...
This infoshare has been recorded. You can find the recording here.
Agenda
Item | Speaker | Notes |
---|---|---|
Welcome and Introduction | Alf Moens | NIS-2 directive published 15.12.24; should be implemented by October 2024 at the latest, but with the Council recommendation to do it ASAP. National transposition: EU Member States decide individually on national implementation, scope, standards, audit and compliance structure, and national CSIRT structure. Implementation coordination through: ruling from the EC, NIS Cooperation Group, ENISA → legislative challenges to align with national law. |
Summary - Where are we now with NIS2 | Alf Moens | GÉANT preparation for NIS-2. Together with GÉANT members: Stratix report, infoshares, wiki pages, develop and share best practices for security management. For GÉANT Association: security improvement with internal reviews against the GÉANT Security Baseline, compliance strategy, preparation for certification (ISO27K), contact with authorities for clarification on status. New materials |
CISO meetings 2023 | Ana Alves | Slides CISO meetings |
NIS-2 at CARnet | Ivana Jelačić | Slides CARnet |
Cesnet Update | Jan Kolouch | Education is regulated by local law (based on NIS2). Cesnet is officially in scope (provider of infrastructure). The law has not yet been approved by the Czech Parliament, but it will regulate more than it does now. The law will define two CERTs (governmental and national). |
SURF Update | Floor Jas | No answer from the ministry (Education and Science). Information on NIS2 is now mainly about universities and universities of applied sciences. As an NREN, it is still not clear whether SURF is in scope or not. The CERT task is the subject of a lot of debate in the Netherlands. If a large part of the sector falls under NIS2, SURFCERT will also. |
DFN Update | Ralf Groeper | Same situation as in the Netherlands. There is a trend that education will not fall under the regulations (but research organisations would → only higher education and not schools). Critical infrastructure covers only networks that are available to the public (not DFN). But companies in telecom that have an annual budget over 50 million euros a year will also fall under the regulation → not clear if DFN is a company, because they are a non-profit organisation. Not sure if it applies to commercial purposes (whether research organisations are always in scope or only for commercial purposes). For DFNCERT: it doesn't say anything about sector CERTs. It only talks about BSI. |
RENATER Update | Thibaud Badouard | RENATER will be in scope (not sure in which parts) because they are public network operators/domain registration. Issue: in France they are not a commercial company but not a public organisation either (their status is completely new). The government told RENATER that it has the right to choose organisations (even if they are not exactly in the categories). The RENATER CERT part will not be the CSIRT for the education community because there is also a public CSIRT. |
FCCN Update | João Nuno Ferreira | FCCN are already in scope because they operate an internet exchange (already in scope for NIS1). FCCN have received clarity on when research organisations will be included in NIS2 and when they will not. They are waiting for the first drafts of Portuguese legislation. Will CERT be CSIRT for the sector? For all entities to the network and the Ministry (the rest will be the Cyber Security Centre). |
Next meeting
Next infoshare will be in March 2024.