Report on RM/RA in European regulation, international guidelines

This ENISA result encompasses international normative texts that directly or indirectly refer to aspects of Risk Management / Risk Assessment (RM / RA). The need for such a collection of regulations, directives, codes of practice and other documents of normative character has been communicated to ENISA by various players in the area of Risk Management. To our knowledge, such a compilation of normative texts in the context of Risk Management / Risk Assessment is unique at the European level.

Due to the limited resources available, only texts with European/international applicability have been considered within this document; individual national normative texts have been left out of its scope.

The relevance of the considered texts to Risk Management / Risk Assessment has been identified on the basis of overview material delivered by ENISA in 2006 (see the ENISA report on “Risk Management: Implementation principles and Inventories for Risk Management / Risk Assessment methods and tools”). The degree of relevance ranges from direct to indirect, according to how specific the references found in the normative texts are.

Apart from the relevant provisions of each normative text, we present a short, comprehensible description of the consequences of the text for Risk Management / Risk Assessment. This description is intended to help experts without a legal background understand the essence of the normative text with regard to Risk Management.

The presented material has been grouped into categories according to the horizontal applicability of normative areas, e.g. Data Protection/Privacy, National Security, Civil and Penal Law, Corporate Governance, etc. Vertical applicability according to application areas (e.g. Telecommunications, Financial Services, Health and Commerce Services) has not been considered, because the relevance of legal requirements to an application area may vary with the security context of the information being processed within the application. Thus, vertical aspects did not seem “stable” enough to be used as the basis for the classification.

The content of this section is in line with a study performed by the ENISA ad hoc Working Group RANIS in 2006. The RANIS study presents EU legal instruments related to Network and Information Security (NIS). That study is an inventory of European legislation on NIS, whereas the present section focuses on Risk Management and also covers international normative texts.