[Owasp-leaders] EC consultation on risk management and breach reporting

Colin Watson colin.watson at owasp.org
Sun Aug 5 14:15:01 UTC 2012


I would like to ask if OWASP leaders, especially in the EU, would be
able to work together to produce a combined response to the following
EC consultation. We would need:

- 1 or 2 people to coordinate actions, generate a consistent response,
and seek EU-chapter-wide support for the final draft
- several people to act as points of contact for particular sections
of the response
- other people to ask for input from participants through their local
chapter lists


The European Commission has published a consultation document called
"Improving Network and Information Security (NIS) in the EU" but
essentially relating to future risk management and breach reporting
requirements. Currently in the EU only telecoms companies and ISPs
are subject to breach reporting.

    Background information

      As PDF

      As online form

 Some of the questions appear to be a good fit for OWASP to respond
to, for example:

    3.9. Information exchange between private companies and between
the public and private sector on incidents, threats and risks is key
to share best practices, build capabilities, develop trend analysis,
manage risks effectively or reduce the impacts of incidents. What are
the most effective ways to facilitate such exchanges at EU level
(please explain)?

    3.16. Everybody (business, consumers and governments) should
ensure a minimum level of protection against cyber threats. Do you

    3.17. Which actions can reasonably be expected to be taken
respectively by business, consumers and governments to better protect
themselves on-line?

    3.18. It is key to empower consumers and help them identify
companies with good levels of cyber security protection. Which is the
best way to achieve this objective?
        - Stimulate the development of industry-led standards at EU level [or]
        - Give guidance at EU level to enable consumers to
differentiate good security products and services [or]
        - Define compulsory security standards for goods and services
at EU level [or]
        - Other

    3.19. If you chose other [in 3.18], please specify

    3.22. People driving a car are required to take security measures
to protect themselves and others. Do you consider that people using the
Internet should also be subject to security obligations? If yes, which

    3.23. It is important to ensure security throughout the supply
chain. Which is the most effective way to encourage all actors in the
value chain (e.g. product manufacturers, software developers and
Internet companies) to invest in security solutions at an appropriate

    4.1.7. Would you in principle be favourable to the introduction of
a regulatory requirement to manage NIS risks?


If you would like to take part, please reply directly, or via the GIC
mailing list:


We have until October, but would really need to prepare a draft
response by early September.


Colin Watson
OWASP Global Industry Committee
