Implementing regulation 2018/151 - Rules for application of Directive 2016/1148 as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
Contents
official title
Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact| Legal instrument | Implementing regulation |
|---|---|
| Number legal act | Implementing regulation 2018/151 |
| CELEX number i | 32018R0151 |
| Document | 30-01-2018; Date of adoption |
|---|---|
| Publication in Official Journal | 31-01-2018; OJ L 26 p. 48-51 |
| Effect | 20-02-2018; Entry into force Date pub. +20 See Art 5.1 10-05-2018; Application See Art 5.2 |
| End of validity | 31-12-9999 |
31.1.2018 |
EN |
Official Journal of the European Union |
L 26/48 |
COMMISSION IMPLEMENTING REGULATION (EU) 2018/151
of 30 January 2018
laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (1), and in particular Article 16(8) thereof,
Whereas:
(1) |
In accordance with Directive (EU) 2016/1148, digital service providers remain free to take technical and organisational measures they consider appropriate and proportionate to manage the risk posed to the security of their network and information systems, as long as those measures ensure an appropriate level of security and take into account the elements provided for in that Directive. |
(2) |
When identifying the appropriate and proportionate technical and organisational measures, the digital service provider should approach information security in a systematic way, using a risk-based approach. |
(3) |
In order to ensure the security of systems and facilities, digital service providers should perform assessment and analysis procedures. These activities should concern the systematic management of network and information systems, the physical and environmental security, the security of supplies and the access controls. |
(4) |
When carrying out a risk analysis within the systematic management of network and information systems, digital service providers should be encouraged to identify specific risks and quantify their significance, for example by identifying threats to critical assets and how they may affect the operations, and determining how best to mitigate those threats based on current capabilities and resource requirements. |
(5) |
Policies on human resources could refer to the management of skills, including aspects related to the development of security related skills and awareness-raising. When deciding on an appropriate set of policies on security of operation, the digital service providers should be encouraged to take into account aspects of change management, vulnerability management, formalisation of operating and administrative practices and system mapping. |
(6) |
Policies on security architecture could comprise in particular the segregation of networks and systems as well as specific security measures for critical operations such as administration operations. The segregation of networks and systems could enable a digital service provider to distinguish between elements such as data flows and computing resources that belong to a client, group of clients, the digital service provider or third parties. |
(7) |
The measures taken with regard to the physical and environmental security should ensure the security of an organisation's network and information systems from damage caused by incidents such as theft, fire, flood or other weather effects, telecommunications or power failures. |
(8) |
The security of supplies such as electrical power, fuel or cooling could encompass the security of the supply chain that includes in particular the security of third party contractors and subcontractors and their management. The traceability of critical supplies refers to the ability of the digital service provider to identify and record sources of those... |
More
This text has been adopted from EUR-Lex.
This dossier is compiled each night drawing from aforementioned sources through automated processes. We have invested a great deal in optimising the programming underlying these processes. However, we cannot guarantee the sources we draw our information from nor the resulting dossier are without fault.
This page is also available in a full version containing the legal context, de Europese rechtsgrond, other dossiers related to the dossier at hand and the related cases of the European Court of Justice.
The full version is available for registered users of the EU Monitor by ANP and PDC Informatie Architectuur.
The EU Monitor enables its users to keep track of the European process of lawmaking, focusing on the relevant dossiers. It automatically signals developments in your chosen topics of interest. Apologies to unregistered users, we can no longer add new users.This service will discontinue in the near future.