2026/7 Weekly Update from the EU ISAC for Cities & Regions: GRC pilot adds new region / Aligning with ENISA Risk Scoring can have benefits / Digital Strategy Checklist

2026/7 Weekly Update from the EU ISAC for Cities & Regions: GRC pilot adds new region / Aligning with ENISA Risk Scoring can have benefits / Digital Strategy Checklist

** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Discussion Summary

Hi everyone – Bulgaria, Croatia, Estonia and Ireland joining this morning for a lively meeting that could have gone on for ages, I think. Great news as well, that we have a further candidate for the GRC pilot, bringing this up to five in total – this time a pure region, versus other pilots being large cities inside regions – the challenges here are a little different of course.

We started off discussing how one of our GRC pilot cities was coming along and explored how aligning with the ENISA probability scoring scheme might provide some interesting benefits. As a reminder ENISA sees probability of a risk as per below:

The pilot city uses:

In addition, the pilot city of course also has a 5-level impact scale. Since each risk gets a risk “score” based on probability x impact, we can see that the ENISA spectrum would significantly reduce the scores, leading to less priority 1 items. Sound like an “accounting trick”? Well, maybe, however it helps prioritise the “Very High/Very High” threat bucket items by aligning to higher level standards, and prioritising is always a challenging conversation – why not take the help? Next steps now involve mapping 200+ city services to specific owners in the business and identifying what IT resources they use to operate these processes (i.e. specific applications, file drives etc), after that the challenge will be to create a “good enough” mapping to specific assets managed in the IT risk register and identifying the most relevant controls to prioritise for auditing potential controls remediation, and further actions to reduce the probability / impact of relevant events. The GRC and MISP solutions hereby provide guidance for these activities which should reduce the effort involved. This of course then involves running a survey – stay tuned.

Exciting also – one city then invited us to contribute a peer-review to their 10-year digital strategy. This strategy aims to introduce systematic changes in the management of the city´s digital development, the quality of digital services and user experience. Its overarching vision, “A smart, efficient and secure digital city”, will be implemented through six action areas that contribute to the three action programmes of the city Development Strategy and support all city policy areas. Circulation will initially be among the attendees of the call. We discussed the assessment criteria with Barista and agreed that the below might be a good starting point for iteratively improving:

  1. Assessment: Strategic Vision & Alignment
    1. Clear, long-term vision aligned with EU Digital Decade targets
    1. Objectives are SMART
    1. Addresses digital sovereignty
    1. Alignment with national strategies
    1. Collaborations with other EU cities
  2. Assessment: Infrastructure & Technology
    1. Connectivity plans (fiber, 5G, public Wi-Fi)
    1. Cybersecurity integrated (NIS2 compliance)
    1. Sustainable IT (green data centers, energy efficiency)
    1. Emerging tech prioritized (AI, IoT, blockchain, digital twins)
    1. Interoperability (open APIs, standard data formats)
    1. Pilot projects for innovation
  3. Assessment: Governance & Stakeholder Engagement
    1. Key stakeholders identified
    1. Dedicated digital governance body
    1. Citizen engagement mechanisms
    1. SMEs/startups involved
    1. Public-private partnerships (PPPs)
    1. Budget allocation & EU funding
  4. Assessment: Citizen-Centric Services
    1. Digitized public services
    1. Digital inclusion addressed
    1. City-wide digital identity
    1. Usability (UX design, multilingual interfaces)
    1. Citizen data protection (GDPR compliance)
    1. Citizen control over data
  5. Asessment: Implementation & Risk Management
    1. Clear implementation phases
    1. KPIs for progress tracking
    1. Major risks identified
    1. Cybersecurity risk mitigation
    1. Contingency plans for failures
    1. Upskilling programs
  6. Assessment: Compliance with EU Acts, Policies & Procedures
    1. EU Act/Policy
    1. NIS2 Directive
    1. Cyber Resilience Act (CRA)
    1. EU AI Act
    1. GDPR
    1. EU Digital Identity Wallet (eIDAS 2.0)
    1. Digital Services Act (DSA)
    1. Digital Markets Act (DMA)
    1. EU Data Governance Act
    1. EU Data Act
    1. EU Chip Act
    1. EU Cloud Rulebook
    1. EU Digital Sovereignty
    1. EU Recovery and Resilience Facility (RRF)
  7. Assessment: Monitoring, Evaluation & Adaptability
    1. Progress monitoring (dashboards, reports)
    1. Independent evaluations
    1. Adaptability to tech advancements
    1. Feedback loops
    1. Transparency & accountability
  8. Assessment: Ethical & Legal Considerations
    1. Ethical AI (bias, fairness, transparency)
    1. Human rights safeguarded
    1. Public oversight mechanisms
    1. Cross-border legal challenges
  9. Assessment: Innovation & Future-Proofing
    1. Future tech (metaverse, Web3, post-quantum cryptography)
    1. Sandbox environments
    1. Scalability & replicability
    1. Lessons from other EU cities

Cheers

Oliver

ISAC Services (Member Funded)

We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.

Note that emerging new services are related to managing the MISP platform (and onboarding) plus Barista.

 

Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/.  Do follow us / join.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/