2026/6 Weekly Update from the EU ISAC for Cities & Regions: Cleaning up meeting mess – valid invite “I4C+ Open Weekly meeting” / GRC pilot – preparing for first city to transfer risk records / MISPs don´t help without automated GRC & AI integration / IT vulnerabilities are irrelevant – process risks count…
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
Discussion Summary
Hi everyone – Bulgaria and Italy joining this morning (while Ireland tried to join but caught in the meeting mess we made – see below).
Yes – we made a mess of reinstating the weekly meetings – sorry. A new invite was sent titled “I4C+ Open Weekly meeting” / EU ISAC for Cities and Regions I4C+ Friday Caffe Corretto – All Members (Chatham House Rules Apply) / Fridays 09:00 – 10:00. Time zone: Europe/Berlin. Google Meet joining info. Video call link: https://meet.google.com/ywe-dzvi-mxr. Note that anyone can open the meeting now and we invited our Google group city-isac-i4c-cyber-update-tlpwhite@majorcities.eu. Hopefully this will clean up things a little – please do delete any other weekly meeting invites you might have at that time.
Update on our GRC pilot – the first of four participants has provided a copy of their risk register, and we are now beginning to explore what needs to be done to transfer the records into the GRC tool. Some things we have already discovered and will need to discuss with Crisam are: Loading CIS Controls, providing a calculated field for “risk score” which allows for a finer ranking of risks; there are different ways of doing this (i.e. using a five points scales for impact and probably, and then multiplying them). We have also noted things like that probability ranges (i.e. >75% for “Very High”) may differ on national/regional/city levels, libraries will be needed for assets – we can probably use an ITSM like structure, libraries will be needed for actions/mitigations – these usually distil out of the CIS controls. We will shortly discuss with Crisam and see what configuration changes are do-able: the aspiration is making changes to the central ISAC instance that every participating user can benefit from. In the end, each region / city will have its current approach mirrored, while the ISAC level will be aligned to ENISA / EU policies etc, and we can tackle upward alignment later. As ever, this is a pro-bono effort by all and thus speed of progress is, now, mainly dependent on how nice the weather is
I would also love to see a field capturing how robust / mature a risk assessment is!
Update on our MISP – our MISP (hosted by https://www.x-isac.org/) is causing us headaches… In principle, we should assess notifications (and separately CVEs of course) against our risks / assets in the GRC tool and use those that map to drive the estimation of probabilities. Mechanically we have tried this out (with AI CISO Barista support) and the concept works. Due to the volume of MISP notifications, we need to automate that though and continue to explore funding routes to make this possible. In the meantime, if you are interested in access to the MISP please let me know – ideally of course you would also be posting notifications (versus just reading them…). A good place for AI to help.
Finally, one of the key things we are learning via the GRC pilot is that IT / cyber risk registers are primarily aligned to IT assets (i.e. server xyz which runs the voice over IP telephone system). The funder of / budget holder for remediation measures is typically the leaders of the administration – to be frank, they do not care about the server, they care about the phone system for emergency response working -> that is the story that needs to be told and the NIS2 driven risk management approach is looking to encourage exactly that. IT vulnerabilities are irrelevant – vulnerabilities to public administrations are the important thing – as a reminder*:

Cheers
Oliver
| ISAC Services (Member Funded) |
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.
Note that emerging new services are related to managing the MISP platform (and onboarding) plus Barista.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/