

Attendees

  • Alf Moens
  • Nicole Harris
  • Magda Haver
  • Ilse Koning
  • Cathrin Stover
  • Christian Panigl
  • Christoph Campregher
  • Cynthia Wagner
  • Floor Jas
  • Gilles Massen
  • Ivana Jelacic
  • Jan Wiebelitz
  • Jari Miettinen
  • Jennifer Ross
  • John Creaven
  • Kestutis Butkus
  • Ralf Groeper
  • Raoul Vernède
  • Romana Cravos
  • Sarunas Grigaliunas
  • Stefan Piger
  • Thibaud Badouard
  • Tim Waters
  • Vladislav Bidikov
  • Wim Biemolt

Agenda

Item / Speaker / Notes

Update and Overview of NIS2 Status

Alf Moens

Main issue will be different interpretations at national level that could lead to lack of compatibility across member states.

(All Slides, Slides Gilles)

RESTENA Update

Gilles Massen

RESTENA have been running the .LU registry for some time so have always been considered a critical infrastructure / essential service. ISO27001 accredited to help address this and answer any questions easily. Have a good relationship with the competent authority. Advice - if you can speak to your regulator, do it. They are also still trying to work out the best path / process.

Actions with R&E community - some awareness but not very prepared. Has a security community of CISOs. Looking at assessments against the GÉANT Security Baseline.

Risks: drain on staffing, all about compliance, is there room for innovation?  Difficult to explain our business model to auditors that come from a commercial background typically. Impact on staff - it's not a fun process, and this is one of the selling points of being an NREN.

SURF Update

Alf Moens / Jeroen Schuring

SURF has appointed a project manager to look at the impact of NIS2 (Jeroen). Looking at impact on R&Es, impact on SURF, impact on CSIRT (does this need to be independent?).

Concern that the CSIRT function will be at NCSC, which would undermine the well-established SURF-CERT.

DFN: can we be a sector CERT? Funding issues, and need to be 24/7?

KIFU Update

Alf Moens / János Mohácsi

Completed review of scoping within NIS2 - met too many of the services listed (IEP, DNS resolution, cloud services etc).  Hungarian government has decided to focus more on CER legislation rather than NIS2 (https://www.critical-entities-resilience-directive.com/). 

Plan to use the security baseline, reviewing incident management, reviewing security of the supply chain, reviewing policies, looking at MFA rollout and strengthening cooperation between Hungarian orgs.

ACOnet Update

Christian Panigl

Supplier for nic.at (.at TLD registry) so already required to follow critical infrastructure processes for NIS1; many things are the same for NIS2. ACOnet expects to be included and regulated in NIS2 whereas not previously. Has a good relationship with the regulator. Some awareness in the community - ArgeSecurity community group.

Some indications that universities will not be included, with some exceptions for specific orgs (research). Will impact ACOnet PoP locations. Will definitely bring in additional costs. Concerns about supply chain regulations. Also concerned about degraded work climate.

GÉANT Update

Alf Moens

Issues about where we are operating and supply chain questions - the GÉANT network locations are all across Europe.

Funding approach - most of our funding comes through project grants but there is an increasing move to procurement approaches, where compliance is more of a focus (e.g. certification).  Looking at a readiness assessment next year.

Stratix Review

Alf Moens

Independent position paper looking at potential impact on NRENs.

  • Many services are in scope
  • Patchwork of regulations - NIS2, CER, CRA, GDPR
  • Impact outside of EU27
  • Impact on CSIRTs
  • Supply chain issues

Consider shuffling services that are in scope - put services that need compliance together / separate. Sector-specific regulations may intervene (e.g. health care, energy). Will services need to stop? Will we buy things instead? Choose a framework that fits you best; start with a risk-based analysis.

Security Baseline

Sarunas Grigaliunas

Looking at a stronger mapping to ISO27001

https://docs.google.com/spreadsheets/d/1HZlmklac6uLstmWh2X-E6lTpsQPfPCCkpkfpaSLb9PU/edit#gid=1802432892

Next Meeting

Next infoshare will be in November 2023.
