NIS Country Reports Overview Document

Similar documents
ENISA & Cybersecurity. Steve Purser Head of Technical Competence Department December 2012

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

Securing Europe's Information Society

Achieving Global Cyber Security Through Collaboration

EISAS Enhanced Roadmap 2012

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

ENISA EU Threat Landscape

EU policy on Network and Information Security & Critical Information Infrastructures Protection

13967/16 MK/mj 1 DG D 2B

Directive on security of network and information systems (NIS): State of Play

Mapping of the CVD models in Europe

ENISA & Cybersecurity. Dr. Udo Helmbrecht Executive Director, European Network & Information Security Agency (ENISA) 25 October 2010

The European Policy on Critical Information Infrastructure Protection (CIIP) Andrea SERVIDA European Commission DG INFSO.A3

Cyber Security in Europe

ENISA s Position on the NIS Directive

ehaction Joint Action to Support the ehealth Network

Cybersecurity & Digital Privacy in the Energy sector

Between 1981 and 1983, I worked as a research assistant and for the following two years, I ran a Software Development Department.

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

European Union Agency for Network and Information Security

EUREKA European Network in international R&D Cooperation

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

Package of initiatives on Cybersecurity

Friedrich Smaxwil CEN President. CEN European Committee for Standardization

Cybersecurity governance in Europe. Sokratis K. Katsikas Systems Security Laboratory Dept. of Digital Systems University of Piraeus

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

Cyber Security Beyond 2020

Romania - Cyber Security Strategy. 6th IT STAR Workshop on Digital Security

European Cybersecurity cppp and ECSO. org.eu

Cybersecurity Strategy of the Republic of Cyprus

ITU. The New Global Challenges in Cybersecurity 30 October 2017 Bucharest, Romania

Country-specific notes on Waste Electrical and Electronic Equipment (WEEE)

European Cybersecurity PPP European Cyber Security Organisation - ECSO

Where is the EU in cloud security certification?: Main findings

Security and resilience in Information Society: the European approach

Combating Pharmacrime AGENDA

Valérie Andrianavaly European Commission DG INFSO-A3

European Cybersecurity PPP European Cyber Security Organisation - ECSO November 2016

The commission communication "towards a general policy on the fight against cyber crime"

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

European Standardization & Digital Transformation. Ashok GANESH Director Innovation ETICS Management Committee

Discussion on MS contribution to the WP2018

EXPOFACTS. Exposure Factors Sourcebook for Europe GENERAL

esignature Infrastructure Marketing Model

This document is a preview generated by EVS

Cost Saving Measures for Broadband Roll-out

The NIS Directive and Cybersecurity in

Meeting minutes of NLO annual meeting of 8 June 2016

THE CYBER SECURITY ENVIRONMENT IN LITHUANIA

Information sharing in the EU policy on NIS & CIIP. Andrea Servida European Commission DG INFSO-A3

Directive on Security of Network and Information Systems

The prospects of data breach laws in 18 European countries

Netherlands Cyber Security Strategy. Michel van Leeuwen Head of Cyber Security Policy Ministry of Security and Justice

This document is a preview generated by EVS

Security and resilience in the Information Society: the role of CERTs/CSIRTs in the context of the EU CIIP policy

THE REGULATORY ENVIRONMENT IN EUROPE

A Strategy for a secure Information Society Dialogue, Partnership and empowerment

Call for Expressions of Interest

Network and Information Security Directive

Experience from the UK Government s BIM Programme

ENISA Cooperation in the EU / NIS Directive

This document is a preview generated by EVS

Harmonisation of Digital Markets in the EaP. Vassilis Kopanas European Commission, DG CONNECT

Centre for cybersecurity Belgium : Role, Missions et future capacities

Minutes of National Laison Officer s Meeting,

English version. European e-competence Framework - Part 1: The Framework - Version 1.0

e-sens Electronic Simple European Networked Services

NIS Standardisation ENISA view

CERT.LV activities, role in Latvia and globally. Baiba Kaskina, CERT.LV , Sofia, Bulgaria

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

Resilience, Deterrence and Defence: Building strong cybersecurity for the EU

RESOLUTION 130 (REV. BUSAN, 2014)

Introductory Speech to the Ramboll Event on the future of ENISA. Speech by ENISA s Executive Director, Prof. Dr. Udo Helmbrecht

Space Policy and ESDP. The use of satellites in space for security purposes

Cybersecurity Package

Cyber Security Strategy

Cyber Security Strategic Level Landscape in Poland. Krzysztof Silicki NASK Institute, Poland ENISA MB, EB

EU funded research is keeping up trust in digital society

ITS Action Plan Task 1.3 Digital Maps

EU e-marketing requirements

CSIRT capacity building Andrea Dufkova CSIRT-relations, COD1 NLO meeting Athens June 8. European Union Agency for Network and Information Security

ITU Global Cybersecurity Index

SAINT PETERSBURG DECLARATION Building Confidence and Security in the Use of ICT to Promote Economic Growth and Prosperity

Improving Resilience in European e-communication networks MTP 1

Countdown to GDPR. Impact on the Security Ecosystem and How to Prepare

The Potential of ICT for Creative Learning & Innovative Teaching

Critical Information Infrastructure Protection Law

NIS-Directive and Smart Grids

ENISA CE2014 After Action Report

Global cybersecurity and international standards

Project III Public/private cooperation

Europol The Police Intelligence Agency of the European Union

LIMITE EN COUNCIL OF THE EUROPEAN UNION. Brussels, 26 September 2008 (30.09) (OR. fr) 13567/08 LIMITE ENFOPOL 170 CRIMORG 150

UN General Assembly Resolution 68/243 GEORGIA. General appreciation of the issues of information security

RESOLUTION 130 (Rev. Antalya, 2006)

10025/16 MP/mj 1 DG D 2B

ENISA National Cyber Security Strategies workshop

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Transcription:

Country Reports May 11 NIS Country Reports Overview Document www.enisa.europa.eu

2 Country Reports Overview Document About ENISA The European Network and Information Security Agency (ENISA) is an EU agency created to advance the functioning of the internal market. ENISA is a centre of excellence for the European Member States and European institutions in network and information security, giving advice and recommendations and acting as a switchboard of information for good practices. Moreover, the agency facilitates contacts between the European institutions, the Member States and private business and industry actors. Contact details For contacting ENISA or for general enquiries on the Country Reports: Mr. Giorgos Dimitriou ENISA External Relations Expert Giorgos.Dimitriou@enisa.europa.eu Internet: http://www.enisa.europa.eu Acknowledgments: ENISA would like to express its gratitude to the National Liaison Officers that provided input to the individual country reports. Our appreciation is also extended to the ENISA experts and Steering Committee members who contributed throughout this activity. ENISA would also like to recognise the contribution of the Deloitte team members that prepared this overview of the 30 NIS country reports, on behalf of ENISA. Legal notice Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be an action of ENISA or the ENISA bodies unless adopted pursuant to the ENISA Regulation (EC) No 460/2004 as amended by Regulation (EC) No 1007/2008. This publication does not necessarily represent state-of the-art and it might be updated from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. Member States are not responsible for the outcomes of the study. This publication is intended for educational and information purposes only. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Reproduction is authorised provided the source is acknowledged. European Network and Information Security Agency (ENISA) 2011

ENISA Country Reports - Overview Document 3 Table of Contents INTRODUCTION... 4 APPROACH... 5 THE STRUCTURE OF THE INDIVIDUAL COUNTRY REPORTS... 6 NIS NATIONAL STRATEGY, REGULATORY FRAMEWORK AND KEY POLICY MEASURES... 8 OVERVIEW OF THE NIS NATIONAL STRATEGY... 8 THE REGULATORY FRAMEWORK... 9 NIS GOVERNANCE...10 OVERVIEW OF THE KEY STAKEHOLDERS BY COUNTRY... 10 INTERACTION BETWEEN KEY STAKEHOLDERS, INFORMATION EXCHANGE MECHANISMS IN PLACE, CO-OPERATION & DIALOGUE PLATFORMS AROUND NIS... 10 NIS FACTS, TRENDS, GOOD PRACTICES AND INSPIRING CASES...12 SECURITY INCIDENT MANAGEMENT AND REPORTING... 12 RISK MANAGEMENT AND EMERGING NIS RISKS... 12 RESILIENCE ASPECTS... 13 PRIVACY AND TRUST... 13 NIS AWARENESS AT THE COUNTRY LEVEL... 15 RELEVANT STATISTICS FOR THE COUNTRIES IN THE SCOPE...17 STATISTICS ON INTERNET ACCESS... 17 STATISTICS ON AWARENESS REGARDING IT SECURITY... 18 STATISTICS ON BEST PRACTICES AND POLICIES... 19 OTHER STATISTICS... 20

4 Country Reports Overview Document Introduction ENISA engaged an external consultant (i.e. Deloitte) for a project aiming towards the provision of updated country reports to give an overview of the key Network and Information Security (NIS) developments and other key aspects in each country in the scope. A total of 30 countries were included in the scope of the project the 27 EU Member States and 3 other countries within the European Economic Area - and therefore 30 updated individual country reports were issued, covering: Nr Country Nr Country 1 Austria 16 Latvia 2 Belgium 17 Liechtenstein 3 Bulgaria 18 Lithuania 4 Cyprus 19 Luxembourg 5 Czech Republic 20 Malta 6 Denmark 21 Norway 7 Estonia 22 Poland 8 Finland 23 Portugal 9 France 24 Romania 10 Germany 25 Slovakia 11 Greece 26 Slovenia 12 Hungary 27 Spain 13 Iceland 28 Sweden 14 Ireland 29 The Netherlands 15 Italy 30 United Kingdom The purpose of the current document is to provide a general introduction to the entire project and a high level overview of the individual country reports produced. It is not intended to provide a separate analysis, nor is it intended to perform benchmarking or ranking of the NIS specific elements of these countries. For more detailed information on the NIS aspects specific for each country, we refer to the individual country reports published on ENISA web site.

ENISA Country Reports - Overview Document 5 Approach A structured approach was applied in order to support update analysis and delivery of the 2011 NIS country reports. The adopted approach to collect the required information for updating the country reports was based on five distinct inputs as depicted in the figure below: Agree on new Country Report structure with ENISA (kick-off) Desktop research Collect primary input from ENISA Country Reports Collect input from Deloitte s European network of NIS professionals Collect input from one or more selected key stakeholders per Member State Figure 1 - Information collection approach After an initial analysis of prior year NIS country reports, a number of new elements were identified to be included in the updated version of the country reports. These elements have the aim to enhance the structure and content of the updated country reports and to also ensure that the country reports are in line with the ENISA Work Programme. Extensive desktop research was performed on a broad set of relevant information sources available, including an in-depth review of the current state of the information described in the previous year country reports. Public information sources regarding key stakeholders active in NIS were considered on a percountry basis, including those indicated in the ENISA s Who-is-Who Directory on Network and Information Security publication. Based on this research, the information in the country reports was initially compiled, enhanced and updated. The international network of Deloitte in the countries in scope was also used for the purposes of this extensive country reports exercise. Key European members of the network of Deloitte Security & Privacy professionals collected and provided additional input regarding new developments in the Member States and validated the draft updated country reports.

6 Country Reports Overview Document Key input and comments were also collected from close interaction with the ENISA National Liaison Officers (NLOs) from the Member States in the scope, in close coordination with the project Steering Committee led by Mr. Giorgos Dimitriou, ENISA External Relations Expert. Figure 2 - Key principles followed during the interaction with the NLOs The draft versions of the country reports were iterated with the NLOs who provided valuable clarification comments and additional input on the different sections of the individual reports. The authors would like to acknowledge the valuable input received from NLOs. The structure of the individual country reports The individual country reports present the key NIS information by following a structure intended to provide additional value to the reader: NIS national strategy, regulatory framework and key policy measures Overview of the NIS governance model at country level: o Key stakeholders, their mandate, role and responsibilities, and an overview of their substantial activities in the area of NIS o Interaction between key stakeholders, information exchange mechanisms in place, cooperation & dialogue platforms around NIS o Fostering a proactive NIS community Country specific NIS facts, trends, good practices and inspiring cases (as applicable): o Security incident management o Emerging NIS risks o Resilience aspects o Privacy and trust o NIS awareness at the country level o Country-specific activities for identifying and promoting economically efficient approaches to information security o Interdependencies, interconnection and improving critical information infrastructure protection

ENISA Country Reports - Overview Document 7 Relevant statistics for the country This generic structure can however be subject to adaptations from one country to another, based on the different inputs that were collected. It is also worth mentioning that this year, particular efforts were made in order to follow the topics of ENISA s work program 2011.

8 Country Reports Overview Document NIS national strategy, regulatory framework and key policy measures For the details related to the countries and examples indicated in this section, we invite the readers to consult the individual country reports. These reports include the relevant links and references, as appropriate, to the third-party sources that are quoted. Overview of the NIS national strategy There is no consistency in the observed European countries with respect to the presence of a NIS national strategy or cyber-security strategy, but many countries are putting strong efforts to make progress in this area. From this perspective there are differences by individual country, and moreover, these differences are not necessary related to the size of the country. In most of the countries, there is still no formally defined and consolidated NIS national strategy, but key elements are often embedded into the strategies, initiatives and measures implemented or planned by the government. Usually, the government and the public authorities are playing a central and active role in defining the main lines of the NIS national strategy. As a general comment, the level of involvement from other stakeholders (industry, academic, NGOs, etc.) is not consistent throughout Europe. Interesting recent developments regarding national NIS or cyber security strategies include the following examples for France, Germany and The Netherlands early 2011. In 2009, the French government took a first step regarding its national strategy for the defence and security of information systems with the creation of ANSSI, the French Network and Information Security Agency, which acts as the national authority for cyber-security. Following these efforts, France issued a national strategy for the defence and security of information systems in February 2011. This strategy relies on four major objectives: being a global power in cyber-defence and belong to the first circle of major nations in this area, while maintaining its autonomy; guarantee France s freedom of decision by the protection of sovereignty information; reinforce the French national vital infrastructures cyber-security; and ensure security in the cyber-space. The German Federal Government has announced its National Cyber Security Strategy early in 2011 to ensure secure operation of communications networks for the State, business and citizens. The core points of the strategy include: enhanced protection of critical infrastructure against IT attacks; protection of IT systems in Germany; and an effective joint effort across Europe and the world. The strategy also calls for the creation of a National Cyber Defence Centre, to be led by the Department for IT Security (BSI). The Netherlands consider trust in the Information Society as an important condition for economic development, prosperity and social welfare. In carrying out the political demands of the Dutch Parliament and the new Government, the administrations have been preparing a national cyber security strategy. This strategy embraces combating cybercrime including illegal and harmful content, improving network and information security, cyber defence and cyber warfare. The

ENISA Country Reports - Overview Document 9 minister of Security and Justice presented the first Dutch national Cyber Security Strategy for approval by the Dutch parliament (Second Chamber). The strategy contains an analysis of the problem, a vision presentation, as well as an action plan. Another interesting example is the Estonian Cyber-security Strategy that lays out the priorities and activities aimed at improving the security of the country s cyberspace. The cyber-security strategy concentrates on the following areas: the responsibilities of state and private organizations, vulnerability assessments of critical national information infrastructure, the response system, domestic and international legal instruments, international cooperation, and training and awareness-raising issues. It should be noted that several countries are also in the process of preparing or considering the creation of a holistic cyber security strategy, while others have already done so. The regulatory framework This section aims to provide an overall picture of the situation and progress of NIS-related regulations and laws within the 27 EU member states and the 3 EFTA members that are also in the scope of these reports. In general, the primary legislation in the countries included in the scope of the Country Reports is well represented and quite aligned in terms of NIS topics covered. However the definitions of NIS topics and structure of regulation is not consistent. An overview of the NIS areas that are addressed by the national primary legislation and that have relevance from an NIS perspective is included in the individual country reports. These typically include Data Protection-Privacy, esignatures-eidentity, ecommunications and Cyber Crime. Additionally, secondary regulation on a national level, such as self-regulations, is further presented in the country reports.

10 Country Reports Overview Document NIS Governance For the details related to the countries and examples indicated in this section we invite the readers to consult the individual country reports. These reports include the relevant links and references, as appropriate, to the third-party sources that are quoted. Overview of the key stakeholders by country For the update of the NIS country reports, key stakeholders were identified for each country in the following areas: Government (national authorities, regulators, etc.); CERT teams; Industry organisations with a focus on NIS; Academic organisations with NIS focus; Other organisations with NIS focus. The country reports illustrate differences in the number of stakeholders and their respective mandates involved in NIS on national level. These are linked either to the size of the country and its maturity in structurally addressing NIS issues across the board. An interesting trend is that more countries are establishing centralized cyber-security authorities (e.g. in the United Kingdom, France, The Netherlands, etc.). In other countries, the need for such centralized bodies is often recognized by private or public sector stakeholders, even though it has not led to a concrete implementation yet. Clearly this is linked to the formulation of an adequate national Cyber security strategy. The country reports also illustrate the increasing presence of national and governmental CERTs. Furthermore, the number of other CERTs varies from one country to another, depending mostly on the size of the country and its general level of awareness regarding NIS issues. Interaction between key stakeholders, information exchange mechanisms in place, co-operation & dialogue platforms around NIS Achieving a coherent response to the evolving NIS threat landscape, in which all actors contribute to define and implement a global approach to securing infrastructure and reacting to incidents, remains a key challenge in modern information security. Whilst Member States can reasonably expect to master natural disasters and malicious attacks that take place within their own borders, incidents that have a global impact will require a coordinated prevention strategies and response based on strong collaboration. This will only be possible if the community at large is both aware of the role that it has to play and has the necessary competence to carry out the associated activities.

ENISA Country Reports - Overview Document 11 Overall, the interaction between key stakeholders has increased further in the past year and additional information exchange mechanisms have been put in place. The co-operation and dialogue platforms around NIS are essential and this is clearly recognized in the Member states. Several countries have established sector collaboration and consultation initiatives around NIS topics, such as ISAC s and WARPs.

12 Country Reports Overview Document NIS facts, trends, good practices and inspiring cases For the details related to the countries and examples indicated in this section, we invite the readers to consult the individual country reports. These reports include the relevant links and references, as appropriate, to the third-party sources that are quoted. Security incident management and reporting In most of the countries that were the subject of this study, information security incidents are reported and handled via the national/governmental CERTs. The level of information reported and of support given by the CERT varies depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and CERT resources available. Special attention is generally given to issues affecting critical infrastructure. The security incident management services are often provided by CERTs and only during the normal office hours, from Monday to Friday. However more and more CERTs operate on a 24x7 basis in many countries. CERTs are also still expanding their services in order to better support their constituencies, also towards preventative measures including alerting, advisory, etc. Network operators are also essential in responding in the case of security incidents in their networks. The common practice is that representatives work with NIS-related authorities in case of major incidents, in order to appropriately coordinate the incident handling. In some countries, notice-and-takedown provisions have been implemented to make incident response more efficient. Risk Management and Emerging NIS risks In the different Member States, the risks due to man-made attacks, technical failures or natural disasters are often not completely investigated or analysed. Cyber attacks have risen to an unprecedented level of sophistication and the large scale cyber-attacks on Estonia, Lithuania and Georgia are the most widely covered examples of a general trend. The increasing number of viruses, worms, malware, botnets and spam in all Member States confirm the severity of the problem. The high (and increasing) dependence of critical information infrastructures, their cross-border interconnectedness and interdependencies with other infrastructures, as well as the vulnerabilities and threats the Member States face raise the need to address their security and resilience in a systemic perspective as the frontline of defence against failures and attacks. Most countries have a kind of risk management process either in the context of National Security, CIP (Critical Infrastructure Protection), etc. However the existence of a comprehensive NIS risk assessment process is closely correlated with the (preparation of and) existence of a national NIS strategy, and hence the overall maturity of the Member States in addressing cyber risks.

ENISA Country Reports - Overview Document 13 Resilience aspects Best practice information on the resilience of ecommunications networks is usually collected by different authorities, while there is no central repository in place. In many countries, good practices on ecommunications networks resilience have been worked out in the form of recommendations by the responsible authorities, service providers associations, etc., and address key aspects regarding business continuity and recovery measures. As in the previous issue of this overview document, the Austrian Programme for Critical Infrastructure Protection (APCIP) can be cited as an inspirational example as it defines the risks, stakeholders and objectives in regards of resilience, and involves Ministries and the private sector. France is also worth mentioning, as part of its national risk management process involves having each ministry doing a risk assessment regarding network resilience and information security. This country also participates in multiple nation-wide and international exercises on crisis management in the cyber-defence context, parts of which being focused on network resilience. The particular case of Malta, which was already described in 2010, can again be quoted. International connectivity being crucial to this country, the Malta Communications Authority (MCA) deemed appropriate to issue a regulation on international connectivity, giving it the required powers to ensure that international gateway providers are caring for redundancy in their links. In other countries, no mechanism exists where authorities, telecom providers and infrastructure owners would meet on a regular basis to address ecommunications resilience and/or security issues. In multiple countries, however, industry players have got their own bilateral mechanisms such as a committee addressing technical issues. Privacy and trust In general, the Data Protection Directive has been implemented by the countries and at least one competent national regulatory authority on this matter is in place and responsible for the enforcement of the locally-implemented Data Protection Act. An interesting case is Germany, where there are 20 different federal and regional supervisory authorities in place responsible for monitoring the implementation of data protection. With few exceptions, there are no deviations from the standard definition of personal data or sensitive data. The noted exceptions are, for example, extensions of the definition to data relating to both individuals and legal entities (e.g. Austria). Latvia is also worth mentioning here, as it has implemented a general ban for the processing of sensitive personal data.

14 Country Reports Overview Document The Data Protection Acts implemented by countries do not always contain an obligation to inform the authority or the affected data subject of a security breach. This is apparently the case for countries like Germany, Greece and Italy. However, in certain sectors data controllers may be required to inform sector regulators of any breach noted - such obligations may arise from contractual obligations if the data controller has entered into a contract with the data subject.

ENISA Country Reports - Overview Document 15 NIS awareness at the country level European Member States have continued their awareness rising activities on various levels. An inspirational case is Austria this country has put in place an IT Security Handbook, which is a key NIS awareness tool at national level used across different sectors to establish comprehensive IT security processes. The Austrian IT Security Handbook was published by the A-SIT (Austrian Centre of Secure IT). Awareness actions targeting the consumers/citizens The results regarding the EU s Safer Internet programme can be observed in the different EU countries. This program covers public awareness activities, actions for fighting illegal and harmful content online and actions promoting a safer online environment. Furthermore there are many national awareness initiatives where the public and private sector collaborate. A good example of this can be found in the UK with the Get Safe Online (http://www.getsafeonline.org/) campaign and national initiative. It aims at teaching citizens and micro-businesses about basic computer security and internet privacy. It was launched in October 2005 with the backing of several public and private partners. The campaign's centre point is its website where people can go to get information about internet safety, how to protect themselves online, and practical advice. The site offers information for beginners, as well as more technical information and guidance for businesses as well as home users. Another interesting example is the Day of Data Protection, organised annually by the Committee for Data Protection (Datenschutzkommission) in Austria this focuses on promoting data protection good practices and on awareness rising towards Consumers/Citizens, but also SMEs, large enterprises, government institutions. In almost all countries, ISPs offer their clients information on possible vulnerabilities and risks and provide (web based) spam filters, blacklists, etc. Also, the banks inform and warn their clients via their website about the risks of Internet banking and, in particular, phishing (for which victims are increasing). This is the case in the majority of the newer EU Member states, for example in: Latvia, Bulgaria, Hungary, Romania, Lithuania, Poland or Czech Republic where the number of cases of fraud was relatively higher than in the rest of the countries in scope. Awareness actions towards spam and/or malware An interesting and increasingly popular category of awareness actions noted relates to the awareness actions towards spam and/or malware. More information about the spam phenomena and guidelines regarding the measures to be taken by an end-user against unsolicited commercial communications, are in general provided by industry or consumer organisations through their websites. In Romania for instance, the Association for Technology and Internet provides the first Romanian black list of spammers through its website.

16 Country Reports Overview Document Some countries have already a tradition in this respect, like for example Germany, who organised the 7 th German Anti Spam Summit, September 14 16, 2009, in Wiesbaden.

ENISA Country Reports - Overview Document 17 Relevant statistics for the countries in the scope In general, the more a country relies on IT for its business and governmental activities, as well as for private purposes, the more NIS gains in importance. For this reason, a general understanding of the stage of IT adoption in the countries included in the scope of the country reports is relevant. We included IT adoption indicators in the country reports, based on Eurostat 1 information which allows comparing different countries. The statistics presented in the reports are linked to the following areas: Internet access; Awareness regarding IT security; Best practices and policies. Statistics on Internet access These statistics give a general idea on the level of Internet access that can be measured in each country for the population and for enterprises, as can be seen in figures below. Figure 3 - Example on Internet access for households in the Netherlands 1 Source : Eurostat

18 Country Reports Overview Document Figure 4 - Example on Internet access for enterprises For more detailed information on the NIS aspects specific for each country, we refer to the individual country reports published on ENISA web site. Statistics on awareness regarding IT security These statistics provide an overview of the general awareness level of the population in each country, compared with the European average. This awareness level is illustrated by both the reluctance of Internet users towards performing certain web-based activities and their potential use and update of IT security software and tools to protect their private computers and data, as shown in the figures above. Figure 5 - Example on activities via Internet not done because of security concerns

ENISA Country Reports - Overview Document 19 Figure 6 - Example on the use and update of IT security software and tools to protect private computers and data For more detailed information on the NIS aspects specific for each country, we refer to the individual country reports published on ENISA web site. Statistics on best practices and policies These statistics provide the reader with an overview of the application of ICT security policies in enterprises, for each surveyed country, as shown in Error! Reference source not found.. Figure 7 - Example on use of an ICT security policy in enterprises For more detailed information on the NIS aspects specific for each country, we refer to the individual country reports published on ENISA web site.

20 Country Reports Overview Document Other statistics The country reports also include statistics from the Anti-Phishing Working Group, allowing a comparison between the number of phishing attacks in the first half of 2009 and the first half of 2010, as shown in Error! Reference source not found. and Error! Reference source not found.. Figure 8 - Example of APWG statistics for unique attacks and unique domain names used for phishing Figure 9 - Example of APWG statistics per 10.000 domains For more detailed information on the NIS aspects specific for each country, we refer to the individual country reports published on ENISA web site.

ENISA Country Reports - Overview Document 21