th of March; you can let us know of your availability here: http://doodle.com/poll/rp8bx88rxrerxrxx

- Secure Cloud 2016 takes place on 24-25 May in Dublin. The face-to-face meeting of the group will take place the day before or the day after; you can vote here: http://doodle.com/poll/mwdbmum84fskbvgn

