The aim of the study is to provide a mapping of the technical requirements of the NIS Directive to existing standards, to identify gaps and overlaps in related standardisation and provide recommendations for the future work in this area.
The report identifies a relatively small number of gaps and areas of overlap in standardisation where there is no clear best practice to be adopted partly due to the diversity of the current standardisation ecosystem. This allows for several recommendations:
- It is recommended that the European Commission adopt a standards based framework for the exchange of threat and defensive measure information, that impacts the functioning of Network Information Infrastructure (NII), with the support of the Member States pursuant to the NIS Directive. The capabilities from this framework underscore NII as a Critical Infrastructure of the EU and its Member States and can further act a manual and reference point.
- ENISA urges to adopt open standards in threat exchange. This translates into increased interoperability and improved cooperation and information sharing. In this context, the risk analysis and defensive measures capabilities defined in current standards should be extended, to allow Member States to address the Network Information Infrastructure and NIS provisions necessary to mitigate risk both at a national and regional level.
- At another level, it will be useful to highlight the similarities between the USA Cybersecurity Act and the NIS Directive and promote possible synergies in the application of standards.