2025/12 Weekly Update from the EU ISAC for Cities & Regions: National NIS2 – going beyond the needed? / Do you have a “bratwurst” or “goulash” cyber strategy? / EU Council of ISACs meeting in Brussels end of April / Gartner report on the “Leadership Vision for 2025, Top 3 Strategic Priorities for Security and Risk Management Leaders.”
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in his function as Chair of the ISAC for Cities Plus (I4C+), is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
Weekly [TLP:RED]
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week’s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 24): Good relationships with the leaders of your police and fire services departments are crucial for making a crisis centre work.
- Weekly [TLP:RED] for Essential Services Managers (Repeat # 24): Make sure you can operate key processes without an Internet connection, save key transactional data on USB drives and are able to transfer that via USB to another PC/laptop at your regional administration. “Sneaker Interfaces” must work.
- Weekly [TLP:RED] for IT Leaders (Repeat # 24): Expect that securing a solution will cost up to 3x the cost of the solution itself.
Summary
Hi everyone, friends from Belgium, France, Ireland and Italy joining this Friday morning.
Our colleague from France was new to the round and hence we proceeded to “interrogate” him as to his world covering a region in France. His focus on NIS2 led to a discussion on the way national NIS2 implementations are progressing and how it seems that most member states are using the opportunity to go “above and beyond” the EU-level NIS2 focus – i.e., in Belgium we see “Essential entities shall have their implementation regularly assessed and reviewed by a third party. This can be done through a CyFun® certification granted by an accredited and authorised conformity assessment body (CAB). Essential entities have to obtain the assurance level basic or important before 18/04/2026, the final level needs to certified before 18/04/2027.” See https://atwork.safeonweb.be/tools-resources/nis-2-quickstart-guide. This then led to a renewed discussion on the critical difference between completing an assessment on relevant controls and the “effectiveness” of those controls (which cyber professionals naturally focus on). We then also looked at how the US DoD tackles this (see https://dodcio.defense.gov/cmmc/About/) and that the crucial thing is demonstrating that controls exist and that there is a PLAN to improve their effectiveness. That then led us to a discussion on possible penalties for not passing a national NIS2 assessment and that such penalties may well not be implemented in the first years of NIS2 mandation. Ah yes, we then also reflected on the cultural differences in addressing such policies – France, Germany and Italy for example have different views on how important compliance by the letter is and how urgent that might be 😊 I think these comparisons can help us learn about “tricks of the trade” to accelerate / delay activities as needed! Just for “starters” (no pun intended) the image below shows the most famous European dishes – hmmm… maybe there is a link to the way we tackle cyber differently – a “bratwurst” strategy versus a “goulash” one? 😊

We also reflected on how to support an upcoming face-to-face meeting of the EU Council of ISACs Tuesday 29th and 30th of April (on site) with a focus on “Workshop on data sharing between members, ISACs and institutions.” Day 1 (ISACs only): Explain our different information sharing processes (between industry and EU/national regulators, members and ISACs, etc.) and evaluate how we could energise information sharing between ISACs as well as with European institutions. Day 2 (ISACs and European partners representatives): Review current information sharing processes (mandatory reporting, exchanges between CERTs/CSIRTs, feedback to the industry) & draft an ideal information sharing process including ISACs. Both meetings are scheduled in Brussels; confirmation of the exact location will be provided shortly. We have two colleagues from Belgium and Italy planning to attend (I cannot make it unfortunately).
Finally, for those of you receiving the email version of this weekly update, you will find a Gartner report on the “Leadership Vision for 2025, Top 3 Strategic Priorities for Security and Risk Management Leaders” that you might find interesting. We may all have our own opinion of Gartner (and similar “research” organisations); however, remember that their view is considered by business leadership following the adage “if Gartner recommends it, then it must be a good decision to make”. For those not on the email distribution list please contact me to be added – key points from Gartner on three Trends Defining the Cybersecurity Landscape in 2025:
- Cyber risk is a ubiquitous concern for nonexecutive board members — a sentiment echoed by their executive colleagues. More than 93% of nonexecutive board members see cybersecurity threats as a threat to shareholder value. What’s more, 98% of respondents believe cyberthreats will only grow over the next two years.
- There remains an appetite for technology risk as the preferred method for delivering shareholder value. The majority of corporate board members indicate they’d like to see their organizations take more risks when it comes to technology.
- Cybersecurity still dominates investment planning and remains the top focus for CIOs. Eighty-seven percent of technology executives are planning to increase funding toward cyber/information security initiatives in 2025.
Cheers,
Oliver
In the News
- See https://statetechmagazine.com/article/2025/03/cybersecurity-kpis-matter-most-government for a good summary of key cyber KPIs – nothing new really but a good validation for what we are doing.
- Major Cities of Europe, in collaboration with the City of Issy-les-Moulineaux, is pleased to announce the joint 2025 conference under the theme of “Piloting Disruptive Innovation in Cities and Regions”, which will be hosted at the UGC Congress Centre from October 9 to 10. Integrated into the Greater Paris Metropolis, Issy-les-Moulineaux is one of the most innovative cities in France and has long been recognized as a leader in digital innovation, circular economy, and environmental footprint reduction. The event is co-organized with Issy Media, the public company responsible for communication and innovation in Issy-les-Moulineaux. The conference will be conducted in English and French, with simultaneous translation available. See www.majorcities.eu for more details.
ISAC Services (Member Funded)
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review them and consider reaching out to include them in your activities and budgets.
ISAC Baseline (IBAS) Project
The IBAS project continues and remember this sits on the Enablor platform serving a wider community. Enablor is currently supporting 3931 organisations with 4158 users and 10978 logins last year – a thriving community!
The ISAC benchmark platform offers a unique opportunity for public administrations to benchmark themselves against not only regulatory requirements but also other local governments around Europe. Benchmarking data from European municipalities are now available in the ISAC Baseline Program, providing participants with insight into how similar organizations perform and comply with legislation. Assessing the organization’s security level provides insight into compliance with legislation, as well as automated mappings to security frameworks such as ISO 27001-2, CIS 18 and NIST CSF. The enablor platform can be used within your own organization and is a shortcut to collaborating with similar European organizations. If you are a region, you can also “sponsor” membership for your cities to create regional bench-learning groups. If you are a nation, then you can of course sponsor membership for your regions and cities as well.
Key value proposition? In the many discussions leading up to the launch, we see that the key value of participating is (a) access to a massive amount of detailed “real stories” on successful implementations across the NIS2 spectrum, and (b) significantly reduced efforts for reporting. If needed, we can also provide administrative support for transferring existing data into the enablor platform.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send one.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/