This infoshare has been recorded. You can find the recording here

Agenda 

Item | Speaker | Notes

Welcome and Introduction
Alf Moens

Slides

NIS-2 directive published 15.12.24; it should be implemented by October 2024 at the latest, with the Council recommendation to do so as soon as possible.

National transposition: EU Member States decide individually on: national implementation, scope, standards, audit and compliance structure, national CSIRT structure

Implementation coordination through: Ruling from the EC, NIS Cooperation Group, ENISA

→ Legislative challenges to align with national law 


Summary - Where are we now with NIS2
Alf Moens

GÉANT preparation NIS-2

Together with GÉANT members: Stratix report, Infoshares, wiki pages, develop and share best practices for security management

For GÉANT Association: Security improvement with internal reviews against the GÉANT Security Baseline, Compliance Strategy, Preparation for certification (ISO27K), Contact with authorities for clarification on status

New materials

  • published guidance from EC 
  • No clarification on scoping 
    • education 
    • digital infrastructure
  • NCSC Ireland: A quick guide to NIS2
  • NIS 2 Self-assessment Netherlands

CISO meetings 2023
Ana Alves

Slides CISO meetings

From July to October 2023, GÉANT met online with CISOs or equivalents from 34 NRENs. The aim was to assess security maturity, collect best practices, address concerns and identify opportunities for support from GÉANT.

It was noted that different NRENs have different perspectives on NIS2 (EU and non-EU), as well as different stages of readiness. There is often a lack of clear information from the responsible governments on NIS2, which means that the NRENs often do not have a good understanding of the legal requirements.

Nevertheless, it can be noted that most NRENs have a very positive approach to the challenges of implementing the Directive. They are following best practices, they are getting certified (ISO), they are looking for more information at national and international level and they are improving their internal maturity and supporting their communities.

GÉANT found that NRENs have good practices in planning and improvement, incident management, creativity in dealing with challenges, risk management, training and awareness, and certification. Apart from the challenges with NIS2, NRENs have shown us that most of the concerns in the security team are about human resources, networking and support, cyber attacks and different security roles.

NIS-2 at CARNET
Ivana Jelačić

Slides CARnet

Status NIS1

Two CSIRTs: 1. National CERT (one of the departments in CARNET), 2. ZSIS - Information Systems Security Bureau (CERT/CSIRT for government organisations)

CARNET position: 1. operator of key services, 2. CSIRT for five sectors, 3. National CERT (NCERT), 4. technical body for conformity assessment 

New Cybersecurity Act

under voting for adoption in parliament in Croatia for 3 sectors (autonomous sectors, semi-autonomous sectors (including scientific research and education), Other NIS2 sectors)

Main authority: National Cybersecurity Center

NIS2 

CSIRT competences are shared by the National Cyber Security Center (main authority) and the National CERT (CARNET) 

ZSIS (Information Systems Security Bureau): Cyber security certification 

CARNET position 

Supporting institution → stakeholder which supports NIS2 implementation

CSIRT for 4 sectors (banking, financial market infrastructure, research and education)

essential entity (top-level management of internet domain)

National CERT (CSIRT for private sector and citizens)


Cesnet Update
Jan Kolouch

Education is regulated by local law (based on NIS2).

Cesnet officially in scope (provider of infrastructure).

The law has not yet been approved by the Czech Parliament, but it will regulate more than it does now.

The law will define two CERTs (governmental and national).

SURF Update
SURF
Floor Jas
Still no

No answer from ministry (Education and Science).

Information on NIS2 now mainly about universities and universities for applied sciences.

As an NREN, it is still not clear whether SURF is in scope or not. The CERT task is the subject of a lot of debate in the Netherlands.

If a large part of the sector falls under NIS2, SURFCERT will as well.

DFN Update
DFN
Ralf Groeper

Same situation as in the Netherlands.

There is a trend that education will not fall under the regulations (but research organisations would → only higher education and not schools).

Critical infrastructure: only networks that are available to the public (not DFN). But telecom companies that have an annual budget of over 50 million euros will also fall under the regulation.

Not clear if DFN is a company, because they are a non-profit organisation.

Not sure if it applies to commercial purposes (whether research organisations are always in scope or only for commercial purposes).

For DFNCERT: it doesn't say anything about sector CERTs. It only talks about BSI.

RENATER Update
RENATER
Thibaud Badouard

RENATER will be in scope (not sure in which parts) because they are public network operators/domain registration.

Issue: In France they are not a commercial company but not a public organisation either (their status is completely new).

Government told RENATER that they have the right to choose organisations (even if they are not exactly in the categories).

The RENATER CERT part will not be the CSIRT for the education community because there is also a public CSIRT.

FCCN Update

João Nuno Ferreira

FCCN are already in scope because they operate an internet exchange (already in scope for NIS1).

FCCN have received clarity on when research organisations will be included in NIS2 and when they will not. They are waiting for the first drafts of Portuguese legislation.

Will CERT be CSIRT for the sector? For all entities to the network and the Ministry (the rest will be the Cyber Security Centre). 


Next meeting

Next infoshare will be in March 2024.