2026/3 Weekly Update from the EU ISAC for Cities & Regions: COCOMO estimating / VMWare alternatives / Are croissants in Rome better than those in Paris? / Moving towards a DEP proposal (again) – “Clones” Required / COCOMO estimating / VMWare alternatives / Roman versus Parisien Croissants / Feb 20th short vendor presentation CyberDesk
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
Discussion Summary
Hi everyone, friends from Belgium, Ireland, and Italy joining this time around. Some of the subjects we discussed were:
- Use of the COCOMO estimating method to gain a deeper appreciation of all costs involved in a cyber/IT project -> obviously more than just the assets we are purchasing. https://en.wikipedia.org/wiki/COCOMO
- https://www.proxmox.com/en/ as a viable alternative to other vmware providers. Note lack of live migration tooling though.
- Whether croissants in Rome are better than those in Paris. Our AI agent Barista thought “The answer often comes down to personal taste and what you value in a croissant—tradition, texture, or local adaptation.
- Paris is the birthplace of the modern croissant, perfected by French bakers using buttery, flaky layers (though its origins trace back to Vienna). Here, you’ll find the classic: crisp, golden, and buttery, with a light, airy interior. French bakeries take pride in using high-quality butter and precise techniques.
- Rome, on the other hand, offers croissants with an Italian twist. They’re often softer, sometimes slightly sweeter, and may be filled with custard, Nutella, or jam. Italian bakeries might prioritize a more bread-like texture, and you’ll often see them served for breakfast with cappuccino.
- Verdict?
- For purists, Paris wins for authenticity and technique.
- For those who enjoy a softer, sometimes sweeter pastry, Rome’s version might be more appealing.
Our efforts towards a good DEP proposal (for the call “Deploying Strategic Cyber Capabilities Across Europe (DIGITAL-ECCC-2025-DEPLOY-CYBER-09)” closing Fall 2026 with a focus on coordinated preparedness testing of entities operating in sectors of high criticality across the Union) have taken a step forward with conversations with the local management association of one of our member states. Specifically we are beginning to harden a proposal around the following concept: The Robust Supplier Cyber Risk Management & Cross-Border Scalability for Civic Affairs SAAS Platforms project, initiated in country x, successfully piloted a collaborative cyber risk assessment framework involving 50 municipalities and two major SAAS suppliers specializing in civic affairs—such as population administration and ID/travel document issuance. The project focused on joint risk assessments, on-site supplier audits (reviewing assurance certificates, pentest results, residual risks, and improvement measures), and provided a CSIRT-backed compliance statement for municipalities, aligning with NIS2 third-party risk management requirements. Key achievements included empowering municipalities with greater leverage over suppliers, reducing individual compliance burdens, and offering suppliers standardized demands and professional engagement, with potential AI-driven automation to streamline processes. This project aims to scale nationally by integrating actionable threat intelligence from European sources like MISP or ENISA’s vulnerability database, mandating supplier participation in centralized threat-sharing platforms, and requiring Software Bill of Materials (SBOM) for transparency. Automation of risk assessments and publishing relevant excerpts in a national software catalogue for all municipalities are also prioritized. A cross-border comparative study seeks to replicate the model in another EU country to evaluate supplier responsiveness, municipal adoption, and compliance efficiency, ultimately producing a best-practice playbook for EU-wide scalability. Expected benefits include reduced compliance costs and improved supplier accountability for municipalities, streamlined audits and enhanced trust for suppliers, and stronger alignment with NIS2 compliance and cross-border cybersecurity collaboration at the EU level. Additionally, the project envisions fostering a Community of Practice, where public administrations, suppliers, and cybersecurity experts share insights, challenges, and innovations to drive continuous improvement in cyber risk management across borders. The initiative underscores the value of standardization, automation, and collaborative intelligence-sharing in strengthening cybersecurity for civic SAAS platforms. If you are interested in joining the conversation as a “clone” please let me know.
BY the way, also discovered this LinkedIn post on the illusion of EU IT sovereignty https://www.linkedin.com/posts/arturandretta_your-eu-sovereignty-is-an-illusion-if-you-activity-7422265954585407489-mvkE/?utm_medium=ios_app&rcm=ACoAAAABAZYBM-mP-pfL-PLekLErH2keukJLfjI&utm_source=social_share_send&utm_campaign=mail – quite a sobering reminder “We fool ourselves thinking Hetzner servers or Proton mail make us sovereign. But the modern internet stack is overwhelmingly complex, and true independence is currently a fantasy.” – excellent read.
Note that on our call on Friday Feb 20th, we are inviting https://www.cyberdesk.app/ from 9:30am to 10:00am to introduce themselves and jointly reflect whether their thinking might be of use to us. “CyberDesk helps you to adaptively control who can take what actions on what data. Manage the access security of your human and non-human identities without disrupting your business.” This will be the first of a series of solution provider introductions to drive our learning forward. If we find the conversation interesting, we may also want to look at setting up a wider knowledge-sharing webinar on the topic.
OpenSSAM trending terms for today below:
Cheers
Oliver
| ISAC Services (Member Funded) |
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.
Note that emerging new services are related to managing the MISP platform (and onboarding) plus Barista.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/