Attendees

  • Alessandro Inzerilli
  • Alf Moens
  • Ana Tavares Pinto
  • Andrea García-Casillas
  • Anne-Marie Achrenius
  • Carlos Friaças
  • Chris Atherton
  • Christian Grimm
  • David Heed
  • Edit Herczog
  • Gilles Massen
  • Hussain Faqeri
  • Irina Matthews
  • Ivana Jelacic
  • Jeroen Schuuring
  • Juan Antonio Gutierrez Gil
  • Kęstutis Butkus
  • Lars Bjørn
  • Maria Tauson
  • Michael Schmidt
  • Natalia Voces
  • Nicole Harris
  • Øyvind Eilertsen
  • Panayiota Smyrli
  • Ralf Groeper
  • Raoul Vernède
  • Roderick Mooi
  • Rolf Stute Normann
  • Simona Venuti
  • Stefan Winter
  • Stephanos Andreou
  • Thibaud Badouard
  • Tony Barber
  • Vitālijs Borščs
  • Zoë Fischer

This Infoshare has been recorded. You can find the recording here.  

Agenda

Welcome and Introduction (speaker: Alf Moens)

Slides

Content: 

Quick summary: the NIS-2 directive (Directive (EU) 2022/2555) was adopted on 14 December 2022 and entered into force on 16 January 2023. Member states must transpose it by 17 October 2024 at the latest (entry into force plus 21 months), with a Council Recommendation to do so as soon as possible.

    • Standards are still "negotiated" via comitology (delegated act)
    • Expect "rulings" or "guidance" from ENISA and the NIS Cooperation Group
    • Obligations are "logical", no real surprises

The EU Security Union is complex and overlaps with the EU Digital priorities.

What is the NIS-2 directive about? / Supervision and sanctions

What is the impact of NIS-2 for organisations? 

Best practices, guidelines and baselines: SIG-ISM wiki pages NIS-2 Directive


What you need to know NOW: 

  • Find out what your position is and try to have that confirmed 
  • Establish contacts in government 
  • Establish a baseline position 
    • Use the GÉANT security baseline or any other checklist to verify your status on the main security subjects
    • Identify weak spots and gaps 

Questions, Questions, Questions (speakers: Alf Moens, Zoë Fischer)

In order to get an overview of where everyone stands and what progress has been made in terms of scoping and certification, the session started with a multiple-choice survey with the following questions:

  1. Do you know if you are in or out of scope for NIS-2? 
  2. Are you working on certification?
  3. What help do you need to prepare for NIS-2?
  4. What help can you offer? 

20 out of 32 people participated (62%); the results of the poll can be found here:

Poll results Q1

Poll results Q2

Poll results Q3

Poll results Q4

DFN Update (speaker: Ralf Groeper)

A law professor confirmed in a keynote that everyone in Germany is still confused about NIS-2 (including the lawmakers).
The German NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) is not ready yet.
Nothing is clear, not even in the draft of the German law; Germany will miss the transposition deadline and will probably have to pay a fine.
After the law enters into force, entities have three years to obtain certification.

  • Still a long time until it comes into force

DFN is preparing by modelling the network (backbone) according to BSI IT-Grundschutz (the German framework compatible with ISO 27001), though not yet 100% compliant. Other parts of the organisation are already certified. Key point: model everything according to IT-Grundschutz, so that when certification is required they know what they have and what is missing. CSIRTs: the latest draft of the German law almost completely ignores them.
The IT planning committee advised the lawmakers to keep education completely out of scope.
Probably only commercially driven research will be in scope.

Current draft of the German NIS2 implementing law (NIS2UmsuCG): https://intrapol.org/wp-content/uploads/2024/03/NIS2UmsuCG-RefE-Stand-12-2023.pdf

Much more information at https://intrapol.org/ (in German; use Google Translate if needed).

FCCN Update (speaker: Carlos Friaças)

Issue: understanding the relation between ISO 27001 and NIS2. Is an ISO 27001 certification necessary or not?

ISO 27001 is a management-system standard (it specifies an information security management system, ISMS), not a catalogue of technical measures; NIST is a technical standard (more comparable with ISO 27002, the control catalogue). Note that the directive itself does not mandate ISO 27001 certification: Article 21 lists the required risk-management measures, and it is the national implementing laws that decide whether certification is demanded. Alf is happy to discuss this in a more private setting.

SURF Update (speaker: Jeroen Schuuring)

Scope:

SURF will fall under NIS-2, as it provides multiple services that will fall under NIS-2. They are starting preparations to fulfil all requirements, even though these are not known yet. They have an ISO 27001 certification (not for all services yet), but plan to cover the whole organisation by the end of this year.

They are not sure whether their educational institutions are in scope for NIS-2. They are interested to hear whether other NRENs know if their institutions fall under NIS-2 or not.

The Dutch legislation is too late and will not be ready in time (the specifics for the Netherlands are not clear). They still need to wait for the draft.

CSIRT: not sure whether SURF will become a CSIRT under NIS2 or not; this depends on whether the universities fall under NIS2.

The Dutch legislator reasons that if one part of an organisation falls under NIS2, the whole organisation falls under NIS2. As such, if SURF's institutions fall under NIS2, this applies to both research and education, and consequently the whole of SURF falls under NIS2.

SUNET Update (speaker: David Heed)

Similar situation to DFN: SUNET is not striving for ISO 27001 certification but aims to meet its requirements. Sweden has national legislation with best practices and guidance on how to implement them. SUNET is in contact with the supervisory authorities and meets them at a conference.

Swedish universities are classified as essential entities (for research and education).

Sweden will probably also fall behind at the national level.

Swedish legislator chose the wording "Universities with degree-awarding powers" to include both universities that are governmental and not.

Next meeting

The next NIS2 Infoshare will take place on Monday, 24.06.24 at 2pm (CEST). Here is the registration page: https://events.geant.org/event/1682/
