CYBER; Implementation of the Network and Information Security (NIS) Directive

DTR/CYBER-0021

General Information

Status
Published
Publication Date
19-Oct-2017
Technical Committee
Current Stage
12 - Completion
Due Date
30-Oct-2017
Completion Date
20-Oct-2017
Ref Project
Standard
ETSI TR 103 456 V1.1.1 (2017-10) - CYBER; Implementation of the Network and Information Security (NIS) Directive
English language
28 pages

Standards Content (Sample)


TECHNICAL REPORT
CYBER;
Implementation of the Network
and Information Security (NIS) Directive

2 ETSI TR 103 456 V1.1.1 (2017-10)

Reference
DTR/CYBER-0021
Keywords
cyber security, cyber-defence, information
assurance, privacy
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the
Sous-Préfecture de Grasse (06) No. 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2017.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M logo is protected for the benefit of its Members.
GSM® and the GSM logo are trademarks registered and owned by the GSM Association.
Contents
Intellectual Property Rights . 5
Foreword . 5
Modal verbs terminology . 5
Executive summary . 5
Introduction . 5
1 Scope . 7
2 References . 7
2.1 Normative references . 7
2.2 Informative references . 7
3 Definitions and abbreviations . 9
3.1 Definitions . 9
3.2 Abbreviations . 9
4 Overview of the NIS Directive . 10
4.1 The context for NIS . 10
4.2 ENISA recommendations on standardization . 12
4.3 Processing of personal data . 13
5 Cyber threat intelligence sharing: incidents and risks . 13
5.1 Introduction . 13
5.1.1 Context . 13
5.1.2 Scope of incidents . 13
5.1.3 Incident notification thresholds . 14
5.1.4 Alignment of approaches . 15
5.1.5 Incident classification indicators and metrics . 15
5.2 Concepts, models, and technical methods . 15
5.3 Cyber threat intelligence entity practices . 15
5.3.1 Introduction . 15
5.3.2 Operators of Essential Services . 16
5.3.3 Digital Service Providers . 16
5.3.4 Specialized, limited use, structured threat intelligence sharing platforms . 16
6 Role of risk analysis in protecting NIS . 17
6.1 Introduction . 17
6.2 Concepts, models, and technical methods . 18
6.2.1 Introduction . 18
6.2.2 Critical Security Controls . 19
6.2.3 National and intergovernmental programmes . 19
6.3 Cyber defence and cyber security risk management practices . 22
6.3.1 Introduction . 22
6.3.2 Operators of essential services . 23
6.3.3 Digital service providers . 23
7 Challenges and solutions . 23
7.1 Introduction . 23
7.2 New technologies and services . 24
7.3 New techniques . 24
7.3.1 Use of middlebox security protocols for cyber defence . 24
7.4 Harmonizing implementations across the diverse network and service sectors and Member State legal and operational environments . 24
8 Recommendations . 25
8.1 Operators of essential services . 25
8.2 Digital service providers . 25
8.3 Facilitative mechanisms for network and information security . 25
Annex A: Historical development of cyber threat intelligence sharing . 26
History . 28

Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Executive summary
The present document provides guidance on the available technical specifications and those in development by major
cyber security communities worldwide designed to meet the legal measures and technical requirements relating to
implementation of the NIS Directive, including the sharing of information and network based risks and incidents and
necessary defence measures. The guidance includes: considerations for incident notification and best practices in cyber
security risk management. The present document provides a broader cyber security context than the NIS Directive or
the ENISA Standardization Gaps Report to facilitate evolution toward significant emerging open global platforms, and
includes treatment of challenges associated with harmonizing the implementations across the diverse network and
services sectors and Member State legal and operational environments.
Introduction
The Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 [i.1] concerning measures
for a high common level of security of network and information systems across the Union (commonly called the NIS
Directive or NISD) contains legal measures which include:
• requiring Member States to be appropriately equipped, e.g. via Computer Security Incident Response Teams
(CSIRTs), a competent national NIS authority for a number of sectors, and a national information security
strategy;
• setting up a cooperation framework among Member States by means of a Cooperation Group, in order to
support and facilitate strategic cooperation and the exchange of information among Member States, and a
CSIRT Network, for voluntary operational cooperation on specific cyber security incidents and sharing
information about risks; and
• requiring Member States to ensure, through the necessary frameworks and obligations, that businesses in
sectors identified by the Member States as operators of essential services, including those that operate in
sectors identified in the Directive, as well as providers of certain digital services, implement appropriate
security measures and notify the relevant national authority of serious incidents having a significant impact on
their services.
These legal measures in turn invoke a set of common cyber security technical requirements that include:
• structured sharing of information on risks and incidents;
• notification of incidents;
• outcomes-focused cybersecurity risk management practices and controls to identify and protect assets, detect
anomalies and potential incidents, and respond to and recover from incidents that may impact
network and information systems; and
• international cooperation to improve security standards and information exchange, and promote a common
global approach to NIS issues through harmonised standards.
The present document provides implementation guidance for meeting these requirements based on ETSI's capabilities
as a regional and global organization that brings together industry expertise and global cyber security knowledge,
including its own cyber security technical specifications and reports.

1 Scope
The present document provides guidance in accordance with the Directive (EU) 2016/1148 of the European Parliament
and of the Council of 6 July 2016 [i.1] concerning measures for a high common level of security of network and
information systems across the Union (commonly called the NIS Directive or NISD) on the available technical
specifications and those in development by major cyber security communities worldwide designed to meet the legal
measures and technical requirements relating to the sharing of information on network based risks and incidents and
also the necessary defence measures to enable the protection of its essential security interests.
The present document is intended to be used by all who need to consider the effects of, make use of, or perform the
legal transposition of the NIS Directive into national legislation. These include national regulators who need to update
regulations or guidelines for specific industries identified in the NIS Directive as Operators of Essential Services (OES)
and national policy makers wishing to provide guidance for Digital Service Providers (DSP). The present document
might also be used by OESs and DSPs themselves for their own implementation. The present document is not intended
to be prescriptive in the selection or use of technical specifications or requirements, as an organizational, risk-based
approach yields the most effective industry-wide implementations.
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] Directive (EU) 2016/1148 of The European Parliament and of The Council of 6 July 2016
concerning measures for a high common level of security of network and information systems
across the Union.
NOTE: Available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG.
[i.2] ENISA: "Gaps in NIS standardisation Recommendations for improving NIS in EU standardisation
policy" V.1.0, November 2016.
[i.3] ETSI TR 103 305: "CYBER; Critical Security Controls for Effective Cyber Defence".
[i.4] ETSI TR 103 421: "CYBER; Network Gateway Cyber Defence".
[i.5] Transposition of the EU Network and Information Security (NIS) Directive, Digital Europe,
Brussels, 5 July 2016.
[i.6] ETSI TR 103 331: "CYBER; Structured threat information sharing".
[i.7] ETSI TS 102 165-1: "CYBER; Methods and protocols; Part 1: Method and proforma for Threat,
Vulnerability, Risk Analysis (TVRA)".
[i.8] ETSI ETR 340: "Telecommunications Security; Guidelines for security management techniques".
[i.9] Recommendation ITU-T X.700 series (ISO/IEC 10160): "Information technology - Open Systems
Interconnection - Systems Management".
[i.10] Recommendation ITU-T X.800 series (ISO/IEC 10181, ISO/IEC 11586): "Information technology
- Open Systems Interconnection - Security frameworks for open systems, Generic upper layers
security".
[i.11] Recommendation ITU-T X.1300 series: "Network security".
[i.12] Recommendation ITU-T X.1050 series: "Security Management".
[i.13] Recommendation ITU-T X.1200 series: "Cybersecurity".
[i.14] Recommendation ITU-T M.3000 series: "Security for the management plan".
[i.15] ISO/IEC 15408: "Information technology -- Security techniques -- Evaluation criteria for IT
security".
[i.16] ISO/IEC 27000 series: "Information technology -- Security techniques -- Information security
management systems".
[i.17] IEC 62443: "Industrial communication networks - Network and system security".
[i.18] ISACA: COBIT 5 series.
[i.19] ETSI GS ISI 001 (all parts): "Information Security Indicators (ISI)".
[i.20] ETSI TR 103 303: "CYBER; Protection measures for ICT in the context of Critical Infrastructure".
[i.21] ETSI Security Week 2017.
NOTE: Available at http://www.etsi.org/etsi-security-week-2017.
[i.22] ETSI Security Week, NFV Security Tutorial.
NOTE: Available at
https://docbox.etsi.org/Workshop/2017/201706_SECURITYWEEK/04_NFVTUTORIAL/ETSI_ISGNFV_TUTORIALMATERIAL.pdf.
[i.23] ETSI Security Week, 5G Security: a government view.
NOTE: Available at
https://docbox.etsi.org/Workshop/2017/201706_SECURITYWEEK/06_5GSECURITY/S02/NCSC_HAIGH.pdf.
[i.24] Sean Barnum: "The MITRE Corporation, Standardizing Cyber Threat Intelligence Information
with the Structured Threat Information eXpression (STIX™)", 2012.
[i.25] ISO/IEC 15408: "Evaluation criteria for IT security".
[i.26] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement
of such data.
[i.27] Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000
on the protection of individuals with regard to the processing of personal data by the Community
institutions and bodies and on the free movement of such data.
[i.28] Recommendation ITU-T X.1500 series: "CYBEX Cyber security information Exchange".
[i.29] U.S. NIST Cybersecurity Framework.
NOTE: Available at https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf.
[i.30] ETSI TR 103 305-4: "CYBER; Critical Security Controls for Effective Cyber Defence;
Part 4: Facilitation Mechanisms".
[i.31] CCRA: "Common Criteria for Information Technology Security Evaluation", Version 1.0.
NOTE: Available at https://www.commoncriteriaportal.org/cc/.
[i.32] Federal Ministry of the Interior: "National Plan for Information Infrastructure Protection".
NOTE: Available at http://www.qcert.org/sites/default/files/public/documents/GER-PL-National%20Plan%20For%20Information%20Infrastructure%20Protection-Eng-2005.pdf.
[i.33] Federal Ministry of the Interior: "Critical Infrastructure Protection (CIP) Implementation Plan".
NOTE: Available at http://www.qcert.org/sites/default/files/public/documents/GER-PL-CIP%20Implementation%20Plan-Eng-2007.pdf.
[i.34] IETF draft-ietf-inch-requirements-03: "Requirements for the Format for INcident information
Exchange (FINE)".
[i.35] IETF draft-ietf-inch-iodef-02: "The Incident Data Exchange Format Data Model and XML
Implementation".
[i.36] IETF draft-ietf-inch-rid-00: "Incident Handling: Real-Time Inter-Network Defense".
[i.37] IETF draft-ietf-inch-implement-00: "The Incident Object Description Exchange Format (IODEF)
Implementation Guide".
[i.38] Recommendation ITU-T X.1500: "Overview of cybersecurity information exchange".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the terms and definitions given in the NIS Directive [i.1] apply.
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
ANSSI Agence Nationale de la Sécurité des Systèmes d'Information
BSI German Federal Office for Information Security
CCDB Common Criteria Development Board
CCRA Common Criteria Recognition Agreement
CDXI Cyber defence Data eXchange and Collaboration Infrastructure
CERT Computer Emergency Response Team
CIA Confidentiality, Integrity, Availability
CIP Critical Infrastructure Protection
CIS Center for Internet Security
COBIT Control Objectives for Information and related Technology
CPNI Centre for the Protection of National Infrastructure
CSAF Common Security Advisory Framework
CSIRT Computer Security Incident Response Team
CTI Cyber Threat Intelligence
CTIP Cyber Threat Intelligence Program
CVRF Common Vulnerability Reporting Framework
CYBEX cybersecurity information exchange
CybOX Cyber Observable expression
DIB Defense Industrial Base
DMARC Domain-based Message Authentication Reporting and Conformance
DNS Domain Name System
DSP Digital Services Providers
ENISA European Union Agency for Network and Information Security
FIRST Forum of Incident Response and Security Teams
FYROM Former Yugoslav Republic Of Macedonia
GDPR General Data Protection Regulation
IAD Information Assurance Directorate
ICT Information and Communication Technology
IETF Internet Engineering Task Force
IODEF Incident Object Description Exchange Format
ISAC Information Sharing and Analysis Centre
ISACA Information Systems Audit and Control Association
ISI Information Security Indicators
IT Information Technology
IXP Internet eXchange Point
MACCSA Multinational Alliance for Collaborative Cyber Situational Awareness
MAPP Maturity Assessment, Profile and Plan
MEC Mobile Edge Computing
MILE Managed Incident Lightweight Exchange
MISP Malware Information Sharing Platform
MS Member State
MSRC Microsoft Security Response Center
NATO North Atlantic Treaty Organization
NCIRC NATO Computer Incident Response Capability
NCSC National Cyber Security Centre
NFV Network Function Virtualization
NII Network Information Infrastructure
NIS Network and Information Security
NISD NIS Directive
NIST National Institute of Standards and Technology
OASIS Organization for the Advancement of Structured Information Standards
OES Operators of Essential Services
OSSI Office of Security and Strategic Information
OTT Over The Top
RID Real-time Inter-network Defense
SDN Software Defined Networking
SGDSN Secretariat-General for National Defence and Security
STIX Structured Threat Information eXpression
TAXII Trusted Automated eXchange of Indicator Information
TC Technical Committee
TLD Top-Level Domain
4 Overview of the NIS Directive
4.1 The context for NIS
The NIS Directive (NISD) focuses on strengthening cyber authorities at the national level, increasing coordination
among them, and introducing security requirements for key industry sectors.
The two main objectives of the NIS Directive are [i.5]:
1) ensuring a high level of cyber security for the country's critical infrastructures;
2) establishing an effective cooperation mechanism among EU Member States to further advance this objective.
The Network Information Security domain is one of the many dimensions of the multi-dimensional cyber-security
landscape that can be visualised as a set of linked questions:
a) What is cyber security?
b) Who or what is affected? i.e. What is the cyber environment?
c) What measures enable protection?
d) What measures enable threat detection?
e) What measures enable thwarting and other remedies?
f) What legal remedies exist?
The scope of NIS and the scope of cyber security overlap considerably. Whilst the focus of the NISD may be
considered to be questions c), d) and e), the reality is that the entire set of six questions needs to be considered in
giving an assurance of NIS as required by the detailed provisions of the articles of the NISD. A visual model of the
relationship of NISD within cyber security is shown in Figure 1.
[Figure 1: image not reproduced; the only recoverable label is "Focus of the Directive", marking the NISD region within the cyber security landscape]
Figure 1: Visualization of the relationship of NISD to cyber-security [i.2]
Defence against attacks on Network and Information Systems shares the same set of fundamental building blocks as
any other system. The classical Confidentiality, Integrity, Availability (CIA) model of security risk assessment and
management leads to well-known and understood triples of (threat, security dimension, countermeasure), such as
(interception, confidentiality, encryption). The role of the CIA paradigm is most often seen in two areas:
• risk analysis; and
• countermeasure deployment.
The CIA paradigm applies equally to NIS as to any other domain in cyber-security.
As can be seen in Figure 1, a considerable array of structured information exchange activity among the building blocks
is required. The NIS Directive embeds many provisions that relate to these structured information exchange
requirements; they are enumerated in Table 1.
Table 1: NIS Directive provisions relating to the structured exchange of cyber security information

Defensive measures information
  Related to risks (static):
  • to resist, at a given level of confidence, any action that compromises the availability,
    authenticity, integrity or confidentiality of stored, transmitted or processed data or the
    related services offered by or accessible via those network and information systems (Art. 3)
  • to manage the risks posed to the security of networks and information systems, etc., to
    ensure a level of security of networks and information systems appropriate to the risk
    presented, and to prevent and analyse the impact of incidents affecting the security of the
    networks and information systems (Arts. 14 and 15)
  Related to incident handling (dynamic):
  • all procedures supporting the detection, analysis, containment and response to an
    incident (Art. 3)

Cyber security risk information
  Any reasonably identifiable circumstance or event having a potential adverse effect on the
  security of networks and information systems (Arts. 3 and 8)

Incident information
  Any event having an actual adverse effect on the security of networks and information systems:
  • nature of the notified incidents, such as the types of security breaches (Art. 8a 3c -
    recital)
  • information that could support the effective handling of the incident (Art. 14 2a)
  • enable the competent authority or the CSIRT to determine the cross-border impact
    of the incident (Art. 14 2), including (a) the number of users affected by the disruption of
    the essential service; (b) the duration of the incident; (c) the geographical spread with
    regard to the area affected by the incident
  • other parameters for operators of essential service (Arts. 1, 2 and 14)

NOTE: Table 1 references are to [i.1].

These provisions form the basis for much of the guidance contained in the present document. The NIS Directive
mandates information sharing, although it is not expected that organizations that are covered by the NISD need to
implement an automated system of un-monitored reporting to their regulator or Member State (MS) Competent
Authority. What is expected is some form of automated threat intelligence sharing. In implementing NISD, there is an
important difference between mandatory reporting and voluntary sharing. Therefore, any guidelines should preserve
space for voluntary cooperation and threat intelligence sharing.
4.2 ENISA recommendations on standardization
ENISA's report on gaps in NIS standardization makes the following broad recommendations in order to extend the
technical basis for information sharing [i.2]:
• Adoption of threat exchange open standards based on the globally accepted STIX/TAXII/CyBOX platform to
be prepared as an EN defining the syntax and semantics of the data and the necessary transfer protocol, and an
accompanying guide to the implementation of the standard.
• Extension of the risk analysis and defensive measures capabilities defined in current standards to allow
Member States to address the provisions necessary to mitigate risk both at national and regional level. This
should be prepared as an EN extending the capabilities already described in ETSI TS 102 165-1 [i.7], ETSI
TR 103 305 [i.3], ISO/IEC 15408 [i.25] and in relevant ISO/IEC JTC1 27000 series standards [i.16].
It is noted that it is not possible to separate provisions for NIS from general provisions for cyber security which have
been developed by a broad array of ICT standards bodies. It is also noted that NII, NIS and cyber security cannot be
geographically isolated in their provisioning, in the origin of attack, or in defence measures, and that this distributed
complexity should be considered in implementation of the necessary information sharing required for effective NIS.
Thus many of the capabilities of the NII will of commercial necessity be implemented using software and hardware
from a global market.
4.3 Processing of personal data
The NIS Directive requires in Art. 2 that the processing of personal data be carried out in accordance with
Directive 95/46/EC [i.26] and with Regulation (EC) No 45/2001 [i.27], and Art. 15 requires cooperation with data
protection authorities, but does not otherwise treat the subject. As the NIS explanatory preamble notes, "personal data
are in many cases compromised as a result of incidents and in this context, competent authorities and data protection
authorities should cooperate and exchange information on all relevant matters to tackle any personal data breaches
resulting from incidents" [i.1]. The requirements for cooperation are referenced in preamble clause (72) [i.1]. Because
the purposes of the NIS Directive also serve these same requirements, which are simply ancillary to the NIS Directive
provisions, the protection of personal data is not explicitly treated in the present document.
5 Cyber threat intelligence sharing: incidents and risks
5.1 Introduction
5.1.1 Context
This clause addresses implementation of the NIS Directive's incident notification requirements that arise from many
different provisions enumerated in Table 1. In addition, Art. 7 of the NIS Directive requires this capability as part of a
national strategy "defining the strategic objectives and appropriate policy and regulatory measures with a view to
achieving and maintaining a high level of security of network and information systems" [i.1].
Some sector specific implementations are also required. For example, within Art. 14(3), the NIS Directive requires that
operators of essential services "notify, without undue delay, the competent authority or the CSIRT of incidents having a
significant impact on the continuity of essential services they provide." Moreover, within Art. 14(4), the NIS Directive
posits that the number of users affected by the disruption of the essential service, the duration of the incident, and the
geographical spread of the area affected by the incident may all be relevant criteria for determining the "significance" of
an incident's impact. Although not subject to obligations, the Directive emphasizes that "information about incidents is
increasingly valuable to the general public and businesses, particularly small and medium-sized enterprises" [i.1].
Following good practices will be critical to implementing incident notification requirements that empower competent
authorities or CSIRTs to take action to mitigate the impact of significant incidents without overburdening such
authorities/CSIRTs or creating additional ecosystem risk:
• the scope of incidents for which operators of essential services and digital services providers may be mandated
(subject to national law) to provide notification should be sufficiently narrow so that it does not overlap with
other EU laws and regulations or result in duplication of notification requirements;
• if notification is required, the thresholds should be structured in a way that accounts for the divergent risks and
criticalities as well as the variations embedded in different technology architectures that support those services;
and
• with regard to Operators of Essential Services, the national approaches for scoping and structuring thresholds
for incident notification requirements should be sufficiently aligned such that these operators' security response
teams can focus on responding to and recovering from incidents rather than complying with fragmented
requirements.
5.1.2 Scope of incidents
The scope of incidents for which operators of essential services are required to provide notification under the NIS
Directive should be sufficiently narrow so that it does not overlap with other EU laws and regulations or result in
duplication of notification requirements. In particular, the scope should not overlap with notification requirements
included within the EU's GDPR, resulting in multiple disclosures to multiple regulatory agencies in the event of one
security incident as well as inefficiencies and diverted resources. For instance, an incident involving a breach of
confidentiality is already covered by data breach notification requirements under the GDPR.
According to Art. 14(3), the NIS Directive's incident notification requirements cover "incidents having a significant
impact on the continuity of essential services" (emphasis added) for operators of essential services. Article 16(3) of the
NIS Directive requires digital service providers to notify an "incident having a substantial impact on the provision of a
service" [i.1]. Continuity of services refers to their availability over time, supporting users' ability to access them
and/or rely on their availability. In contrast, a breach may impact a user's ability to have assurance of confidentiality,
but it may not necessarily impact a user's ability to access data or services.
In addition, the NIS Directive's incident notification requirements should be narrowly scoped around incidents that have
an "actual adverse effect," consistent with the Art. 4 definition of an incident. Incidents that have a potential effect, such
as attempted breaches, should not be scoped into notification requirements, helping to ensure that competent
authorities/CSIRTs are not inundated with non-critical information and instead receive more prioritized and actionable
information. In addition, such prioritization protects information about operators of essential services and digital service
providers' tactics for isolating malicious attackers and mitigating the impact of network intrusions; if exposed to
attackers, such information would likely help them to more quickly and effectively evolve offensive techniques.
5.1.3 Incident notification thresholds
What incidents will meet Art. 14(3)'s articulation of "a significant impact" may vary by service and technology
architecture. As such, incident notification thresholds under the NIS Directive should be structured in a way that
accounts for the divergent risks and criticalities of different essential services as well as the variations embedded in
different technology architectures that support those services. Specifically:
• In different contexts, the relative importance of the number of users affected by the disruption of an essential
service, the geographical spread of the area affected by the incident, and the duration of an incident may vary.
For instance, the impact of the continuity/availability of a credit institution's web page will be different from
the continuity/availability of an oil production, refinement, storage, or transmission operator's web page.
• Considering the NIS Directive criteria for measuring the significance of an incident's impact, "users" and
"geographical impact" may mean different things to, or be measured in different ways by, different service
providers and at different infrastructure layers. In some contexts, it may be more relevant for operators of
essential services to consider "instances of use" than "users" as individuals. In other contexts, in compliance
with EU privacy laws, operators of essential services may be limited to tracking "users" as customers, which
may include multiple individual end users, rather than each individual end user. Likewise, depending on how a
service is provisioned, an operator of essential services may have different ways of measuring the geographical
impact of an incident, and that way may not correspond with, for instance, national borders (e.g. a particular
number of countries impacted as an incident notification threshold). Moreover, for flexible services with elastic
demand, the weight given to the number of "users" impacted or to the extent of geographical impact may
vary over time.
Ensuring that requirements are appropriately calibrated for different services and architectures is consistent with the
NIS Directive's risk-based articulation of requirements, stipulating that different types of services should be treated
according to the risk that they pose.
In addition, the criteria that trigger a "disruption" to continuity/availability should also meet a high threshold to
prioritize and ensure focus on significant incidents. In other words, the threshold for significant impact should only be
met when an entire service or a core functionality of a service is affected. Even if a non-core functionality or ancillary
feature (i.e. one not central to the service function) is disrupted broadly or over a significant period of time, it should not be
considered to meet the threshold of reportability. Similarly, impact to essential services should be measured, and
incident notification requirements triggered, only if an incident transpires and no failover processes are in place to
absorb the incident. Unless there is an actual and noticeable impact, incident notification should not be required.
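The threshold reasoning of clause 5.1.3 reads as a decision procedure: an incident is reportable only if it has an actual adverse effect, was not absorbed by failover, hits the whole service or a core function, and then reaches a service-specific significance threshold. The following is an added example written for this page, not code from ETSI or from the TR; the service profiles, the numeric thresholds, the function names and the rule that any one relevant significance dimension suffices are constructed assumptions, since the TR only states that these vary by service and architecture.

```python
"""Added example: evaluate the clause 5.1.3 notification threshold per service.

All profiles, thresholds and incidents below are constructed for illustration;
the TR itself prescribes no numbers.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ServiceProfile:
    """Per-service thresholds. A dimension set to None is not relevant for
    that service, reflecting the TR's point that the relative importance of
    users, geography and duration varies by service (values are assumptions)."""
    name: str
    core_functions: FrozenSet[str]
    min_affected_users: Optional[int]
    min_duration_minutes: Optional[int]
    min_regions: Optional[int]  # operator-defined regions, not necessarily countries


@dataclass(frozen=True)
class Incident:
    service: str
    function: str            # "*" means the entire service was affected
    actual_effect: bool      # False for attempts / potential effects only
    absorbed_by_failover: bool
    affected_users: int
    duration_minutes: int
    regions_affected: int


def notification_required(incident: Incident, profile: ServiceProfile) -> Tuple[bool, str]:
    """Return (reportable, reason) following the gates described in the TR."""
    # Gate 1: only an "actual adverse effect" counts (Art. 4 definition);
    # attempted breaches are filtered out so CSIRTs are not flooded.
    if not incident.actual_effect:
        return False, "no actual adverse effect (attempt or potential effect only)"
    # Gate 2: failover absorbed the incident, so continuity was not noticeably hit.
    if incident.absorbed_by_failover:
        return False, "absorbed by failover; no noticeable impact on continuity"
    # Gate 3: only the whole service or a core function meets the threshold;
    # broad or long disruption of an ancillary feature does not.
    if incident.function != "*" and incident.function not in profile.core_functions:
        return False, f"{incident.function!r} is an ancillary feature of {profile.name}"
    # Gate 4: significance is measured against service-specific thresholds.
    # Assumption: any relevant dimension reaching its threshold is enough.
    dimensions = [
        ("users", incident.affected_users, profile.min_affected_users),
        ("duration", incident.duration_minutes, profile.min_duration_minutes),
        ("regions", incident.regions_affected, profile.min_regions),
    ]
    met = [name for name, value, threshold in dimensions
           if threshold is not None and value >= threshold]
    if not met:
        return False, "core function affected but below every significance threshold"
    return True, "significant impact on continuity via: " + ", ".join(met)


# Constructed profiles mirroring the TR's credit-institution vs. oil-operator contrast.
PROFILES = {
    "credit-institution": ServiceProfile(
        "credit-institution", frozenset({"online_banking", "payments"}),
        min_affected_users=10_000, min_duration_minutes=60, min_regions=None),
    "oil-operator": ServiceProfile(
        "oil-operator", frozenset({"pipeline_control", "refinery_scada"}),
        min_affected_users=None, min_duration_minutes=30, min_regions=2),
}

# Constructed sample incidents (not real events).
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("credit-institution", "online_banking", False, False, 0, 0, 0),        # blocked attempt
    Incident("credit-institution", "online_banking", True, False, 50_000, 120, 1),  # real outage
    Incident("oil-operator", "web_page", True, False, 200_000, 4_320, 5),           # ancillary, 3 days
    Incident("oil-operator", "pipeline_control", True, True, 0, 10, 1),             # failover absorbed
    Incident("oil-operator", "pipeline_control", True, False, 0, 45, 1),            # core, 45 minutes
    Incident("credit-institution", "payments", True, False, 500, 15, 1),            # core but minor
]


def triage(incidents: List[Incident], profiles=PROFILES) -> List[Tuple[str, str, bool, str]]:
    """Evaluate each incident against its service profile."""
    return [(i.service, i.function, *notification_required(i, profiles[i.service]))
            for i in incidents]


if __name__ == "__main__":
    for service, function, reportable, reason in triage(SAMPLE_INCIDENTS):
        print(f"{service:20s} {function:16s} {'NOTIFY' if reportable else 'no':6s} {reason}")
```

The gates are ordered so that the cheapest exclusions (no actual effect, absorbed by failover, ancillary feature) are applied before any significance arithmetic, and every negative answer carries the reason, which is what an operator would want to log to show a competent authority why an event was not notified.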
Considering the diverse contexts that affect how governments can measure the significance of an incident impacting
operators of essential services, they could develop requirements through public-private partnerships that build on
industry perspectives. In particular, they should leverage the insights of both operators of essential services and the
technology providers that often support services that may be scoped into notification requirements (for example via the
newly established NIS Cooperation Group), ensuring that the scope and thresholds of those requirements make
notification useful to Competent Authorities/CSIRTs in fulfilling their missions without putting the
ecosystem at increased risk.
5.1.4 Alignment of approaches
Approaches to scoping and structuring thresholds for incident notification requirements should be sufficiently aligned
such that operators of essential services' security response teams can focus on responding to and recovering from
incidents rather than complying with fragmented requirements. To the extent that requirements for incident notification
are sufficiently narrowly scoped and apply appropriate thresholds for various services, they will progress toward
requirements that are likely somewhat aligned. Continued focus on alignment will then result in additional efficiencies
and cross-border coordination.
5.1.5 Incident classification indicators and metrics
A simple, high-level incident classification, with related indicators and associated metrics, is increasingly
important for organizations, companies and countries to measure the effectiveness of their security controls, to reach a
common understanding of their overall security posture and (possibly) to benchmark themselves against statistical state-
of-the-art figures. This rapid move towards genuinely quantitative cyber security is now almost
unanimously endorsed. These indicators should be positioned at the relevant level between the general controls of general reference
frameworks (such as those described in clause 6) and the detailed, more technical incident classifications such as those found in
Structured Threat Intelligence eXchange (STIX), which are at too low a level to make the production of statistical figures really
possible [i.6]. The ETSI Information Security Indicators (ISI) provide the ability to generate standardized metrics [i.19].
5.2 Concepts, models, and technical methods
Historically, cyber threat intelligence in the form of information concerning incidents, vulnerabilities, risks, and
remediations has been unstructured and generally kept within organizations or industry sectors. In operating legacy
telecommunication networks, the need for widespread, rapid exchange of this information could be met
through telephone calls and e-mails of audit information. It was not until the widespread eme
...
