BSA Cloud Report

Countries

The following summaries and full Member State reports give an overview of the cybersecurity landscape, based on the set of criteria outlined below, highlighting key cybersecurity legislation and policy, as well as the main entities currently operating within each jurisdiction.

  • Legal foundations for cybersecurity;
  • Operational capabilities;
  • Public-private partnerships;
  • Sector-specific cybersecurity plans; and
  • Education.





Country Reports

See the summaries and full report below for detailed information on each Member State.

  1. Austria

    Rank2

    Summary

    The Austrian Cyber Security Strategy was adopted in 2013. It is part of a broader ICT security initiative of the Austrian government, as set out in the National ICT Security Strategy 2012. The Strategy is an extensive plan that maps targeted cybersecurity objectives into organised fields of action.

    Austria has an established computer emergency response team, CERT.at, with a broad and well-defined scope. There are also several public-private partnerships related to cybersecurity operating in the country, such as the Centre for Secure Information Technology Austria (A-SIT) and Kuratorium Sicheres Österreich.

    The Austrian Trust Circles provide formal structures for sector-specific information exchanges related to the critical information infrastructure of various sectors. These platforms are tasked with developing sector-specific risk management plans. The Austrian Trust Circles are an initiative of CERT.at and the Austrian Federal Chancellery.

  2. Belgium

    Rank2

    Summary

    Belgium's Cyber Security Strategy was adopted by the government in 2012. The legal framework for cybersecurity in Belgium, however, remains somewhat unclear, and the information available on the implementation of the strategy is limited.

    On the other hand, Belgium does have an established computer emergency response team, CERT.be, and a well-developed cybersecurity incident-reporting structure. Belgium also recently announced the launch of a new Cybersecurity Centre. There is active support in the country for public-private partnerships, through BeINIS, a government body that liaises closely with private and semi-private entities.

  3. Bulgaria

    Rank2

    Summary

    The legal framework for cybersecurity in Bulgaria is limited, and there is no national cybersecurity strategy in place. There are also no formalised public-private partnerships, although a significant number of cybersecurity events and academic discussions are focused on cybersecurity and critical information infrastructure protection.

    CERT Bulgaria is the country's most significant cybersecurity entity and the focus of recent efforts from the government to strengthen cybersecurity.

  4. Croatia

    Rank2

    Summary

    Croatia has yet to establish a comprehensive cybersecurity strategy or a well-developed system of public-private partnerships.

    Croatia has two established computer emergency response teams (CERTs). The National CERT, established in 2009, is responsible for coordinating security and incident response measures for parties that use a Croatian IP address or .hr domain. The Information Systems Security Bureau's ZSIS CERT has jurisdiction over Croatian government institutions.

  5. Cyprus

    Rank2

    Summary

    Cyprus adopted a national cybersecurity strategy in 2013. It includes a commitment to update key elements of the legal framework for cybersecurity. Cyprus also is working toward the establishment of a national CERT, which is expected to be operational in 2015. The country has also taken an interest in sector-specific approaches to the management of cybersecurity, with a potential focus on the energy and financial services sectors.

  6. Czech Republic

    Rank2

    Summary

    The Cyber Security Strategy of the Czech Republic for the period 2011-2015 was published in 2011. The strategy provides general cybersecurity principles and clearly stated goals. On 1 January 2015, the Act on Cyber Security came into force. This law includes comprehensive provisions on most aspects of cybersecurity and is complemented by several important regulations.

    The country has also established a national CERT, CSIRT.CZ, as well as a CERT dedicated to government agencies: GOVCERT.CZ.

    The National Cyber Security Centre was launched on 1 January 2015 to promote public-private partnerships. Furthermore, the Czech Republic is conducting a sector-based security risk assessment in cooperation with the academic and private sectors. The project is the first such assessment that addresses cybersecurity.

  7. Denmark

    Rank2

    Summary

    Denmark does not have a national cybersecurity strategy or a law dedicated to the subject. Denmark recently passed a law that establishes the Centre for Cyber Security, which both takes control of and supersedes its current government CERT. The scope and powers of the new centre are still to be confirmed.

    The Danish private sector has established a formal framework for cooperation on cybersecurity issues through the Council for Digital Security.

  8. Estonia

    Rank2

    Summary

    Estonia was one of the first countries to develop a national cybersecurity strategy in 2008, followed by the release of an updated strategy in 2014. The country also has a wide range of legislation that covers information security and cybersecurity. Estonia has a well-established CERT, CERT Estonia, under the control of the Information System Authority. Beyond national bodies, it is also notable that NATO's Cyber Security Centre of Excellence is based in Estonia.

    While no formalised public-private partnerships exist, public entities do work closely with relevant private-sector organisations.

  9. Finland

    Rank2

    Summary

    Finland published a comprehensive cybersecurity strategy. It is complemented by a strong overall legal framework encompassing a range of important cybersecurity issues. The national authority responsible for cybersecurity in Finland is in transition, involving the amalgamation of two government CERTs and the creation of the Cyber Security Centre.

  10. France

    Rank2

    Summary

    France has had a national cybersecurity strategy in place since 2011, although it has a strong focus on defence and national security issues. The National Agency for the Security of Information Systems (ANSSI) is a well-established authority dedicated to information security and is integrated with the country's computer emergency response team, CERT-FR. The cybersecurity strategy contains recommendations for closer cooperation with the private sector, but this has not been significantly developed. ANSSI has published sector-specific security measures, making France one of the few EU countries to adopt such a targeted approach to managing cybersecurity.

  11. Germany

    Rank2

    Summary

    Germany has a comprehensive cybersecurity strategy, adopted in 2011 and complemented by a strong cybersecurity legal framework. The existence of the Federal Office for Information Security (BSI), in charge of managing computer and communication security for the German government, is a clear demonstration that cybersecurity is elevated to a high government level. Germany also has a network of CERTs, with the national CERT, CERT-BUND, working closely with both state-level and non-governmental CERTs.

    Furthermore, the country has well-developed public-private partnerships, such as the Alliance for Cyber-Security and the UP KRITIS partnership, and its national policies and legal framework reflect this focus on cooperation.

  12. Greece

    Rank2

    Summary

    Greece does not have a cybersecurity strategy or dedicated cybersecurity legislation. The legal and institutional framework that supports cybersecurity is also limited. The national computer emergency response team, NCERT-GR, is limited to government institutions and operators of critical infrastructure.

    There are no significant public-private partnerships in Greece, and the government is not actively pursuing their establishment or closer cooperation with the private sector.

  13. Hungary

    Rank2

    Summary

    The National Cyber Security Strategy of Hungary was adopted in 2013. The strategy covers key principles of cybersecurity, an overview of Hungary's current cybersecurity situation, and its future cybersecurity goals. Hungary has a limited legislative framework dedicated to cybersecurity.

    Several public authorities play a role in cybersecurity, including the National Security Authority, which deals with information security, and the Cyber Security Centre, part of the intelligence services, which deals with cybersecurity. Hungary also has a computer emergency response team, CERT-Hungary, but its remit is limited to government institutions. Furthermore, while the National Cyber Security Centre is tasked with liaising with the private sector, there are no formalised public-private partnerships.

  14. Ireland

    Rank2

    Summary

    Ireland's national legal and policy framework is very limited when it comes to cybersecurity. A cybersecurity strategy is being developed, but there is no clear timeframe for its release or adoption. Ireland is also one of the few countries in the European Union without an operational CERT, although it is in the process of establishing one.

    While there is no formalised public-private partnership set up for cybersecurity, Irish private sector entities, including Infosecurity Ireland, appear to be quite active in this field. In addition, Ireland organised a number of successful individual cybersecurity education campaigns, such as the "Make IT Secure" campaign, which included releasing online resources alongside a television advertising campaign.

  15. Italy

    Rank2

    Summary

    Italy updated its security laws in 2007 and adopted cybersecurity plans in 2013 and 2014, resulting in a strong legal framework supporting cybersecurity. The Italian cybersecurity strategy also calls out public-private partnerships as the intended direction for cybersecurity, but no formalised cooperation yet exists.

    CERT-PA was established in 2014. It is responsible for cybersecurity warning systems and the coordination of incident response measures for Italian government institutions.

  16. Latvia

    Rank2

    Summary

    The Latvian cybersecurity strategy, published in 2014, contains a clear set of concrete objectives matched with specific implementation dates. It also has a strong legal framework for supporting cybersecurity, an important pillar of which is the Law on Security of Information Technology adopted in 2010. This law sets out the roles and responsibilities of the country's national computer emergency response team, CERT.LV.

    While the cybersecurity strategy provides for the establishment of formalised public-private partnerships for cybersecurity, no such platforms yet exist.

  17. Lithuania

    Rank2

    Summary

    Lithuania published a comprehensive cybersecurity strategy in 2011; however, information on its implementation remains limited. The Lithuanian computer emergency response team, CERT-LT, covers all national networks, not exclusively government ones, and the State Information Resources Management Council acts as a powerful policy formation and management body.

    The cybersecurity strategy recognises the value of and need for public-private partnerships, but no formalised or systematic cooperation yet exists.

  18. Luxembourg

    Rank2

    Summary

    Luxembourg has a fairly limited cybersecurity strategy, published in 2013, which contains some key guiding principles but has little detail on their implementation. The country's legal framework for supporting cybersecurity is also yet to be fully developed. The need to encourage public-private cooperation is a principle mentioned in the cybersecurity strategy, but no formal cooperation is known.

    Luxembourg has two CERTs. CIRCL is a response coordinating body that covers all organisations operating in Luxembourg, while GOVCERT.LU is dedicated to public authorities. CASES, a government information security agency, engages in awareness-raising activities and the promotion of best practices.

  19. Malta

    Rank2

    Summary

    Malta has yet to develop a comprehensive legal and policy framework for supporting cybersecurity, although its Digital Malta Strategy and e-government plan promise the elaboration of a cybersecurity strategy.

    The Malta Information Technology Agency (MITA) appears to be active in cybersecurity. The national CERT is CSIRT Malta, which is responsible for coordinating incident response measures for entities engaged with Maltese critical infrastructure.

  20. Netherlands

    Rank2

    Summary

    The Netherlands has a sophisticated and mature legal and policy framework for cybersecurity, which includes the National Cyber Security Strategy 2. Adopted in 2013, it is the second such strategy, as the country's cybersecurity framework is renewed every two years.

    The Netherlands also has a National Cyber Security Centre, an expanded CERT dealing with all cybersecurity-related procedures and practices in a centralised manner. The centre also actively participates in the work of the Information Sharing and Analysis Centres (ISACs) for sectors involved with critical infrastructure.

  21. Poland

    Rank2

    Summary

    Poland has a comprehensive cybersecurity strategy with clear goals. It was adopted in 2013, so most of the recommendations are still being implemented. The legal framework for cybersecurity is still not fully developed.

    Poland has several CERTs, including CERT.GOV.PL, which covers government and critical infrastructure entities. It also acts as the cybersecurity authority. CERT Polska is an academic CERT covering the entire .pl network in a semi-official capacity.

  22. Portugal

    Rank2

    Summary

    Portugal has not developed a comprehensive legal and policy framework for cybersecurity, and its cybersecurity strategy has not been elaborated. There is no formalised public-private cooperation in place.

    The country does have a national CERT, CERT-PT, and the National Centre for Cybersecurity. The latter was established by the National Security Authority and is tasked with liaising with the private sector on cybersecurity incidents.

  23. Romania

    Rank2

    Summary

    Romania has a somewhat vague cybersecurity strategy, adopted in 2013. Its legal framework is limited, although relevant legislative proposals have been submitted to the parliament for adoption. CERT-RO is the national computer emergency response team. It covers all users of Romanian networks. Furthermore, the cybersecurity strategy proposes the establishment of two other cybersecurity agencies.

  24. Slovakia

    Rank2

    Summary

    Slovakia adopted its first, five-year cybersecurity strategy in 2009. Details on the new strategy for 2014 to 2020 remain limited. Slovakia has a CERT, CSIRT.SK, that focuses on government agencies and critical infrastructure operators. There are no defined public-private partnerships for cybersecurity.

  25. Slovenia

    Rank2

    Summary

    Slovenia has yet to develop a comprehensive legal and policy framework for cybersecurity. As such, it also has yet to adopt a national cybersecurity strategy. SI-CERT is the national computer emergency response team, and it deals with all Slovenian networks. There are no defined public-private partnerships for cybersecurity in Slovenia.

  26. Spain

    Rank2

    Summary

    Spain adopted the National Cyber Security Strategy in 2013. It is a comprehensive document, which sets objectives and targeted lines of actions. It is compatible with, and references, both the National Security Plan and existing security laws; and these plans and laws work together as a package.

    Spain has established two CERTs, INTECO-CERT and CCN-CERT, and the National Centre for Critical Infrastructure Protection (CNPIC). The latter appears to be the premier agency for information security and cybersecurity, while the role of the CERTs is limited to dealing with cybersecurity incidents. CNPIC is responsible for ensuring coordination and cooperation between the public and private sector. It also runs sectoral working groups and is working toward the development of sector-specific cybersecurity plans.

    Additionally, cooperation with the private sector is formalised through the National Advisory Council on Cybersecurity, established in 2009, whose members are private sector representatives. The council is tasked with providing policy advice to the government, although its current status is somewhat unclear. Private sector associations are also active, with two prominent bodies dedicated specifically to cybersecurity and information security, as opposed to general IT matters.

  27. Sweden

    Rank2

    Summary

    Sweden does not have a national cybersecurity strategy, but one is being developed. There are no laws in Sweden that specifically deal with cybersecurity.

    Sweden does, however, have a functioning CERT, CERT-SE, which has jurisdiction over all Swedish networks. Furthermore, the Swedish Civil Contingencies Agency (MSB), which is the national authority in charge of information security, has helped Sweden establish a good reputation on cybersecurity. MSB is the centralised information security entity and has a prominent public presence.

  28. United Kingdom

    Rank2

    Summary

    The United Kingdom has a comprehensive cybersecurity strategy, which was released in 2011. It is complemented by a strong cybersecurity legal framework and two CERTs: CERT-UK mainly supports operators of critical infrastructure while GovCertUK supports government agencies. Other relevant bodies include the National Security Council and the Office of Cyber Security and Information Assurance.

    The United Kingdom also has a well-developed system of public-private partnerships in which the private sector actively participates. This collaborative approach also is strongly supported by its cybersecurity strategy. The Centre for the Protection of National Infrastructure (CPNI), for example, organises sector-specific information exchanges, covering 14 sectors.