Attendees
- Alf Moens
- Nicole Harris
- Magda Haver
- Ilse Koning
- Cathrin Stover
- Christian Panigl
- Christoph Campregher
- Cynthia Wagner
- Floor Jas
- Gilles Massen
- Ivana Jelacic
- Jan Wiebelitz
- Jari Miettinen
- Jennifer Ross
- John Creaven
- Kestutis Butkus
- Ralf Groeper
- Raoul Vernède
- Romana Cravos
- Sarunas Grigaliunas
- Stefan Piger
- Thibaud Badouard
- Tim Waters
- Vladislav Bidikov
- Wim Biemolt
Agenda
| Item | Speaker | Notes |
|---|---|---|
| Update and Overview of NIS2 Status | Alf Moens | Main issue will be different interpretations at national level that could lead to lack of compatibility across member states. |
| RESTENA Update | Gilles Massen | RESTENA have been running the .LU registry for sometime so have always been considered a critical infrastructure / essential service. ISO27001 accredited to help address this and answer any questions easily. Have a good relationship with the competent authority. Advice - if you can speak to your regulator, do it. They are also still trying to work out the best path / process. Actions with R&E community - some awareness but not very prepared. Has a security community of CISOs. Looking assessments against the GÉANT Security Baseline. Risks: drain on staffing, all about compliance, is there room for innovation? Difficult to explain our business model to auditors that come from a commercial background typically. Impact on staff - it's not a fun process, and this is one of the selling points of being an NREN. |
| SURF Update | Alf Moens / Jeroen Schuring | Surf has appointed a project manager to look at impact of NIS2 (Jereon). Looking at impact on R&Es, impact on SURF, impact on CSIRT (does this need to be independent?). Concern that CSIRT function will be at NCSC which would undermine the well established SURF-CERT. DFN: can we be a sector cert? funding issues and need to be 24/7? |
| KIFU Update | Alf Moens / János Mohácsi | Completed review of scoping within NIS2 - met too many of the services listed (IEP, DNS resolution, cloud services etc). Hungarian government has decided to focus more on CER legislation rather than NIS2 (https://www.critical-entities-resilience-directive.com/). Plan to use the security baseline, reviewing incident management, reviewing security of the supply chain, reviewing policies, looking at MFA rollout and strengthening cooperation between Hungarian orgs. |
| ACOnet Update | Christian Panigl | supplier for nic.at (at TLD registry) so already required to follow critical infrastructure processes for NIS1, many things the same for NIS2. ACOnet expects to be included and regulated in NIS2 whereas not previously. Has a good relationship with regulator. Some awareness in the community - ArgeSecurity community group. Some indications that universities will not be included with some exceptions for specific orgs (research). Will impact ACOnet pop locations. Will definitely bring in additonal costs. Concerns about supply chain regulations. Also concerned about degraded work climate. |
| GÉANT Update | Alf Moens | Issues about where are we operating and supply chain questions - the GÉANT network locations are all across Europe. Funding approach - most of our funding comes through project grants but there is an increasing move to procurement approaches, where compliance is more of a focus (e.g. certification). Looking at a readiness assessment next year. |
| Stratix Review | Alf Moens | Independent position paper looking at potential impact on NRENs. Many services are in scope Consider shuffling services that are in scope - put services that need compliance together / separate. Sector specific regulatinos may intervene (e.g. health care, energy), will services need to stop? will we buy things instead? choose a framework that fits you best, start with a risk-based analysis. |
| Security Baseline | Sarunas Grigaliunas | Looking at a stronger mapping to ISO27001 |
Next Meeting
Next infoshare will be in November 2023.