
1. The EU Regulations and IT security: An industry perspective
Ilias Chantzos, Government Relations EMEA
Terena Conference, May 2006
2002 Symantec Corporation, All Rights Reserved

2. Some EU terminology
- Directive
  - Not directly applicable, aims to achieve an objective
- First Pillar vs Third Pillar
- Framework Decision
  - As opposed to a Directive
- Co-decision Process
  - As opposed to unanimity

3. Has the EU been looking at IT security?
- For a very long time
  - OECD Guidelines 1986
  - SOGIS
  - Council Resolution on NetSec
  - Cybercrime Communication
  - Network Security Communication
  - eEurope 2002 and 2005
  - ENISA
  - i2010

4. Does the EU have security competence?
NO!! Well, maybe it gradually starts getting one
Originally limited, no operational capabilities yet
- Some legislation in place
  - Data protection Directives
- Third Pillar initiatives
  - Anti-terrorism package
  - De Hague framework
  - Framework Decision on attacks against information systems
  - CoE Cybercrime Convention
  - Data retention
- ECJ challenged the decision-making structure

5. Data protection
- Directives 95/46/EC (generic) and 2002/58/EC (specific)
- Generic Directive covers all activities related to processing of personal data
- Specific Directive covers only electronic communications
- Create independent authorities responsible for supervision and enforcement
- Very interesting from a security standpoint

6. The Generic Directive
- Defines data categories
- Requires information collection fairly and lawfully subject to consent
- Requires information security and availability for the storage of data
- Requires access to data subject and rectification of the data
- Forbids cross-border transfer of personal data
- Determines jurisdiction

7. Specific Directive
- Defines traffic data
- Requires network security
- Obliges eCommunication providers to notify users of the services of imminent threats
- Obliges the destruction of traffic data if no excluded specific business is applicable
- Forbids spam distribution
- Leaves the door open for data retention

8. Data retention
- Commission proposal under serious discussion among the European institutions
  - What is the scope of retention?
  - What data?
  - How much?
  - How long?
- Security requirements for data holders
- Diverging implementation in MS

9. The political landscape of data retention
- Too early to say what will happen in every country
- Some retention regime already exists in several jurisdictions
- Difficult to argue against the need for security of the retained data
- Depending on the implementation there will be issues of cost, technological complexity and compliance
- Law enforcement authorities need the appropriate tools to do their job
- Privacy law is challenged in Europe

10. What does this mean for Service Providers?
- Service providers are faced with numerous information integrity challenges by creating huge traffic data vaults
- Traffic data will need to be:
  - Available
  - Secure
  - Authentic beyond reasonable doubt
  - Constantly collected over a wide geographical region and over a variety of services
  - Achievable
  - Searchable
  - Retrievable/Extractable
  - Securely communicated upon request
  - Resilient
  - Auditable
- Cost, complexity and compliance (legal and technical)

11. Third pillar legislation
- Framework Decision on Attacks Against InfoSystems
  - Hacking, viruses, DoS are crimes
  - Uniform definitions, incriminations, sanctions
- Council of Europe Convention on Cybercrime
  - Everything that the Framework Decision has and more…
  - More offences, such as misuse of devices, or child porn
  - Procedural rules
    - Preservation
    - Warrants
  - Mutual legal assistance
- EU cooperation
  - SIS2, VIS, Eurodac

12. Down the pipeline
- Traffic data retention has arrived
  - Applicable to all 25 Countries, albeit with divergences
- i2010
  - Expected Commission communication on network security
  - Initiatives expected to be announced
  - Review of 2002/58/EC
- Revision of the legal basis as a result of ECJ
  - Framework Decision on cybercrime is affected
- ENISA gradually defining a role
- CIP consultation completed

13. Critical Infrastructure Protection
- EU Program aiming at developing policy to protect CIP across Europe
- All-hazards approach with a terrorism focus
- Covers cross-border infrastructure
- Several industries affected
  - Communications/Internet
  - Chemicals
  - Energy
  - Etc.
- Opportunities for funding but also for government intervention

14. So what is the impact?
- More regulation increases
  - Cost
  - Complexity
  - Compliance
- More harmonisation across Europe
  - Easier to do business cross-border
  - Higher standards at Member States level
  - A higher level of security
- A lot depends on how this will cascade to Member States

15. What does the future hold?
- Security is very high on the political agenda
- Information security will continue to attract political interest as an element of the wider security package
- Regulation on other topics will add new security-related rules (for example, corporate governance)
- Expect more regulatory intervention from Brussels

16. Thank You!
Ilias_chantzos@symantec.com
+3225311161

