EU Cybersecurity Dashboard - A Path to a Secure European Cyberspace
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
EU Cybersecurity Dashboard
A Path to a Secure European Cyberspace
BUSINESS SOFTWARE ALLIANCE AEU Cybersecurity Dashboard A Path to a Secure European Cyberspace
CONTENTS
EXECUTIVE SUMMARY. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
KEY FINDINGS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Legal Foundations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Operational Entities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Public-Private Partnership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Sector-Specific Cybersecurity Plans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
EUROPEAN UNION CYBERSECURITY
MATURITY DASHBOARD (2015). . . . . . . . . . . . . . . . . . . . . . . . . . 8
EUROPEAN UNION CYBERSECURITY
COUNTRY SUMMARIES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11EXECUTIVE SUMMARY
The promise of today’s interconnected world is immeasurable.
Technology has become integral to virtually every sector of the global
economy, including banking, communications and the electrical grid.
The benefits that stem from that promise, however, face very real threats.
Attackers — in ever greater numbers and with Such policy and legal frameworks and appropriate
increasing sophistication — see, in the growing implementation structures must be stable and clear,
promise of our tech-connected world, opportunities but they need also to remain flexible. They must
to steal or cause major disruption or destruction take into account and be able to adjust to the
by exploiting vulnerabilities. Unfortunately, as evolving threat environment that is inherent in the
technology’s benefits expand and evolve, so too will technology arena.
the threats. Countering those threats and ensuring the
resilience of our cyber-enabled systems will require The purpose of this report — the first-of-its-kind
flexibility and an ability to evolve as well. BSA EU Cybersecurity Dashboard — is to provide
government officials in each of the EU Member States
For governments, protection from cyber-attacks — with an opportunity to evaluate their country’s policies
as well as the ability to both mitigate the harms of against these metrics, as well as their European
any such instances and to address all newly emerging neighbors.
threats — can be found in the cybersecurity policies
they adopt and execute. Three elements must be The most important takeaways of the report can be
present: the proper legal and policy frameworks along summarised as follows:
with the appropriate public input and the necessary Most EU Member States recognise that working
infrastructure needed to implement those frameworks. toward cybersecurity and cyber resilience —
Laws, rules, institutions and appropriate structure to with particular focus on the protection of critical
facilitate cooperation with relevant stakeholders are infrastructure — should be an important national
the key foundations that support countries, as well as priority.
non-governmental actors in their effort to protect their Considerable discrepancies exist between
systems and prevent, mitigate and respond to cyber- Member States’ cybersecurity policies, legal
attacks. frameworks and operational capabilities, creating
notable cybersecurity gaps across Europe.
www.bsa.org 1EU Cybersecurity Dashboard A Path to a Secure European Cyberspace
In addition to this report, the detailed results of the research are available online
— at www.bsa.org/EUcybersecurity.
While 27 EU Member States have established communities, effectively sharing meaningful
operational entities, such as computer emergency cybersecurity information and prioritising the
response teams (CERTs), the mission and protection of critical infrastructures are key steps
experience of those entities vary greatly. which will increase cybersecurity and cyber
resilience of all EU Member States.
One notable gap is the lack of systematic
cooperation with non-governmental entities and In addition to this report, the detailed results of the
public-private partnerships: a well-established research are available online — at www.bsa.org/
framework in place for such partnerships exists EUcybersecurity.
in only five EU Member States. This leaves a
large area untapped for effective, voluntary Just as cybersecurity is an ever-evolving field, this
collaboration between governments and the report is also intended to be a living document. As
private sector that owns and operates the majority national governments and decision makers update
of commercial critical infrastructure services in their frameworks to address the remaining gaps, this
Europe. website will be updated to show progress across
the relevant areas. We invite you to review these
Achieving a coherent approach and common results and contact BSA | The Software Alliance with
baseline level of cybersecurity in the EU will information regarding any relevant changes.
require a sustained effort. The Network and
Information Security (NIS) Directive and its
implementation presents an opportunity to
focus on protecting Member States’ most critical METHODOLOGY
services and assets. Doing so would enable the
This study is based on an assessment of twenty
NIS Directive to play a key role in closing Europe’s
five criteria across five themes. (See results,
cybersecurity gap.
pages 8–9.) Each of the criteria are given a
This year’s report, thus, highlights some fundamental “Yes”, “No”, “Partial”, or “Not Applicable”
challenges as well as significant opportunities for status. There are no overall rankings or scores in
improving cybersecurity across the EU. If EU Member this study.
States can align their approach to cybersecurity and
This analysis is the result of desk-based research
bring their capabilities to a comparable, coherent
on publicly available information, and did not
baseline level, it will be a major step towards achieving
involve direct interviews with national agencies.
a true Digital Single Market in the EU.
Where possible we have included links to further
Cybersecurity and cyber resilience are often information and resources. These are available
thought of as a funding challenge, but primarily on our homepage.
it is a management one. Getting the right policy,
The research period concluded on 1 January
legal and operational frameworks in place, improving
2015 and general information in the report is
collaboration with various relevant stakeholders’
correct up to that date.
For detailed information on the methodology
used, please visit our website www.bsa.org/
EUcybersecurity.
2 BSA | The Software AllianceTHE BUILDING BLOCKS OF A STRONG LEGAL
CYBERSECURITY FRAMEWORK
Construct Solid Legal Foundations Establish Operational Entities with Key
Governments should enact and keep up-to-date a Responsibilities for Security
comprehensive legal and policy framework, based on Governments should set up operational entities to
a solid national cybersecurity strategy. This framework support the prevention of cybersecurity incidents and
should be built upon the following key principles. to ensure response to them. A core component of this
is the establishment of operational computer security,
Risk-based and prioritised: Cyber-threats come in emergency and incident response teams.
many shapes and magnitudes with varying degrees
of severity. Establishing a hierarchy of priorities —
based on an objective assessment of risk — with Engender Trust and Work in Partnership
critical assets and/or critical sectors at the top is No country or government can address cybersecurity
an effective starting point from which to ensure risk in isolation. Collaboration with non-governmental
that cyber protections are focused on those areas entities as well as with international partners and allies
where the potential for harm is greatest. is a crucial component of an effective approach to
cybersecurity.
Technology-neutral: A technology-neutral
approach to cybersecurity protection is vital to Partnering with the private sector: Most
ensure access to the most secure and effective infrastructure is owned by the private sector,
solutions in the marketplace. Specific requirements making effective public-private cooperation
or policies that mandate the use of certain essential. Cooperation also improves the
technology only undermine security by restricting effectiveness of risk management by improving the
evolving security controls and best practices and sharing of information, experience and perspective
potentially creating single points of failure. of multiple sources. Particular efforts are needed
to foster trust and avoid legal obstacles that may
Practicable: Any strategy is only as effective as it is
hinder it.
adoptable by the largest possible group of critical
assets and implementable across the broadest Global rather than isolated: Given that cyber
range of critical actors. Overly burdensome threats are global, effective cybersecurity policies
government supervision of private operators, or and strategies need to maintain an international
disproportionately intrusive regulatory intervention outlook, building on joint efforts with partners and
in their operational management of cybersecurity allies. They should also leverage international,
risk would most often prove counterproductive, voluntary and market-driven standards in order
diverting resources from effective and scalable to maximise pan-regional and global information
protection to fragmented administrative sharing and protection.
compliance.
Flexible: Managing cyber risk is a cross-disciplinary Foster Education and Awareness About
function and no one-size-fits-all approach exists. Cybersecurity Risk
Each industry, system and business faces distinct
challenges, and the range of actors must have People, process and technology are equally important
flexibility to address their unique needs. to ensuring cybersecurity. Even the best technology
will be ineffective if not used appropriately. Awareness
Respectful of privacy and civil liberties: Security raising, education and training about clearly
requirements should be duly balanced with the articulated cybersecurity priorities, principles, policies,
need for protection of privacy and civil liberties. processes and programs are essential components of
Ensuring that requirements and obligations are any cybersecurity strategy.
proportionate, do not represent more intrusion in
fundamental rights than what is strictly necessary,
follow due process and are supported by adequate
judicial oversight are all important considerations
to address in any cybersecurity framework.
www.bsa.org 3EU Cybersecurity Dashboard A Path to a Secure European Cyberspace
KEY FINDINGS
Recent high-profile cybersecurity incidents have underlined the crucial
importance of strengthening cyber resilience in general, as well as the
protection of critical infrastructure from cyber threats, both in Europe
and around the world. In order to achieve these goals, public and private
stakeholders need to be equipped with the capacity to effectively prevent,
mitigate and respond to cyber-attacks and incidents.
With an increasing focus on improving cyber resilience A key component, and in many ways the
in both the Member States and at the EU level, this foundation, of this framework is a national
report — the first-of-its kind BSA EU Cybersecurity cybersecurity strategy, which is critical for managing
Dashboard — provides a comprehensive overview of national level cyber risks and developing appropriate
the state of the current cybersecurity frameworks and legislation to support those efforts. A strong
capabilities. cybersecurity strategy should be a “living document,”
developed and implemented in partnership with key
As detailed below, the report examines five key areas public and private stakeholders. It should contain
of each EU Member State’s cybersecurity policy clearly articulated principles and priorities that reflect
environment: societal values, traditions and legal principles.
Legal foundations for cybersecurity;
In this regard, there is a need for further improvement
Operational capabilities; within the EU. Only 19 of the 28 Member States have
Public-private partnerships; more or less detailed and comprehensive cybersecurity
Sector-specific cybersecurity plans; and strategies in place, while eight have not declared
any such framework at all. Even in the case of those
Education. countries with adopted cybersecurity strategies, the
quality of these is variable, many remaining vague and
high-level, lacking a clear implementation plan.
LEGAL FOUNDATIONS
Furthermore, most of these documents seem static.
Policymakers have a key role to play in ensuring that Only a small number of countries have already revised
both public and private entities are well equipped and improved their initial strategies and published an
to face the cybersecurity challenges of an ever more updated one. Finally, only a minority of the Member
connected world. They can achieve this not only by States have reinforced their cybersecurity strategy
establishing appropriate legal and policy frameworks, with relevant legislative and policy instruments that
but also through promoting cybersecurity awareness address security, information classification obligations
and cooperation with the different actors involved in and critical information infrastructure protection
working towards cyber resilience. requirements.
4 BSA | The Software AlliancePolicymakers have a key role to play in ensuring that both public and private
entities are well equipped to face the cybersecurity challenges of an ever more
connected world.
Governments also should assess and establish Sharing cybersecurity relevant information is no
clear priorities among the critical services and doubt an important aspect of an effective approach
infrastructures that most need protection. Not to cyber resilience, as it serves the interest of both
all assets, systems, networks, data and services are public and private stakeholders. This is because it
equally essential. Accordingly, it is important that increases collective awareness and, thereby, enables
decision makers assess the national infrastructure, every stakeholder to adapt their security posture to the
based on objective criteria and subject to public evolution of the threat landscape.
comment, and determine those that are providing
critical services and functions, whose compromise, Effective information sharing, however, requires
damage or destruction through a cybersecurity information protection, appropriate information
incident could have national significance. classification requirements are therefore crucial. This is
recognised by almost all EU Member States as most of
The results of this study show that more than half of them have such classification requirements in place.
the EU Member States have not yet gone through this
evaluation process in order to pursue a strategy or Governments also should facilitate information
plan to protect their most important assets. sharing by supporting the creation of public-private
partnerships and sector-specific collaboration (see
Once these critical infrastructures are identified, below), as well as by providing the necessary human
their cyber resilience needs to be evaluated in order and technical resources, operational entities and the
to identify and address vulnerabilities and gaps. appropriate legal protections against anti-trust claims,
undue disclosure requirements or liabilities, and
Best practices developed in the private sector often identify and address any other policy and legal barriers
include systematic internal and third party audits that may inhibit information sharing.
to test the cyber resilience of critical systems. This
approach is equally valuable for the public sector, yet
the study has shown that most EU Member States and
public bodies do not follow such best practices.
OPERATIONAL ENTITIES
Incident-response capabilities should be established
Finally, as discussions around mandatory cyber
to manage the most critical and significant events that
incident reporting intensify, it is important to note that
threaten the confidentiality, integrity or availability
most European countries seem to remain reluctant
of nationally significant information networks and
to introduce such schemes, many of them favoring
systems. Computer emergency response teams
formal or informal cooperation with the private
(CERTs) and computer security incident response
sector. Many fear that a mandatory requirement
teams (CSIRTs) can play a crucial role in improving
to notify incidents may be less effective than the
cyber resilience.
exchange of information based on mutual trust and
ongoing collaboration. These bodies can provide incident response services
to victims of attacks; share information concerning
Indeed, if a notification regime should be introduced,
vulnerabilities and threats with key stakeholders in the
most Member States recognise the importance that
government, private sector and in some instances with
only incidents having a significant impact or causing
the broader public; and offer other ways of helping to
a serious risk of harm should be captured by the
improve computer and network security.
obligation.
www.bsa.org 5EU Cybersecurity Dashboard A Path to a Secure European Cyberspace
Effective partnership between public and private sectors is all the more important
because non-government entities manage and operate many critical infrastructures
that we rely on every day, including those that control transportation, health,
banking and energy.
Given this important role, it is a positive development guidance that is tailored to the business needs of
that most EU Member States have operational CERTs, particular entities or provides methods to address
with only Cyprus and Ireland yet to make their CERTs unique risks or specific operations in certain sectors.
fully operational.
Moreover, while there is a growing interest in
Most of the countries also have established establishing sector-specific responses to cybersecurity,
competent national authorities for network and practical implementation is still fairly limited in the
information security. Member States. The same countries that are leading
the way in public-private partnerships also are the
leaders in this field, often establishing sector-specific
PUBLIC-PRIVATE PARTNERSHIP dialogues and information exchanges with the private
sector. Such steps can help promote the most suitable
The culture of cybersecurity requires collaborative and effective guidance throughout individual sectors.
efforts and coordination among all national
stakeholders. Effective partnership between public
and private sectors is all the more important because EDUCATION
non-government entities manage and operate many
critical infrastructures that we rely on every day, No single entity or group of stakeholders can
including those that control transportation, health, secure cyberspace alone — and no individual or
banking and energy. group is without responsibility for playing a part
in cybersecurity. As not only governments, but
While the importance of cooperation is recognised organisations of all sizes, as well as consumers, need to
in Europe, there is a wide diversity in national take steps to secure their own systems, education and
approaches and maturity levels on this issue. Five awareness raising play a crucial role.
countries — Austria, Germany, the Netherlands, Spain
and the United Kingdom — are leading the way by This requires educational and awareness-raising
having established formal public-private partnerships campaigns as well as support for the development and
for cybersecurity. generalisation of cybersecurity training in universities
and in earlier curricula.
On the other hand, public-private partnerships for
cybersecurity are either non-existent, very restricted, The European Union has expressed a strong
or still at a very early stage of development in the commitment to cybersecurity education and
majority of the Member States. awareness raising and is acting upon this
commitment. For instance, the European Cyber
Security Month takes place every October all over
SECTOR-SPECIFIC CYBERSECURITY Europe, with most EU countries participating.
PLANS On the other hand, a small number of countries,
including Greece, Malta, Portugal and Slovenia
While certain elements of cybersecurity protection
have yet to implement national education strategies
apply across all areas, and a wide variety of
in this field.
recommendations are available from national and
international organisations, there is also a need for
6 BSA | The Software AllianceSTUMBLING BLOCKS IN THE PATH TO TRUE SECURITY
Some governments today are invoking cybersecurity Avoid Data Localization Rules
as a justification for a variety of policies that go
With the rise of global cloud computing services,
beyond what is needed to address legitimate security
companies of all sizes around the world can leverage
concerns. In fact, such policies often undermine
powerful resources that were once available only to the
cybersecurity rather than improve it. They also impose
largest firms. The cloud model, though, is based on
unfair market access barriers on global producers and
networks that allow the storage and processing of data
service providers, whether intended or not.
in multiple locations and even in multiple countries. By
allowing data to flow freely among multiple markets,
Avoid Unnecessary or Unreasonable cloud providers can deliver numerous advantages,
Requirements including reliability, resiliency, and 24-hour service
support.
A proper cybersecurity policy enables organisations
to develop and adopt the widest possible choice of Based on the mistaken assumption that data is safer in
cutting-edge cybersecurity solutions. It also allows a specific location, some countries are imposing rules
entities to implement the security measures that are that prohibit or significantly impede data transfers
most effective at mitigating the specific risks they face. across borders. Policies that unnecessarily restrict the
free flow of data undermine the very benefits of cloud
Some governments instead impose various computing by increasing costs and threatening to
requirements that restrict choice, increase costs prevent access to emerging cloud-enabled services.
and reduce the ability of their own firms to use the
most appropriate cybersecurity tools available.
These include, but are not limited to, country unique Avoid Preferences for Indigenous Technologies
certification conditions or local testing requirements; Cutting-edge products and services are developed
mandates for local content; requirements to disclose through global collaboration in research and design
sensitive information, such as source codes and centers in many different countries. Countries should
encryption keys; and, restrictions on foreign ownership create incentives for cross-border collaboration to
of intellectual property. facilitate voluntary technology transfer and the rapid
development and deployment of enhanced products
Refrain from Manipulating Standards and services.
Technology standards play a vital role in enabling and However, some countries take the opposite approach,
enhancing cybersecurity. By supporting internationally assuming that by preventing foreign competition
recognised technical standards that are developed they can protect domestic champions, develop
with industry participation and accepted across an indigenous technology industry, and enhance
markets, companies can more quickly develop and cybersecurity. By definition, indigenous technologies
distribute newer and more secure products. are a subset of global innovation. Preventing foreign
competition reduces cybersecurity by denying firms
Even so, some governments have imposed and agencies from buying world-class products
country-specific standards with the argument that and services. Furthermore, such policies deprive
requiring market-specific rules will lead to improved domestic technology firms of valuable opportunities
cybersecurity. The real effect, however, is the opposite. to collaborate with global leaders and make them less
Government-imposed standards, rather than competitive internationally, harming global innovation.
bolstering security, tend to freeze innovation and force
consumers and businesses into using products that
might not suit their needs.
www.bsa.org 7EU Cybersecurity Dashboard A Path to a Secure European Cyberspace
EUROPEAN UNION CYBERSECURITY MATURITY DASHBOARD (2015)
Czech Republic
4 Yes 6 No Partial
Denmark
Bulgaria
Belgium
Estonia
Finland
Croatia
Austria
Cyprus
France
# QUESTION
LEGAL FOUNDATIONS
1. Is there a national cybersecurity strategy in place? 4 4 6 6 4 4 6 4 4 4
2. What year was the national cybersecurity strategy adopted? 2013 2012 – – 2013 2011 – 2014 2013 2011
3. Is there a critical infrastructure protection (CIP) strategy or plan
in place?
4 6 6 4 6 4 4 6
4. Is there legislation/policy that requires the establishment of a
written information security plan?
6 6 6 6 6 4 4 6
5. Is there legislation/policy that requires an inventory of
“systems” and the classification of data?
4 4 4 4 4 4 4 4 4
6. Is there legislation/policy that requires security practices/
requirements to be mapped to risk levels?
4 4 4 4 6 4 4 4 4 4
7. Is there legislation/policy that requires (at least) an annual
cybersecurity audit?
4 6 6 6 6 6 4 4 6
8. Is there legislation/policy that requires a public report on
cybersecurity capacity for the government?
6 6 6 4 6 4 4 6
9. Is there legislation/policy that requires each agency to have a
chief information officer (CIO) or chief security officer (CSO)?
6 6 6 6 6 6 6 6 6 4
10. Is there legislation/policy that requires mandatory reporting of
cybersecurity incidents?
6 6 6 4 4 6 4 6 6
11. Does legislation/policy include an appropriate definition for
"critical infrastructure protection" (CIP)?
4 4 4 6 6 4 4 4 4 6
12. Are requirements for public and private procurement of
cybersecurity solutions based on international accreditation or 4 N/A N/A N/A 4 4 4
certification schemes, without additional local requirements?
OPERATIONAL ENTITIES
1. Is there a national computer emergency response team (CERT)
or computer security incident response team (CSIRT)?
4 4 4 4 6 4 4 4 4 4
2. What year was the computer emergency response team (CERT)
2008 2008 2008 2009 – 2011 2009 2008 2014 2008
established?
3. Is there a national competent authority for network and
information security (NIS)?
4 4 4 4 4 4 4 4
4. Is there an incident reporting platform for collecting
cybersecurity incident data?
4 4 4 4 6 4 4 4 4 4
5. Are national cybersecurity exercises conducted? 4 4 4 4 4 4 4
6. Is there a national incident management structure (NIMS) for
responding to cybersecurity incidents?
4 6 6 6 4 6 6
PUBLIC PRIVATE PARTNERSHIPS
1. Is there a defined public private partnership (PPP) for
cybersecurity?
4 6 6 6
2. Is industry organised (i.e. business or industry cybersecurity
councils)?
4 4 6 6 6 4 4 6
3. Are new public private partnerships in planning or underway (if
so, which focus area)?
4 – 6 6 6 6 6 6
SECTOR SPECIFIC CYBERSECURITY PLANS
1. Is there a joint public private sector plan that addresses
cybersecurity?
4 6 6 6 6 6 4
2. Have sector specific security priorities been defined? 6 6 6 6 6 6 6 6 6 6
3. Have any sector cybersecurity risk assessments been
conducted?
6 6 6 6 6 4 6 6 6 6
EDUCATION
1. Is there an education strategy to enhance cybersecurity
knowledge and increase cybersecurity awareness of the public 4 6 6 4 6 4 4 4
from a young age?
8 BSA | The Software AllianceUnited Kingdom
Luxembourg
Netherlands
Germany
Lithuania
Romania
Portugal
Hungary
Slovenia
Slovakia
Sweden
Greece
Ireland
Poland
Latvia
Malta
Spain
Italy
4 6 4 6 4 4 4 4 6 4 4 Draft 4 4 6 4 6 4
2011 – 2013 – 2014 2014 2011 2013 – 2013 2013 – 2013 2008 – 2013 – 2011
4 4 6 4 6 6 4 4 6 4 4 4 4 4 4
6 4 6 6 6 6 6 6 6 6 6 6 4
4 4 4 6 4 4 4 4 4 4 4 4 4 4 4 4
4 6 4 6 4 4 4 6 6 4 4 4 4 4 4 4 4 4
Draft 6 6 6 6 4 6 6 6 6 6
Draft 6 4 6 4 6 6 6 4 6 6 6 6 6
6 6 6 6 6 4 6 6 6 6 6 6 6 6 6 6 4 6
4 6 6 6 6 4 4 6 4 6 4 6 6 4 6 6 6
4 4 4 6 4 4 4 4 4 4 4 6 4 4 4 4 4 4
4 4 4 N/A 4 N/A 4 N/A 6 N/A 4 4
4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
2012 2009 2013 – 2014 2006 2006 2011 2002 2012 2008 2008 2011 2009 2010 2008 2003 2014
4 4 4 6 4 4 4 4 4 4 4 4 4 4 4
4 4 4 6 4 4 4 4 4 4 4 4 4 4 4 4 4 4
4 4 4 4 4 4 4 4 4
6 6 4 6 4 4 6 4 4 6 6 4 4
4 6 6 6 6 6 4 6 6 6 6 4 4
4 6 4 6 6 6 4 6 4 4
4 6 6 6 6 – 6 6 4 6 6 – 6 –
6 6 6 6 6 6 6 6 4 6 6 6 6 6 4 6 4
6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
6 4 4 4 4 4 6 4 4 6 4 4 6 4 6 4
www.bsa.org 9EU Cybersecurity Dashboard A Path to a Secure European Cyberspace
ESTABLISHING AN APPROPRIATE FRAMEWORK FOR
MEANINGFUL INFORMATION SHARING
Cybersecurity incidents or breaches can have a Ensure a high level of confidentiality: Given
major impact on governments, private entities, the sensitive nature of the information shared
as well as individuals. Some high-profile breaches about an incident or cyber threat affecting any
have encouraged governments around the world to critical infrastructure, it is crucial to ensure that
consider how to best prevent, detect and react to confidentiality and security of the communications
these incidents. between the infrastructure operator and any
supervisory authorities are respected and
The exchange and sharing of the appropriate maintained, subject to transparent reporting by
information at the right time — and the coordinated the authority, as appropriate.
effort among relevant actors it enables — is
considered the best way to reduce and mitigate Nevertheless, in some cases, informing the public
risks and respond to cyber incidents. of an incident may be necessary. In these instances
all care should be taken to ensure an in-depth
Accordingly, the key question is how to best achieve dialogue between the entities suffering a breach
meaningful and effective information sharing among and the authorities before any disclosure in order
relevant stakeholders. While some countries have to avoid increasing the attack surface, multiplying
considered mandatory incident notification systems, the impact of the incident, creating panic, or
these alone would not suffice to address the issue leading to undue public shaming.
of collective awareness and preparedness. When it
comes to that, voluntary information exchanges based Ensure reciprocity: While the private sector
on trust have proved to be the most efficient way to owns and operates much of the countries’ critical
achieve successful information sharing. infrastructure, information sharing should not be
seen as a one-way provision of relevant data from
Such meaningful information sharing is not an easy private to public entities. It should be regarded as
undertaking. It can only be achieved if the necessary a real and mutual exchange of information, based
environment facilitating such exchanges is in place. on trust and mutual benefits.
Some of the fundamentals of such an environment are
the following: Make requirements clear and consistent
across jurisdictions: As mandatory notification
Create an environment of trust: Information requirements cover an ever-increasing number of
sharing, as well as incident reporting, require areas and geographies, the likelihood of facing
safeguards and incentives for their effective conflicting legal obligations increases. As various
functioning. These elements help ensure the trust organisations operate in multiple sectors across
necessary for the operation of such a system. They different countries and regions, the questions of
include guarantees that the sharing of information what to report when and to whom already pose
will not subject the organisation providing these important compliance challenges. Therefore, to
to undue liabilities, public humiliation, litigation or the extent a mandatory notification system should
sanctions. be introduced, it is imperative to strive for as
much consistency as possible not only among the
different notification obligations, but also among
the various national and regional requirements.
10 BSA | The Software AllianceEUROPEAN UNION CYBERSECURITY
COUNTRY SUMMARIES
The following summaries give an overview of the cybersecurity landscape,
based on the set of criteria outlined above, highlighting key cybersecurity
legislation and policy, as well as the main entities currently operating
within each jurisdiction. For more detailed information on each country
surveyed, please refer to the detailed Member State summaries available
at www.bsa.org/EUcybersecurity.
Finland
Finland
Sweden
Estonia
Latvia
Ireland United
Denmark
Lithuania AUSTRIA Sweden
EstoniaBELGIUM
Kingdom Latvia
Netherlands Denmark
The Austrian Cyber Security Belgium’s Cyber Security
Poland Lithuania
Germany Ireland United
Belgium
Kingdom
Luxembourg Czech
Strategy was adopted in Strategy was adopted by the
Republic Netherlands
Slovakia Poland
Germany
France Hungary
2013. It is part of a broader government in 2012. The legal
Luxembourg Czech
Slovenia Romania Republic
Slovakia
Croatia
Austria
ICT security initiative of the framework for cybersecurity
France Hungary
Monaco Bulgaria
ortugal Slovenia Romania
Italy
Spain Croatia
Austrian government, asGreece Portugal
in Belgium, however, remains
Monaco
Italy
Bulgaria
set out in the National ICT somewhat unclear, and the
Spain
Cyprus
Security Strategy 2012. The Strategy is an extensive information available on the implementation of the
Malta Greece
Cyprus
plan that maps targeted cybersecurity objectives into strategy is limited. Malta
organised fields of action.
On the other hand, Belgium does have an established
Austria has an established computer emergency computer emergency response team, CERT.be, and
response team, CERT.at, with a broad and well- a well-developed cybersecurity incident-reporting
defined scope. There are also several public-private structure. Belgium also recently announced the launch
partnerships related to cybersecurity operating in the of a new Cybersecurity Centre. There is active support
country, such as the Centre for Secure Information in the country for public-private partnerships, through
Finland
Technology Austria (A-SIT) and Kuratorium Sicheres BeINIS, a government body that liaises closely with
Österreich. private and semi-private entities.
Sweden
Estonia
Latvia
Denmark
Lithuania
The Austrian Trust Circles provide formal structures for
Ireland United
Kingdom
BULGARIA
Netherlands
sector-specific information exchanges related to the
Poland
Belgium Germany
Luxembourg Czech
critical information infrastructure of various sectors. Republic
Slovakia
France
Austria
Hungary The legal framework for
These platforms are tasked with developing sector- Slovenia Romania
cybersecurity in Bulgaria
Croatia
specific risk management plans. The Austrian Trust Monaco
is limited, and there is
Portugal Italy
Spain
Circles are an initiative of CERT.at and the Austrian Greece
no national cybersecurity
Federal Chancellery. Cyprus
Malta strategy in place. There are
also no formalised public-
www.bsa.org 11EU Cybersecurity Dashboard A Path to a Secure European Cyberspace
private partnerships, although a significant number includes comprehensive provisions on most aspects
of cybersecurity events and academic discussions of cybersecurity and is complemented by several
are focused on cybersecurity and critical information important regulations.
infrastructure protection.
The country has also established a national CERT,
CERT Bulgaria is the country’s most significant CSIRT.CZ, as well as a CERT dedicated to government
cybersecurity entity and the focus of recent efforts agencies: GOVCERT.CZ.
from the government to strengthen cybersecurity.
Sweden
Estonia The National Cyber Security Centre was launched on
1 January 2015 to promote public-private partnerships.
Latvia
Denmark
Lithuania
Ireland United
Kingdom
Netherlands CROATIA Furthermore, the Czech Republic is conducting a
Poland
Belgium
Luxembourg
Germany
Czech
sector-based security risk assessment in cooperation
Croatia has yet to establish a
Republic
with the academic and private sectors. The project is
Slovakia
Austria
France Hungary
Slovenia Romania
comprehensive cybersecurity the first such assessment that addresses cybersecurity.
al
Spain
Monaco
Italy
Bulgaria
strategy or a well-developed
system of public-private
Greece
partnerships.
Cyprus
Finland DENMARK
Malta
Croatia has two established Denmark does not have a
Sweden
Estonia
national cybersecurity strategy
Latvia
computer emergency response teams (CERTs). The Ireland United
Lithuania
National CERT, established in 2009 is responsible for
Kingdom
or a law dedicated to the
Netherlands
Poland
coordinating security and incident response measures
Belgium
Luxembourg
subject. Denmark recently
Germany
Czech
Republic
passed a law that establishes
Slovakia
for parties that use a Croatian IP address or .hr France
Austria
Hungary
domain. The Information Systems Security Bureau’s the Centre for Cyber Security,
Slovenia
Croatia
Romania
which both takes control of and supersedes its current
Finland Monaco Bulgaria
ZSIS CERT has jurisdiction over Croatian government
Portugal Italy
Spain
institutions.
Sweden
Estonia
government CERT. The scope and powers of the new Greece
Denmark
Latvia
centre are still to be confirmed. Cyprus
Lithuania Malta
United
ngdom
Netherlands
Germany
Poland
CYPRUS The Danish private sector has established a formal
Belgium
Luxembourg Czech
Republic
Slovakia
framework for cooperation on cybersecurity issues
France
Austria
Hungary Cyprus adopted a national
Romania
through the Council for Digital Security.
Slovenia
Monaco
Croatia
cybersecurity strategy in 2013.
Bulgaria
Italy
It includes a commitment
to update key elements
Greece
ESTONIA
Malta
of the legal framework for Finland
Estonia was one of the first
cybersecurity. Cyprus also is Sweden countries to develop a national
working toward the establishment of a national CERT, cybersecurity strategy in 2008,
Latvia
Denmark
which is expected to be operational in 2015. The Ireland United
Kingdom
Lithuania
followed by the release of
country has also taken an interest in sector-specific Netherlands
Belgium Germany
Poland
an updated strategy in 2014.
approaches to the management of cybersecurity, with Luxembourg Czech
The country also has a wide
Republic
Slovakia
Austria
a potential focus on the energy and financial services France Hungary
range of legislation that covers information security
Slovenia Romania
Croatia
sectors. and cybersecurity. Estonia has a well-established CERT,
Monaco Bulgaria
Finland Portugal Italy
Spain
CERT Estonia, under the control of the Information
Greece
Sweden
Estonia
CZECH REPUBLIC System Authority. Further to national bodies, also Cyprus
Latvia
notable is the fact that NATO’s Cyber Security Centre
Malta
Denmark
Lithuania
Ireland
The Cyber Security Strategy
United
Kingdom
Netherlands
Poland
of Excellence is based in Estonia.
Belgium
Luxembourg
of the Czech Republic for
Germany
the period 2011-2015 was
Austria
Slovakia
While no formalised public-private partnerships exist,
France
public entities do work closely with relevant private-
Hungary
published in 2011. The
Slovenia
Croatia
Romania
ugal
Monaco
strategy provides general
Italy
Bulgaria sector organisations.
Spain
cybersecurity principles Greece
and clearly stated goals. On 1 January 2015, the Cyprus
Malta
Act on Cyber Security came into force. This law
12 BSA | The Software AllianceFINLAND Furthermore, the country has well-developed public-
private partnerships, such as the Alliance for Cyber-
Finland published a Security and the UP KRITIS partnership, and its
Finland
comprehensive cybersecurity national policies and legal framework reflect this focus
strategy. It is complemented Sweden
on cooperation. Estonia
Sweden
by a strong overall legal
Estonia Latvia
Denmark
Latvia Lithuania
Ireland
framework encompassing
Denmark United
Lithuania Kingdom
eland United Netherlands
Kingdom
Netherlands
a range of important
Poland
Belgium Germany
Poland
GREECE
Germany Luxembourg Czech
Belgium Republic
cybersecurity issues. The national authority responsible
Luxembourg Czech
Slovakia
Greece does not have a
Republic Austria
Slovakia France Hungary
France
for cybersecurity in Finland is in transition, involving
Austria
Hungary
Slovenia
Croatia
Romania
Slovenia Romania
cybersecurity strategy or
the amalgamation of two government CERTs and the
Croatia Monaco Bulgaria
Portugal
dedicated cybersecurity
Italy
Monaco Spain
Bulgaria
Spain
creation of the Cyber Security Centre.
Italy
Finland
Greece
legislation. The legal and Cyprus
Sweden
Cyprus Estonia Malta institutional framework that
FRANCE supports cybersecurity is also
Malta Latvia
Denmark
Lithuania
Ireland
limited. The national computer emergency response
United
Kingdom
France has had a national
Netherlands
Poland
Belgium Germany
team, NCERT-GR, is limited to government institutions
cybersecurity strategy in
Luxembourg Czech
Republic
Austria
Slovakia
and operators of critical infrastructure.
place since 2011, although
Hungary
Slovenia Romania
Croatia
Portugal
it has a strong focus on
Monaco Bulgaria There are no significant public-private partnerships in
Italy
Greece, and the government is not actively pursuing
Spain
defence and national security
their establishment or closer cooperation with the
Greece
issues. The National Agency Cyprus
Finland
for the Security of Information Systems (ANSSI) is a Malta
private sector.
well-established authority dedicated to information Sweden
Estonia
security and is integrated with the country’s
Latvia
HUNGARY
Denmark
Lithuania
Ireland United
computer emergency response team, CERT-FR. The Kingdom
Netherlands
Poland
cybersecurity strategy contains recommendations for Belgium
Luxembourg
Germany
The National Cyber Security
Czech
Republic
closer cooperation with the private sector, but this has
Slovakia
France Strategy of Hungary was
Austria
not been significantly developed. ANSSI has published Slovenia Romania
adopted in 2013. The strategy
Croatia
sector-specific security measures, making France one
Monaco
covers key principles of
Bulgaria
Portugal Italy
Spain
of the few EU countries to adopt such a targeted cybersecurity, an overview
Greece
approach to managing cybersecurity. of Hungary’s current Cyprus
Finland Malta
cybersecurity situation, and its future cybersecurity
Sweden
goals. Hungary has a limited legislative framework
GERMANY
Estonia
dedicated to cybersecurity.
Latvia
Denmark
Lithuania
Ireland United
Kingdom
Germany has a comprehensive
Several public authorities play a role in cybersecurity,
Netherlands
Poland
cybersecurity strategy,
Belgium
including the National Security Authority, which
Luxembourg Czech
Republic
adopted in 2011 and
Slovakia
Austria
deals with information security, and the Cyber
France Hungary
complemented by a strong
Slovenia Romania
Croatia
Security Centre, part of the intelligence services,
cybersecurity legal framework.
Monaco Bulgaria
Portugal Italy
which deals with cybersecurity. Hungary also has a
Spain
The existence of the Federal
computer emergency response team, CERT-Hungary,
Greece
Office for Information Security (BSI), in charge of Cyprus
Malta
but its remit is limited to government institutions.
managing computer and communication security for
Furthermore, while the National Cyber Security Centre
the German government, is a clear demonstration that
is tasked with liaising with the private sector, there are
cybersecurity is elevated to a high government level.
no formalised public-private partnerships.
Germany also has a network of CERTs, with the
national CERT, CERT-BUND, working closely with both
state-level and non-governmental CERTs.
www.bsa.org 13EU Cybersecurity Dashboard A Path to a Secure European Cyberspace
IRELAND
Finland
While the cybersecurity strategy provides for
Sweden
Estonia
the establishment of formalised public-private
Ireland’s national legal and Latvia
partnerships for cybersecurity, no such platforms
policy framework is very
Denmark
Lithuania
United
Kingdom yet exist.
limited when it comes to
Netherlands
Germany
Poland
Belgium
cybersecurity. A cybersecurity
Luxembourg Czech
Republic
Slovakia
strategy is being developed,
France
Austria
Hungary
Romania
Finland
LITHUANIA
Slovenia
but there is no clear timeframe
Croatia
Portugal
Monaco Bulgaria
Sweden Lithuania published a
for its release or adoption. Ireland is also one of
Italy Estonia
Spain
comprehensive cybersecurity
Latvia
the few countries in the European Union without an Greece Denmark
strategy in 2011, however
Ireland United
Cyprus Kingdom
operational CERT, although it is in the process of Netherlands
information on its
Malta Poland
Belgium Germany
establishing one. Luxembourg Czech
Austria
implementation remains
Republic
Slovakia
France Hungary
While there is no formalised public-private partnership Slovenia
limited. The Lithuanian
Croatia
Romania
set up for cybersecurity, Irish private sector entities, Portugal
computer emergency response team, CERT-LT, covers
Monaco
Italy
Bulgaria
Spain
including Infosecurity Ireland, appear to be quite all national networks, not exclusively government ones,
Greece
active in this field. In addition, Ireland organised and the State Information Resources Management Cyprus
a number of successful individual cybersecurity Council acts as a powerful policy formation and
Malta
education campaigns, such as the “Make IT Secure”, Finland
management body.
which included releasing online resources alongside a
The cybersecurity strategy recognises the value and
television advertising campaign.
Sweden
Estonia
Denmark
Latvia
need for public-private partnerships, but no formalised
Lithuania
Ireland United
Kingdom or systematic cooperation yet exist.
ITALY
Netherlands
Poland Finland
Belgium Germany
Luxembourg Czech
Republic
Slovakia
LUXEMBOURG
Sweden
Estonia
Italy updated its security
Austria
France Hungary
Slovenia Romania Latvia
Croatia
laws in 2007 and adopted
Denmark
Lithuania
Luxembourg has a fairly
Ireland United
Monaco Bulgaria Kingdom
Portugal
Spain
cybersecurity plans in 2013 Netherlands
limited cybersecurity strategy,
Poland
Belgium Germany
and 2014, resulting in a Greece Czech
published in 2013, which
Republic
Slovakia
Cyprus
strong legal framework
Malta
France
Austria
Hungary
contains some key guiding Slovenia Romania
supporting cybersecurity. The
Croatia
principles but has little detail
Monaco Bulgaria
Italian cybersecurity strategy also calls out public-
Portugal Italy
Spain
on their implementation. The
private partnerships as the intended direction for Greece
country’s legal framework Cyprus
cybersecurity, but no formalised cooperation yet exists.
for supporting cybersecurity is also yet to be
Malta
CERT-PA was established in 2014. It is responsible for fully developed. The need to encourage public-
cybersecurity warning systems and the coordination private cooperation is a principle mentioned in the
of incident response measures for Italian government cybersecurity strategy, but no formal cooperation is
institutions. known.
Luxembourg has two CERTs. CIRCL is a response
LATVIA coordinating body that covers all organisations
Finland
operating in Luxembourg, while GOVCERT.LU is
The Latvian cybersecurity dedicated to public authorities. CASES, a government
strategy, published in 2014,
Sweden
Estonia
information security agency, engages in awareness
Ireland United
Denmark
contains a clear set of
Lithuania
raising activities and the promotion of best practices.
Kingdom
Netherlands concrete objectives matched
Poland
Germany
with specific implementation
Belgium
Luxembourg Czech
Republic
Slovakia
France
Austria
dates. It also has a strong legal
Hungary
Slovenia Romania
framework for supporting cybersecurity, an important
Monaco
Croatia
Bulgaria
Spain pillar of which is the Law on Security of Information
Italy
Technology adopted in 2010. This law sets out the
Greece
roles and responsibilities of the country’s national
Cyprus
Malta
computer emergency response team, CERT.LV.
14 BSA | The Software AllianceFinland Finland
Sweden Sweden
Estonia Estonia
Latvia Latvia
Denmark Denmark
Lithuania Lithuania
Ireland Ireland United
United
Kingdom Kingdom
Netherlands Netherlands
MALTA PORTUGAL
Poland Poland
Germany Belgium Germany
Belgium
Luxembourg Czech Luxembourg Czech
Republic Republic
Slovakia Slovakia
Austria Austria
France
Malta has yet to develop
Slovenia
Hungary
Romania Portugal has not developed
France
Slovenia
Hungary
Romania
Croatia Croatia
Monacoa comprehensive legal Bulgaria
a comprehensive legal Monaco Bulgaria
Portugal Italy Italy
Spain
and policy framework for and policy framework
Spain
supporting cybersecurity, Greece
Cyprus
for cybersecurity, and its Greece
Cyprus
although its Digital Malta cybersecurity strategy has not Malta
Strategy and e-government been elaborated. There is no
plan promise the elaboration of a cybersecurity formalised public-private cooperation in place.
strategy.
The country does have a national CERT, CERT-PT,
The Malta Information Technology Agency (MITA) and the National Centre for Cybersecurity. The latter
appears to be active in cybersecurity. The national was established by the National Security Authority
CERT is CSIRT Malta, which is responsible for and is tasked with liaising with the private sector on
Finland
coordinating incident response measures for entities cybersecurity incidents.
Sweden
Estonia
engaged with Maltese critical infrastructure. Denmark
Latvia
Lithuania
ROMANIA
Ireland United
Kingdom
Finland
Netherlands
Poland
NETHERLANDS Belgium Germany
Sweden
Estonia
Luxembourg Czech
Republic Romania has a somewhat
Slovakia
Austria
The Netherlands has a
Denmark
Latvia France
Slovenia vague cybersecurity strategy,
Hungary
Lithuania Croatia
adopted in 2013. Its legal
Ireland United
sophisticated and mature
Kingdom Monaco Bulgaria
Portugal Italy
framework is limited, although
Poland Spain
legal and policy framework
Belgium Germany
Luxembourg Czech
for cybersecurity, which
Republic
Austria
Slovakia
relevant legislative proposals
Greece
Cyprus
France Hungary
includes the National Cyber
Slovenia
Croatia
Romania Malta have been submitted to the
Portugal
Spain
Monaco
Security Strategy 2. Adopted
Italy
Bulgaria
parliament for adoption. CERT-RO is the national
in 2013, it is the second such strategy, as the country’s Greece
computer emergency response team. It covers all users
cybersecurity framework is renewed every two years. Cyprus of Romanian networks. Furthermore, the cybersecurity
strategy proposes the establishment of two other
Malta
The Netherlands also has a National Cyber cybersecurity agencies. Finland
Security Centre, an expanded CERT dealing with Sweden
Estonia
all cybersecurity related procedures and practices Latvia
Denmark
SLOVAKIA
in a centralised manner. The centre also actively
Lithuania
Ireland United
Kingdom
participates in the work of the Information Sharing
Netherlands
Slovakia adopted its first, five-
Poland
Belgium Germany
and Analysis Centres (ISACs) for sectors involved with
Luxembourg Czech
year cybersecurity strategy
Republic
Austria
critical infrastructure.
France Hungary
in 2009. Details on the new
Slovenia
Croatia
Romania
Finland Portugal
Spain
Monaco
strategy for 2014 to 2020
Italy
Bulgaria
POLAND remain limited. Slovakia has a
Greece
CERT, CSIRT.SK, that focuses
Sweden
Estonia
Cyprus
Latvia
Poland has a comprehensive on government agencies and critical infrastructure
Malta
Denmark
Lithuania
Ireland United
Kingdom
Netherlands cybersecurity strategy with operators. There are no defined public-private
Germany
clear goals. It was adopted partnerships for cybersecurity.
Belgium
Luxembourg Czech
Republic
Slovakia
France in 2013, thus most of the
Austria
Hungary
Slovenia Romania
Monaco
recommendations are still
Croatia
Bulgaria
Spain being implemented. The legal
Italy
framework for cybersecurity is still not fully developed.
Greece
Cyprus
Malta
Poland has several CERTs, including CERT.GOV.PL,
which covers government and critical infrastructure
entities. It also acts as the cybersecurity authority.
CERT Polska is an academic CERT covering the entire
.pl network in a semi-official capacity.
www.bsa.org 15EU Cybersecurity Dashboard A Path to a Secure European Cyberspace
Finland
Sweden
Estonia
Latvia
Denmark
Lithuania
Ireland United
SLOVENIA SWEDEN
Kingdom
Netherlands
Poland
Belgium Germany
Luxembourg Czech
Slovenia has yet to develop Sweden does not have a
Republic
Slovakia
Austria
France Hungary Finland
a comprehensive legal
Croatia
Romania
national cybersecurity strategy,
ortugal
Spain
Monaco
and policy framework for
Italy
Bulgaria
Estonia but one is being developed.
cybersecurity. As such, it also
Greece
Denmark
Latvia
Lithuania
There are no laws in Sweden
Ireland
has yet to adopt a national that specifically deal with
United
Cyprus Kingdom
Netherlands
Poland
cybersecurity strategy. SI-CERT cybersecurity.
Malta
Belgium Germany
Luxembourg Czech
is the national computer emergency response team,
Republic
Slovakia
Austria
and it deals with all Slovenian networks. There are no Finland Sweden does, however, have a functioning
France
Slovenia
Hungary
Romania
Croatia
defined public-private partnerships for cybersecurity in CERT, CERT-SE, which has jurisdiction over all
Monaco Bulgaria
Sweden Portugal Italy
Swedish networks. Furthermore, the Swedish Civil
Estonia Spain
Slovenia. Latvia
Contingencies Agency (MSB), which is the national
Denmark Greece
Lithuania
Ireland United Cyprus
Kingdom
Netherlands
Poland authority in charge of information security, has helped
Malta
SPAIN
Belgium Germany
Luxembourg Czech
Republic
Slovakia
Sweden establish a good reputation on cybersecurity.
France
Austria
Hungary MSG is the centralised information security entity and
Spain adopted the National Slovenia Romania
Croatia
has a prominent public presence.
Portugal Cyber Security Strategy in Monaco
Italy
Bulgaria
2013. It is a comprehensive Greece
document, which sets Cyprus UNITED KINGDOM
Finland
objectives and targeted lines
Malta
Sweden
of actions. It is compatible The United Kingdom has a Estonia
Latvia
with, and references, both the National Security Plan Ireland
comprehensive cybersecurity Denmark
Lithuania
and existing security laws; and these plans and laws strategy, which was released
Netherlands
Poland
Germany
in 2011. It is complemented
Belgium
work together as a package. Luxembourg Czech
Republic
Slovakia
by a strong cybersecurity
France
Austria
Hungary
Romania
Slovenia
Spain has established two CERTs, INTECO-CERT legal framework and two
Monaco
Croatia
Bulgaria
and CCN-CERT, and the National Centre for Critical CERTs: CERT-UK mainly supports operators of critical
Portugal
Spain
Italy
Infrastructure Protection (CNPIC). The latter appears infrastructure while GovCertUK supports government Greece
to be the premier agency for information security and agencies. Other relevant bodies include the National
Cyprus
Malta
cybersecurity, while the role of the CERTs is limited Security Council and the Office of Cyber Security and
to dealing with cybersecurity incidents. CNPIC is Information Assurance.
responsible for ensuring coordination and cooperation
between the public and private sector. It also runs The United Kingdom also has a well-developed system
sectoral working groups and is working toward the of public-private partnerships in which the private
development of sector-specific cybersecurity plans. sector actively participates. This collaborative approach
also is strongly supported by its cybersecurity strategy.
Additionally, cooperation with the private sector is The Centre for the Protection of National Infrastructure
formalised through the National Advisory Council on (CPNI), for example, organises sector-specific
Cybersecurity, established in 2009, whose members information exchanges, covering 14 sectors.
are private sector representatives. The council is
tasked with providing policy advice to the government,
although its current status is somewhat unclear. Private
sector associations are also active, with two prominent
bodies dedicated specifically to cybersecurity and
information security, as opposed to general IT matters.
16 BSA | The Software AllianceYou can also read
