2026/5 Weekly Update from the EU ISAC for Cities & Regions: Four cities joining GRC pilot / EU Public Administration Risk Assessment Report May 2026 / Webinar for “Accelerating NIS2 Compliance: A Regional 80/20 Framework for Cyber Resilience”? / Anyone with crowdfunding experience?
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
Discussion Summary
Hi everyone, Bulgaria and Spain joining this morning for a refreshing re-start conversation 🙂 Main discussion points were around exchanging tips on addressing NIS2 compliance (i.e. the difference between having controls and needing “effective” controls). We used our risk register to structure our thinking a little and that seemed to work out fine – NIS2 does drive the risk approach and while national requirements are not always clear, CIS does seem to at least give us a robust foundation. In this respect we are reflecting on a structured discussion on “Accelerating NIS2 Compliance: A Regional 80/20 Framework for Cyber Resilience”.
Context: NIS2 compliance is a complex, resource-intensive challenge for regional administrations, especially for municipalities and smaller entities with limited cybersecurity maturity. There is an urgent need for practical, scalable solutions that deliver maximum impact with minimal effort.
Objective: To co-create a framework of “quick wins” for NIS2 compliance, leveraging the 80/20 principle—focusing on the 20% of efforts that address 80% of risks. The goal is to share reusable solutions (e.g., cloud migration, immutable backups, incident response playbooks), identify cross-regional synergies to reduce duplication of effort, and explore pilot joint initiatives (e.g., shared SOC services, group procurement) to lower costs and improve resilience.
If you are interested in the topic please let me know and we can pull something together.
We also discussed how nations, regions, cities all have their own agendas when purchasing solutions, while in the end it can be easiest to align with the National Cyber Hubs, Cross-Cyber-Hubs, and the emerging ECAS strategy. The EU ECAS (European Cybersecurity Act) Strategy has recently been updated as part of a broader 2026 EU Cybersecurity Package, announced by the European Commission on 20 January 2026. This package aims to strengthen the EU’s cybersecurity resilience and capabilities in response to growing cyber and hybrid threats targeting essential services and democratic institutions. This is where some key procurement strategies will be designed and aligning with those can truly make our purchasing approaches a lot easier. Let me know if you would like to learn more.
Note that our risk platform is now running on a professional GRC platform provided by https://crisam.net/en/. The results of our inaugural risk assessment (https://isac4cities.eu/wp-content/uploads/2026/07/EU-Public-Administration-Risk-Assessment-25-May-2026.pdf) are mirrored there and we are now working to add the CIS controls catalogue and integrate better with our MISP instance on the https://www.x-isac.org/. The report will probably be updated over the summer.
We are now also setting up pilots for three cities to test managing their top risks on the platform with the aim of mapping these into the EU top level structure (and perhaps moving away from Excel) – there will also be an emerging community doing joint risk reviews. Currently finalising NDAs.
Our AI CISO Barista (hosted by https://mistral.ai/) is doing some fabulous work mapping MISP notifications to principal risks, recommending relevant controls, and assessing huge amounts of reports to ensure the EU risk register is robust – something Barista could also do for public administrations managing their risks on the platform – all still very manual, but on the other hand that makes sure that AI outputs are scrutinised properly.
For those already using robust GRC solutions, you are invited to “mirror” your top risks and align them with EU level risk structures – see the report. If you would like to join our pilot community (platform and/or top risk mirroring) let me know.
Finally, we are thinking about exploring crowdfunding opportunities for the GRC/MISP/AI solution integration and automation. If anyone has experience in using crowdfunding for solutions in the public administration space, please do contact me.
Cheers
Oliver
ISAC Services (Member Funded)
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review them and consider reaching out to include them in your activities and budgets.
Note that emerging new services are related to managing the MISP platform (and onboarding) plus Barista.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/