2025/10 Weekly Update from the EU ISAC for Cities & Regions: Habemus our own SOC? / Enablor is currently supporting 3931 organisations with 4158 users and 10978 logins last year – a thriving community! / SaaS = RENT ≠ OWN! / How can we prefer EU controlled suppliers in tendering? / Are we “CISOs Anonymous”?
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in his function, Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity (ENISA). See https://isac4cities.eu/.
Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week's thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 22): If a threat that can trigger legal liability is officially minuted, then you have become legally aware of it and can be held liable for penalties if an incident occurs.
- Weekly [TLP:RED] for Essential Services Managers (Repeat # 22): If you can get a threat that can trigger legal liabilities minuted, then you have transferred that liability.
- Weekly [TLP:RED] for IT Leaders (Repeat # 22): Formal minuted meetings of budget presentations can limit your liabilities in the case of incidents.
Summary |
Hi everyone, friends from Belgium, Bulgaria, Croatia and Italy joined this Friday morning along with friends from ENISA, and we started off reflecting on how over the past generation or so competencies have basically shifted from technical expertise to administration expertise, which sort of aligns with the growing supplier management focus of our roles (versus technically operating data centres etc.). This then also falls squarely in line with the growing technical dependency on the big cloud vendors who unfortunately understand little about our contexts. Our friends at ENISA then reminded us of the growing momentum around https://www.securitybydefault.org/ and we reflected a little on whether we can actually stay in control of all the security configurations that might be relevant – indeed, upgrades to cloud services often reset our custom security configurations back to default and we are typically also not notified of the details.
We then moved to discussing how, while regulations associated with public tendering processes do often give robust guidance on security requirements, this has nothing to do with the political decisions related to suppliers. One colleague has a network infrastructure provided by an EU-based supplier and leadership is looking to move to a US-based supplier at 10x the cost, with the reasons being rather unclear. All things considered, both suppliers meet the tendering requirements, and we need to challenge ourselves to reflect whether EU-based suppliers should be preferred by default? In a current exercise another colleague is looking to achieve this by leveraging GDPR legislation, although the large US suppliers do now offer EU-based data hosting – beware of the difference between what is promised and what is actually happening technically.
Some good feedback then from ENISA mentioning that along with the Health ISAC we are the only ISAC with a focus on the citizens of our society – nice story from the Health ISAC that with all the budget constraints they are often faced with the decision to buy a software license OR hire a nurse… I'll vote for the second! Yes – we are the “digital knights” of our cities and regions.
A good point then came up around a purchasing activity of another colleague where internal guidance is to “buy” a solution (versus making one). We reminded ourselves that if we are purchasing SaaS solutions, then we are actually not “buying” – we are “renting”. May seem an irrelevant word-play, but there is actually a fundamental mindset difference here – “renting” means you have a landlord who controls many things (i.e., the cost). “Buy” does not mean “ownership” and definitely does not mean “control”!
We finished up on a light note realising that what we appreciate about our Friday mornings is that we remind ourselves we are not alone and everyone is facing similar challenges – sort of like a club “CISOs Anonymous”?

Ah yes, on Friday afternoon we spoke about more intensive collaboration with some friends at a very mature e-identity suite of solutions that serve many administrations in their country. One specific project we will look to develop is to have their SOC grow into also becoming our SOC – stay tuned since this could be a very good resource for us all moving forward. We have been looking to implement something like this for a while and struggled to find a fundable way forward – this may indeed finally be the right direction of travel – a “SOC of SOCs” for our community?
Cheers,
Oliver
In the News |
- We are now collaborating directly with the European Energy Information Sharing & Analysis Centre – see https://www.ee-isac.eu/
- Major Cities of Europe, in collaboration with the City of Issy-les-Moulineaux, is pleased to announce the joint 2025 conference under the theme of “Piloting Disruptive Innovation in Cities and Regions”, which will be hosted at the UGC Congress Centre from October 9 to 10. Integrated into the Greater Paris Metropolis, Issy-les-Moulineaux is one of the most innovative cities in France and has long been recognized as a leader in digital innovation, circular economy, and environmental footprint reduction. The event is co-organized with Issy Media, the public company responsible for communication and innovation in Issy-les-Moulineaux. The conference will be conducted in English and French, with simultaneous translation available. See www.majorcities.eu for more details.
ISAC Services (Member Funded) |
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.
ISAC Baseline (IBAS) Project |
The IBAS project continues and remember this sits on the Enablor platform serving a wider community. Enablor is currently supporting 3931 organisations with 4158 users and 10978 logins last year – a thriving community!
The ISAC benchmark platform offers a unique opportunity for public administrations to benchmark themselves against not only regulatory requirements but also other local governments around Europe. Benchmarking data from European municipalities are now available in the ISAC Baseline Program, providing participants with insight into how similar organizations perform and comply with legislation. Assessing the organization’s security level gives insight into compliance with legislation as well as automated mappings to security frameworks such as ISO 27001-2, CIS 18 and NIST CSF. The Enablor platform can be used within your own organization and is a shortcut to collaborating with similar European organizations. If you are a region, you can also “sponsor” membership for your cities to create regional bench-learning groups. If you are a nation, then you can sponsor membership for your regions and cities as well of course.
Key value proposition? In the many discussions leading up to the launch, we see that the key value of participating is (a) access to a massive amount of detailed “real stories” on successful implementations across the NIS2 spectrum, and (b) significantly reduced effort for reporting. If needed, we can also provide administrative support for transferring existing data into the Enablor platform.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send one.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/