
Attendees

  • Alf Moens
  • Ana Alves
  • Anastas Mishev
  • Andrea Garcia-Casillas
  • Anne-Marie Achrenius
  • Brian Nisbet
  • Carlos Nisbet
  • Carlos Friaças
  • Christian Grimm
  • Christoph Campregher
  • Cynthia Wagner
  • Daniel Muscat
  • Dave Mifsudi
  • Eligijus Račkauskas
  • Floor Jas
  • Gilles Massen
  • Henrik Larsen
  • Ilse Koning
  • Irina Mattews
  • Ivana Golub
  • Ivana Jelacic 
  • Jan Kolouch
  • Jan Wiebelitz 
  • Jennifer Ross
  • Jeroen Schuuring 
  • João Nuno Ferreira
  • John Creaven
  • Kestutis Butkus
  • Lars Lange Bjorn
  • Laurentiu Sandu-Bufi
  • Michael Schmidt
  • Natalia Voces Fernández
  • Øyvind Eilertsen
  • Ralf Groeper
  • Ramaz Kvatadze
  • Raoul Vernède
  • Robert Hackett
  • Rolf Stute Normann
  • Rune Sydskjør
  • Ryan Richford 
  • Simona Venuti
  • Stefan Piger
  • Stefan Winter
  • Thibaud Badouard
  • Tim Waters
  • Tony Barber
  • Viktoras
  • Zoë Fischer 

This infoshare has been recorded. You can find the recording here

Agenda 

Item | Speaker | Notes

Welcome and Introduction | Alf Moens

Slides

NIS-2 directive published 15.12.24; it should be implemented by October 2024 at the latest, but with the Council recommendation to do it asap.

National transposition: EU Member States decide individually on: national implementation, scope, standards, audit and compliance structure, national CSIRT structure

Implementation coordination through: rulings from the EC, NIS Cooperation Group, ENISA

→ Legislative challenges to align with national law 


Summary - Where are we now with NIS2 | Alf Moens

GÉANT preparation NIS-2

Together with GÉANT members: Stratix report, Infoshares, wiki pages, develop and share best practices for security management

For GÉANT Association: Security improvement with internal reviews against the GÉANT Security Baseline, Compliance Strategy, Preparation for certification (ISO27K), Contact with authorities for clarification on status

New materials

  • published guidance from EC 
  • No clarification on scoping 
    • education 
    • digital infrastructure
  • NCSC Ireland: A quick guide to NIS2
  • NIS 2 Self-assessment Netherlands

CISO meetings 2023 | Ana Alves

Slides CISO meetings

From July to October 2023, GÉANT met online with CISOs or equivalents from 34 NRENs. The aim was to assess security maturity, collect best practices, address concerns and identify opportunities for support from GÉANT.

It was noted that different NRENs have different perspectives on NIS2 (EU and non-EU), as well as different stages of readiness. There is often a lack of clear information from the responsible governments on NIS2, which means that the NRENs often do not have a good understanding of the legal requirements.

Nevertheless, it can be noted that most NRENs have a very positive approach to the challenges of implementing the Directive. They are following best practices, they are getting certified (ISO), they are looking for more information at national and international level and they are improving their internal maturity and supporting their communities.

GÉANT found that NRENs have good practices in planning and improvement, incident management, creativity in dealing with challenges, risk management, training and awareness, and certification. Apart from the challenges with NIS2, NRENs have shown us that most of the concerns in the security team are about human resources, networking and support, cyber attacks and different security roles.

NIS-2 at CARnet | Ivana Jelačić

Slides CARnet


Cesnet Update | Jan Kolouch

Education is regulated by local law (based on NIS2). Cesnet is officially in scope (provider of infrastructure).

The law has not yet been approved by the Czech Parliament, but it will regulate more than it does now. The law will define two CERTs (governmental and national).

SURF Update | Floor Jas

No answer from the ministry (Education and Science). Information on NIS2 is now mainly about universities and universities of applied sciences.

As an NREN, it is still not clear whether SURF is in scope. The CERT task is the subject of a lot of debate in the Netherlands. If a large part of the sector falls under NIS2, SURFCERT will as well.

DFN Update | Ralf Groeper

Same situation as in the Netherlands.

There is a trend that education will not fall under the regulations (but research organisations would → only higher education and not schools).

Critical infrastructure covers only networks that are available to the public (not DFN). But telecom companies with an annual budget of over 50 million euros will also fall under the regulation → it is not clear whether DFN counts as a company, because it is a non-profit organisation. It is also not clear whether this applies only to commercial purposes (whether research organisations are always in scope or only for commercial purposes).

For DFNCERT: it doesn't say anything about sector CERTs. It only talks about BSI.

RENATER Update | Thibaud Badouard

RENATER will be in scope (not sure in which parts) because they are a public network operator and do domain registration.

Issue: in France they are not a commercial company but not a public organisation either (their status is completely new).

The government told RENATER that it has the right to choose organisations (even if they are not exactly in the categories).

The RENATER CERT will not be the CSIRT for the education community because there is also a public CSIRT.

FCCN Update | João Nuno Ferreira

FCCN are already in scope because they operate an internet exchange (already in scope for NIS1).

FCCN have received clarity on when research organisations will be included in NIS2 and when they will not. They are waiting for the first drafts of Portuguese legislation.

Will CERT be CSIRT for the sector? For all entities to the network and the Ministry (the rest will be the Cyber Security Centre). 

Next meeting

Next infoshare will be in March 2024. 
