Slides

• Short summary of the NIS-2 directive
• What has happened around security in the last few years:
  A lot has changed in the last 25 years around information security in the GÉANT community. We can see an exponential growth of security activities. It shows that there is more interest in information security in society and in the research and communication community. 

In order to get an overview of where everyone stands and what progress has been made in terms of scoping and certification, we started the session with a multiple choice survey with the following questions:

1. Do you know if you are in or out of scope for NIS-2? 
2. Are you working on certification?
3. What help do you need to prepare for NIS-2?
4. What help can you offer? 

25 out of 34 people participated (73%), the results of the poll can be found here: 

Poll result Q1

Poll result Q2

Poll result Q3

Poll result Q4

Slides

Content:

Edit gave an update on the EU legislation and what it means for research and education. Based on a discussion around this during TNC and updates from Brussels. 

She compared two scenarios. 1. Scenario where you as an organisation have to comply with the regulation (as part of Research Infrastructure and Digital Infrastructure) and the 2. scenario where you are exempt. She also highlights the Security Union Legislative landscape, underlines the supply chain-driven approach, and things to consider in both scenarios.

Why it is important: There is a self-identity issue for GÉANT and NRENs between Digital Infrastructures, Research Infrastructures, both or nothing. 

Slides

3rd community conference for the user community from the Benelux with presentations from different national bodies and ENISA. Special attention for critical sectors (Healthcare, Energy, Telco/DI/ICT services, Water & Transport, Finance, Manufacturing) 

Subject focus on national implementation of the regulation

Development in the Netherlands moves towards self-registration and not being appointed to being in scope.

For Austria, it's currently very unlikely that the national legislation will be in place in time for October. The current draft of the law, which has been submitted to the parliament, has been strongly criticized by the opposition. This draft forsees a general exemption for universities in Austria and higher education and educational institutions in general. ACOnet is not a separate legal entity. But the NREN is legally represented by the university of Vienna. Through this exemption of all universities not only ACOnet is exempted but also for the operations of the Vienna internet exchange which is strange because they are under NIS-1 as an operator of essential services as the Vienna IX. Facing the problem that they have a lot of participants that will fall under the regulation (so they need to apply through the supply chain) 

New draft of German legislation for 5-6 weeks. Lawmakers plan to implement it in time. Non-qualified trust service provider -> important entity. 
Part of the law aimed at domain registries -> will probably apply to them 
Universities are out of scope, but research organisations that use the results for commercial interests are in scope.
Law may come into force in time. DFN will at least be in scope as an important entity and may be even a critical entity. 

Vladislav Bidikov

Local law, which was transposing NIS2 to local law in the parliament in December 23. Law was not passed before the elections (it was left as it was). New government since yesterday. Wondering how things will continue with the new government.
New: Ministry of Digitalization (NIS2 and GDPR will go into a clear ministry).
He thinks that this issue is not a priority for the new government and does not expect updates soon. 

Joao Nuno Ferreira

Information about the draft of the law was ready last November/ December last year.
Government collapsed, new elections
New update: no recent updates on draft and how this will go forward
FCCN: in scope (because IX) they try to get information about their affiliated institutions

Alessandro Inzerillii

National Agency on Cybersecurity is responsible for writing draft laws will soon go into government, they think they will be in time for October. 

The list for the organisations in scope will be bigger then the current list of organisation as critical infrastructure. GARR will be in scope for NIS-2. They do not know the extend of the scope. 

Anne-Marie Achrenius 

Sweden has a law proposition that has been out for comments (deadline is closed). We're implementing NIS2 on 1st of January 2025 and universities are inluded as critical entities (!). Sunet is also within scope

Brian Nisbet

Our NCSC is having a conference tomorrow with a lot of NIS2 content, so who knows what we'll know by this time tomorrow!