This infoshare has been recorded. You can find the recording here.
Agenda
| Item | Speaker | Notes |
|---|---|---|
| Welcome and Introduction | Alf Moens | NIS-2 directive published 15.12.24, should be implemented latest October 2024, but with the council recommendation to do it asap. National transposition: EU Member States decide individually on national implementation, scope, standards, audit and compliance structure, national CSIRT structure. Implementation coordination through: ruling from the EC, NIS Cooperation Group, ENISA → legislative challenges to align with national law. |
| Summary - Where are we now with NIS2 | Alf Moens | GÉANT preparation for NIS-2. Together with GÉANT members: Stratix report, infoshares, wiki pages, develop and share best practices for security management. For GÉANT Association: security improvement with internal reviews against the GÉANT Security Baseline, compliance strategy, preparation for certification (ISO27K), contact with authorities for clarification on status. New materials. |
| CISO meetings 2023 | Ana Alves | From July to October 2023, GÉANT met online with CISOs or equivalents from 34 NRENs. The aim was to assess security maturity, collect best practices, address concerns and identify opportunities for support from GÉANT. It was noted that different NRENs have different perspectives on NIS2 (EU and non-EU), as well as different stages of readiness. There is often a lack of clear information from the responsible governments on NIS2, which means that the NRENs often do not have a good understanding of the legal requirements. Nevertheless, it can be noted that most NRENs have a very positive approach to the challenges of implementing the Directive. They are following best practices, they are getting certified (ISO), they are looking for more information at national and international level and they are improving their internal maturity and supporting their communities. GÉANT found that NRENs have good practices in planning and improvement, incident management, creativity in dealing with challenges, risk management, training and awareness, and certification. Apart from the challenges with NIS2, NRENs have shown us that most of the concerns in the security team are about human resources, networking and support, cyber attacks and different security roles. |
| NIS-2 at CARNET | Ivana Jelačić | Status NIS1: two CSIRTs: 1. National CERT (in CARNET, one of the departments), 2. ZSIS - Information Systems Security Bureau (CERT/CSIRT for government organisations). CARNET position: 1. operator of key services, 2. CSIRT for five sectors, 3. National CERT (NCERT), 4. technical body for conformity assessment. New Cybersecurity Act under voting for adoption in parliament in Croatia for 3 sectors (autonomous sectors, semi-autonomous sectors (including scientific research and education), other NIS2 sectors). Main authority: National Cybersecurity Center. NIS2 CSIRT competences are shared by the National Cyber Security Center (main authority) and the National CERT (CARNET). ZSIS (Information Systems Security Bureau): cyber security certification. CARNET position: supporting institution → stakeholder which supports NIS2 implementation; CSIRT for 4 sectors (banking, financial market infrastructure, research and education); essential entity (top-level management of internet domain); National CERT (CSIRT for private sector and citizens). |
| Cesnet Update | Jan Kolouch | Education is regulated by local law (based on NIS2). Cesnet officially in scope (provider of infrastructure). The law has not yet been approved by the Czech Parliament, but it will regulate more than it does now. Law will define two CERTs (governmental and national). |
| SURF Update | Floor Jas | No answer from ministry (Education and Science). Information on NIS2 now mainly about universities and universities of applied sciences. As NREN still not clear if in scope or not. CERT task: a lot of debate in the Netherlands. If a large part of the sector will be under NIS2, SURFCERT will also. |
| DFN Update | Ralf Groeper | Same situation as in the Netherlands. There is a trend that education will not fall under the regulations (but research organisations would → only higher education and not schools). Critical infrastructure: only networks that are available for the public (not DFN). But also companies in telecom that have an annual budget over 50 million euros a year will fall under regulation → not clear if DFN is a company, because they are a non-profit organisation. Not sure if applied to commercial purposes (if research organisations are always in scope or only for commercial purposes). For DFN-CERT: it doesn't say anything about sector CERTs. It only talks about BSI. |
| RENATER Update | Thibaud Badouard | RENATER will be in scope (not sure in which parts) because they are public network operators/domain registration. Issue: in France they are not a commercial company but not a public organisation either (their status is completely new). Government told RENATER that they have the right to choose organisations (even if they are not exactly in the categories). RENATER CERT part will not be CSIRT part for the education community because there is also a public CSIRT. |
| FCCN Update | João Nuno Ferreira | FCCN are already in scope because they operate an internet exchange (already in scope for NIS1). FCCN have received clarity on when research organisations will be included in NIS2 and when they will not. They are waiting for the first drafts of Portuguese legislation. Will CERT be CSIRT for the sector? For all entities connected to the network and the Ministry (the rest will be the Cyber Security Centre). |
Next meeting
Next infoshare will be in March 2024.