Expected Outcome:
- preparedness support services
- threat assessment and risk assessment services
- risk monitoring services
Objective:
This mechanism aims to complement, and not duplicate, efforts by Member States and at Union level to increase the level of protection and resilience against cyber threats, in particular for large industrial installations and infrastructures. It does so by assisting Member States in their efforts to improve preparedness for cyber threats and incidents, providing them with knowledge and expertise.
Scope:
The provision of preparedness support services (ex-ante) shall include activities listed below, addressing for example large industrial installations or infrastructures, operators of essential services, digital service providers and governmental entities:
Support for testing for potential vulnerabilities:
- Development of penetration testing scenarios. The proposed scenarios may cover networks, applications, virtualisation solutions, cloud solutions, industrial control systems (ICS) and IoT.
- Support for testing essential entities operating critical infrastructure for potential vulnerabilities.
- Support for the deployment of digital tools and infrastructures that support the execution of testing scenarios and the conduct of exercises, such as the development of standardised cyber ranges or other testing facilities able to mimic features of critical sectors (e.g. the energy and transport sectors), in order to facilitate the execution of cyber exercises, in particular within cross-border scenarios where relevant.
- Evaluation and/or testing of Member States' cybersecurity capabilities (including capabilities to prevent, detect and respond to incidents).
- Consulting services, providing recommendations on how to improve infrastructure security and capabilities.
Support for threat assessment and risk assessment:
- Implementation and life cycle of a threat assessment process.
- Analysis of customised risk scenarios.
Risk monitoring service:
- Specific continuous risk monitoring, such as attack surface monitoring and risk monitoring of assets and vulnerabilities.
Preparedness actions should benefit entities (including SMEs and start-ups) in sectors indicated as critical infrastructure sectors in NIS2 (Directive (EU) 2022/2555), such as energy, transport and banking, and entities in other relevant sectors.
This action aims at the creation of platforms that serve as a reference point and provide services such as penetration testing and threat assessments for providers of essential services and critical infrastructures, as well as other actors. This involves data and operational measures regarding cybersecurity, including penetration tests and exploitable vulnerabilities. Such information could be exploited by malicious actors, and it must therefore be protected against possible dependencies and vulnerabilities in cybersecurity in order to pre-empt foreign influence and control. As previously noted, the participation of non-EU entities entails the risk that highly sensitive information about security infrastructure, risks and incidents becomes subject to legislation or pressure obliging those non-EU entities to disclose it to non-EU governments, with an unpredictable security risk. Therefore, for the security reasons outlined above, the actions relating to these technologies are subject to Article 12(5) of Regulation (EU) 2021/694, consistent with WP 2021/2022.