...

Item | Speaker | Notes
Welcome and Introduction | Alf Moens

Slides

NIS-2 directive published 15.12.24; it should be implemented by October 2024 at the latest, but with the Council recommendation to do it as soon as possible.

National transposition: EU Member States decide individually on: national implementation, scope, standards, audit and compliance structure, national CSIRT structure

Implementation coordination through: Ruling from the EC, NIS Cooperation Group, ENISA

→ Legislative challenges to align with national law 


Summary - Where are we now with NIS2 | Alf Moens

GÉANT preparation NIS-2

Together with GÉANT members: Stratix report, Infoshares, wiki pages, develop and share best practices for security management

For GÉANT Association: Security improvement with internal reviews against the GÉANT Security Baseline, Compliance Strategy, Preparation for certification (ISO27K), Contact with authorities for clarification on status

New materials

  • Published guidance from EC
  • No clarification on scoping
    • education 
    • digital infrastructure
  • NCSC Ireland: A quick guide to NIS2
  • NIS 2 Self-assessment Netherlands
CISO meetings 2023 | Ana Alves | Slides CISO meetings
NIS-2 at CARnet | Ivana Jelačić | Slides CARnet
Cesnet Update | Jan Kolouch
  • Education is regulated by local law (based on NIS2).
  • Cesnet officially in scope (provider of infrastructure).
  • The law has not yet been approved by the Czech Parliament, but it will regulate more than it does now.
  • The law will define two certs (governmental and national).
SURF Update | Floor Jas
  • Still no answer from ministry (Education and Science).

  • Information on NIS2 is now mainly about universities and universities of applied sciences.

  • As an NREN, it is still not clear whether SURF is in scope or not. The CERT task is the subject of a lot of debate in the Netherlands.

  • If a large part of the sector falls under NIS2, SURFCERT will also.

DFN Update | Ralf Groeper
  • Same situation as in the Netherlands.
  • There is a trend that education will not fall under the regulations (but research organisations would → only higher education and not schools).
  • Critical infrastructure covers only networks that are available to the public (not DFN).
  • But telecom companies with an annual budget over 50 million euros will also fall under the regulation.
    • Not clear if DFN is a company, because they are a non-profit organisation.
    • Not sure whether it applies only to commercial purposes (whether research organisations are always in scope or only for commercial purposes).
  • For DFNCERT: it doesn't say anything about sector CERTs. It only talks about BSI.

RENATER Update | Thibaud Badouard
  • RENATER will be in scope (not sure in which parts) because they are public network operators/domain registration.
  • Issue: In France they are not a commercial company but not a public organisation either (their status is completely new).
  • Government told RENATER that they have the right to choose organisations (even if they are not exactly in the categories).
  • The RENATER CERT part will not be the CSIRT part for the education community because there is also a public CSIRT.
FCCN Update | João Nuno Ferreira

  • FCCN are already in scope because they operate an internet exchange (already in scope for NIS1).
  • FCCN have received clarity on when research organisations will be included in NIS2 and when they will not.
  • They are waiting for the first drafts of Portuguese legislation.
  • Will CERT be CSIRT for the sector? For all entities to the network and the Ministry (the rest will be the Cyber Security Centre).

...