Attendees
- Alf Moens
- Alberto Perez
- Alessandro Inzerilli
- Antonio Meireles
- Brian Nisbet
- Carlos Friacas
- Casper Dreef
- Christian Grimm
- Cynthia Wagner
- D Burke
- Edit Herczog
- Elias Duerr
- Joao Nuno Ferreira
- Gilles Massen
- Henrik Larsen
- Henry Hughes
- Ilse Koning
- Ivana Jelacic
- Jan Kolouch
- Jenni Hyppola
- John Creaven
- Juan Antonio Gutierrez
- Karen Thorton
- Koen Schelkens
- Kestutis Butkus
- Kristine Andersone
- Mark Tysom
- Mauro Campanella
- Nathalie McKenzie
- Paul Rouse
- Raoul Vernede
- Robert Hackett
- Sabrina Tomassini
- Sarunas Grigaliunas
- Simona Venuti
- Stefan Winter
- Tim Waters
- Vladislav Bidikov
- Leonardo Lanzi
Overview: Alf Moens
NIS2 Directive formally published on January 4th 2023 formally. Will enter into force after 21 months. How do you prove that you have completely
EU Security Union: complex system with many rules and regulations. Cyber-resiliance act (more focused on product safety), Cyber security Act, NIS2, eiDAS etc etc.
Supported by NIS Coordination Group but work of this group is not yet clear.
NREN Overviews
NREN / Speaker | Notes | Critical Infrastructure? |
|---|---|---|
JISC: Henry Hughes | NCSC Cyber Essentials. Required for offering services to UK gov. Minimum standard, aimed at SMEs. Checklist - self assessed. NCSC Cyber Assurance Framework. Required for UK public sector. Outcome based, auditor assessed. UK Telecomms Security Act Center for Internet Security Critical Secutity Controls v8 NIST CyberSecurity Framework v.1.1 Looking to map all of these to create a single picture of complex framework | not required to comply with NIS2 currently |
DFN: Christian Grimm | Big question for DFN - what will change? Not enough information at the moment. It is on the NREN to decide whether it is a critical infrastructure or not. No one is going to announce this. Around 20 criteria to look at, some are fairly arbitrary regarding thresholds - these are national criteria. Parts of NREN might be declared critical infrastructure, not necessarily the whole organisation. Certificate Service has been declared critical infrastructure. | Partly - has defined certificate service as critical infra |
MARNET: Vladislav Bidikov | Government making new strategies - Cybersecurity Strategy in discussion phase but based on NIS2. Very slow process, still in initial discussions before first draft. Synchronisation between strategies complex as crosses different departments. MARNET supporting discussions. Jumping straight to NIS2 but there needs to be more of a baseline first. Moving to reality will be some way out, but pressure of joining EU is driving this. | not required to comply with NIS2 currently |
HEANET: Brian Nisbet | Government CyberSecurity Baseline standard - HEANET doing some auditing against that. Irish NCSC don’t think they will have anything this year. Expecting new legislation to go through in 2024. | |
DEIC: Henrik Larsen | Contacting agency for education and research for guidance but not much information at the moment. Part of National Cyber Information Strategy which covers 22-24. DEIC is running an internet exchange so NIS2 must apply. | yes - internet exchange |
SURF / GÉANT: Ilse Koning / Alf Moens | Have reached out to the government and hope to talk directly with the ministry of education but that is lack of clarity. Implementation text is being written at the moment and will be out for consultation later this year. Want to do an impact analysis later. Alf notes that this is also the same situation for GÉANT. SURF has clearly been established NOT as a telecom. Supply chain responsibility is a “catch” that might cause problems if one of your constituency is in scope. Difficult to speak to "an" authority as this is split across the sectors. Not enough expertise within these authorities. | |
RESTENA: Gilles Massen | Current information is informal. For timeline, NIS authorities themselves won’t be ready in time so won’t be able to enforce. Lack of consensus in working groups as to whether R&E is covered. May be important or essential entity but do not expect us to be a priority for the authorities. Would be good to have a commonality of approach to sectors and who is covered or not (based on DNS?). | |
LITNET: Sarunas Grigaliunas | NCSC in Lithuania has been appointed at this authority. Have not started on requirements. LITNET has started using Security Baseline to position themselves. Have identified that they do have a critical infrastructure: DNS. Will create a group to help ministry of education to manage this process. | yes - DNS service. |
CARNET: Ivana Jelacic | Part of a working group to help define requirements. Not able to share information out of this group yet. | yes - registry for .hr and national CERT |
Supporting Work
- GÉANT has asked a consultancy company to do a review of different NRENs to ty and better determine the position. Group will produce a report by the end of May - interviews are being undertaken. This will report back at the next of these infoshares.
- The Security Workpackage in GN5 will also be able to provide support to NRENs.
- Security Baseline.
- S7 BCM Framework.
- Above are being mapped to the NIS2 Directive alongside GDPR requirements.
- Next steps: working in GN5, SIG-ISM meeting, Next Infoshare (Juneish), Security Day at TNC23.
Comments
Gilles: Reminder: the high-level to do list is best summarised by the points in Art 21.2. A lot of this almost qualifies as “common sense” - the actual effort will of course depend on local details, and how many process overhead you can/want/ have to afford. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022L2555&qid=1680003102643&from=en.
Edit: EuroHPC is a critical infrastructure. Good to understand this relationship too. Business across countries but not legal entities across countries?