European Union Agency for Network and Information Security

Analysis of security measures deployed by e-communication providers

Thu, 02/09/2017 - 12:32

This document focuses on the security measures providers have deployed to protect the networks used for the provision of services and, equally important, the personal and operational data of their customers. The report is targeted primarily at e-communication providers and, at a second level, at National Regulatory Authorities as members of ENISA’s Article 13a Experts Group.

Most providers report a very good level of use of ENISA recommendations on security requirements, while virtually all providers have deployed a good level of basic security controls. In some security domains, the reported level of maturity is high, as is the sophistication of the implemented controls.

It is important that providers of electronic communications take the appropriate measures to address major security concerns. A key conclusion seems to be that while all IT security basics are covered, the achievement of the next level of maturity is impeded mostly by a lack of sustainability mechanisms, i.e. repeatable processes and regularly maintained documentation.

The main recommendation for the providers - based on the reported deployment of security measures - is to pay additional attention to sustainability and efficiency. This is best achieved by the adoption of Service Management frameworks and creating a series of processes that include measurement and periodic reviews of security controls and capabilities in all domains.

Full report is available here

For interviews and press enquiries please contact Tel. +30 2814 409576



Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


#SaferInternetDay: Be the change - Unite for a better internet

Tue, 02/07/2017 - 11:35

Find out what is happening in your country by checking Safer Internet Day website.

Follow the activities on twitter #SID2017 #SaferInternetDay

For online resources visit and check the European Commission's activities on Better Internet for Kids and Information by the EC.


Furthermore, on the occasion of the day, ENISA issues its new studies on privacy and security in personal data clouds, cyber hygiene practices and a report on the deployment of the 2016 European Cyber Security Month. To find out more in specific areas of interest go through ENISA’s reports and training material.



Privacy and Security in Personal Data Clouds

Under its 2016 work programme, a new study on privacy and security in Personal Data Clouds, also known as Personal Data Vaults or Personal Data Stores, aims to identify the different architectures and components of PDCs and lay out their privacy and security challenges.

Personal data clouds (PDCs) aim to provide end-users with the typical data collection and storage capabilities of data management systems, and also to help end-users regain control over their data. PDCs ideally embed privacy-enhancing elements that allow users to determine on their own how they want their data to be managed - in and outside of the solution - and with whom these should be shared.

The study presents a “state of the art” analysis of the security and privacy features of PDCs based on an empirical analysis of various applications that fall under or are close to the definition of PDCs. The report assesses to what extent current PDC solutions - either available on the market or in a research and development phase - are supported by functionalities that enhance the level of security and privacy offered, by enabling users to take decisions over their data and, ideally, apply them (user centric model). Given that mobile health applications have been gaining considerable attention, the study particularly identifies privacy-enhancing features adopted by certain PDCs in the health sector.

For the full report


Cyber hygiene practices

Cyber hygiene is a fundamental principle relating to information security and, as the analogy with personal hygiene shows, is the equivalent of establishing simple routine measures to minimise the risks from cyber threats, specifically for SMEs. Good cyber hygiene practices can drive increased immunity across businesses. However, the variation between national practices leads to uncertainty and confusion over what needs to be implemented. A uniform approach to cyber hygiene which allows businesses to establish security trust across national borders would drive improvements across the board.

Full report available online


European Cyber Security Month 2016 – Deployment report

The European Cyber Security Month (ECSM) is a key part of the EU's Cybersecurity Strategy to increase people's awareness of the key role they can play in ensuring the security of networks and information systems. The primary purpose of cyber security awareness campaigns is to influence the adoption of secure behaviour online. Last year’s ECSM took place across 32 countries focusing on security in banking, cyber safety, cyber training and mobile malware.

For more info visit and

"Cyber security is a shared responsibility – Stop. Think. Connect."

 Full report available online


For press enquiries please contact Tel. +302814409576






Challenges of security certification in emerging ICT environments

Mon, 02/06/2017 - 15:03

ENISA issues today its report on the Challenges of security certification in emerging ICT environments. The report is targeted at EU Member States (MS), the Commission, certification bodies and the private sector, and provides a thorough description of the cyber security certification status concerning the most critical equipment in various critical business sectors.

The study contains information on the certification of devices in five business sectors, namely electricity, healthcare, information and communication technology, railway and water transport. It describes the situation in the EU, and discusses the advantages and challenges of moving towards a more harmonised certification practice.

The key finding of the report is that every sector has its own functional and security challenges, which makes the target of a common certification framework a challenge in itself. Based on desk research and expert validation, the report analyses the existing frameworks and standards, and identifies certification drivers, best practices and candidate products for certification in the five selected sectors. Finally, an aggregated table is provided, which briefly reflects the certification drivers, the market situation and the recommendation for certification for each identified device.

For the full report

For interviews and press inquiries please contact Tel. +30 2814 409576





The power of sharing: ENISA report on cyber security information sharing in the energy sector

Fri, 02/03/2017 - 14:22

The report first identifies existing CSIRTs (Computer Security Incident Response Teams), ISACs (Information Sharing and Analysis Centres) and information sharing initiatives in the energy sector, analyses problems and shortcomings, and identifies good practices to facilitate the cyber security information sharing in this sector. Furthermore the report provides recommendations to address identified problems and shortcomings.

Key findings include:

• Trust is a key component of information sharing.

• Participants in information sharing initiatives are more committed and willing to contribute information when their organisation backs them. Time, resources and knowledge are some of the constraints faced by the participants that may hinder information sharing.

• Only a few energy sector specialists have an in-depth understanding of both the complexities of the energy systems and cyber security.

• Energy security issues are often addressed only at the Member State level, maintaining for example a national focus only, without taking into account the complexity of the interdependence of Member States in multiple aspects of the energy area, including cyber security.

• The legal and policy context is complex and fragmented.

• The quality of the shared information is not always at the required level, due to inconsistent use of the applicable taxonomy for example.

• There is a need to create public-private partnerships when sharing information.  

• Information is shared between heterogeneous players.

• Many companies in the sector give more importance to the safety of their physical infrastructure than to the security of their computer, process systems and data.

• Few good practices have been identified on the subject, and the current information sharing initiatives lack visibility within companies in the energy sector.

The report is primarily addressed to national and governmental CSIRTs and other types of CSIRTs with activities and constituencies in the energy sector. Policy and lawmakers, notably the European Commission at the EU level, public and private organisations with an interest in NIS, and interested parties engaged in information sharing initiatives within the energy sector - including energy operators - are also intended audiences.

Full report available here

For press enquiries please contact Tel. +30 2814 409 576




ENISA online training material updated and extended

Thu, 02/02/2017 - 12:25

The new training material provides a step-by-step guide on how to address and respond to incidents, as an incident handler and investigator, teaching best practices and covering both sides of the breach. The material is technical and aims to provide a guided training both to incident handlers and investigators, while providing lifelike conditions. The training material mainly uses open source and free tools.

New topics in the training material cover the following aspects of Forensic Analysis:

  • Local Incident Response
  • Network Incident Response
  • Webserver analysis

The material can be found online.

Furthermore, the updated training material provides material necessary to perform table top exercises in the areas of:

  • Incident Handling Management
  • Developing CSIRT Infrastructure
  • Recruitment of CSIRT Staff

More info available online.


For interviews and press enquiries please contact Tel. 2814 409576




ENISA study into taxonomies for incident detection and prevention

Mon, 01/30/2017 - 12:45

The study i) performs a qualitative assessment of an indicative taxonomy landscape, ii) identifies use cases that would benefit from the use of taxonomies, iii) provides a comparison among a variety of related and unrelated taxonomies in order to identify commonalities and differences, and iv) analyses the complexity of taxonomies in terms of malware incidents in order to illustrate the different ways of describing the same context available in the current landscape.

In particular, for each use case a requirement that a taxonomy should fulfil was identified. These use cases include: i) recording events from different sources, ii) automatic de-duplication, iii) ability to export in other taxonomies, iv) ability to aggregate and search events in the data, v) ability to exchange data with other CSIRTs, vi) feeding threat intelligence and vii) incident report management.

Good practices and recommendations

A set of good practices which take into account the shortcomings of taxonomies, as identified by CSIRTs during the study, highlight that:

  • the top level categorisation of a taxonomy should be simple
  • the categories within a taxonomy should be mutually exclusive
  • taxonomies should support performance measurement
  • taxonomies should have an appropriate level of ease of use

Key recommendations include:

  • A centralised repository for hosting all relevant taxonomies along with their versions should be set up by ENISA. This would be a great benefit to the CSIRTs community as it would not only allow the selection of appropriate taxonomies for specific use cases, but it may also provide a general overview of what taxonomies or variations thereof are used by CSIRTs, which may be particularly useful in keeping statistics.

  • A small set of common taxonomies should be agreed upon by CSIRTs at the EU level for specific use cases. This would provide examples of taxonomies based on the requirements of the CSIRTs network, which can be either implemented or used to implement a modified version of the taxonomy, saving time and effort that would be spent on researching taxonomies.

  • An “Other”, “Unknown” or “Tag” field should be used by the owners of taxonomies as an indicator that a taxonomy needs revising, for instance if there is an increase in that category of incidents or events of the same type. For example, in a case involving ransomware, it is relevant that it should be categorised as ransomware, but also by the type of ransomware (such as crypto locker, etc.); if the same tag is repeatedly used, this might also indicate the need for a new field.

  • A roadmap towards standardised exchange formats in the CSIRTs community should be established at the EU level by the CSIRTs network. Such a roadmap should at least consider having CSIRTs agree use cases, definitions and concepts from an operational point of view for each use case; perform quantitative assessment (in addition to the qualitative assessment in this study) on the taxonomies used, a centralised repository for taxonomies, and a list of tags/values that can apply across taxonomies.

Key conclusions of the study, highly relevant for CSIRTs, indicate that:

  • Taxonomies currently lack terms to properly handle the following: the impact of an incident, incidents with no malice intended, explicit fields for ransomware, whether the incident is confirmed, and the differentiation between intrusion attempts and intrusions.
  • The identified areas for potential improvement of existing taxonomies are based on the complexity, contextual information, mutual exclusivity or ambiguity, performance measurement, impact, sensitivity, confidentiality, and purpose of taxonomies.
  • There is currently no consensus on concepts and definitions related to taxonomies. Clear definitions reflecting the operational interpretation of the CSIRTs should be considered as a key success factor towards increasing cooperation between EU Member States.


Full report available online

For interviews and press enquiries please contact Tel. +302814409576




Security for Privacy on Data Protection Day

Fri, 01/27/2017 - 14:12

The date marks the anniversary of the Council of Europe's Convention 108 on the protection of personal information, the first legally binding international law in the field of data protection.

Guidelines for SMEs on the security of personal data processing

ENISA shares some of its work in the field of data protection and privacy, with a focus on the security of personal data processing. The latest report on 'Guidelines for SMEs on the security of personal data processing' attempts to assist in the implementation of the personal data protection regulatory framework by promoting the adoption of security measures to protect privacy.

According to the General Data Protection Regulation, security equally covers confidentiality, integrity and availability, and should be considered following a risk-based approach: the higher the risk, the more rigorous the measures that the controller or the processor needs to take in order to manage the risk. On this basis and as part of its continuous support on EU policy implementation, the report focuses on SMEs, acting either as data controllers or data processors, and facilitates their understanding of personal data processing operations and, subsequently, of the assessment of the associated security risks.

The objectives of the study are to facilitate SMEs in understanding the context of the personal data processing operation and subsequently assess the associated security risks. Based on that, the study also proposes possible organizational and technical security measures for the protection of personal data, which are appropriate to the risk presented. These measures can be adopted by SMEs in order to achieve compliance with the General Data Protection Regulation (GDPR).

Full report available online 

Further work on privacy and data protection by ENISA includes:

PETs controls matrix

PETs controls matrix, a systematic approach and tool for assessing online and mobile privacy tools for end users. The ‘PETs control matrix’ can facilitate a standardized and clear presentation of different privacy tools, supporting in this way the possibility of comparative assessments. More in the following link.

Annual Privacy Forum

ENISA’s Annual Privacy Forum (APF) is to be held on the 7th and 8th June 2017 in Vienna, at the University of Vienna, Faculty of Law. The event provides a forum to academia, industry and policy makers for discussions on privacy and data protection topics. The Call for papers for the 2017 APF is now open. Submission until 31st of March 2017.

Stay connected through the RSS feeds, #PrivacyForum_EU on twitter, and the dedicated site





Being smart about cybersecurity: ENISA at Omnisecure conference

Wed, 01/18/2017 - 15:15


ENISA participated this year in a number of sessions throughout the conference in the areas of National Cyber Security Strategies (NCSS), the NIS Directive and the Payment Service Directive (PSD2). The Agency also related these areas to other policy areas through its approach to Cybersecurity Stakeholders and EU cooperation, taking into account the financial impact on the various actors.

ENISA’s key role in NCSS includes leveraging existing knowledge and expertise in the area, and assisting the MS in evaluating current strategies and developing new ones. Furthermore, the agency promotes EU cooperation through the CSIRTs network and the EU Cooperation Group on NIS. The agency also assists OES and DSPs with the smooth implementation of the NIS Directive.

Smart areas studied by ENISA this past year include automotive cyber security, putting forward specific recommendations for the cyber security and resilience of smart cars, and the launch of the CaRSEC (Cars and Roads SECurity) expert group. The Agency has produced a study on securing smart airports as a guide to airport decision makers and airport information security professionals. The study aims to provide airport operators with a start-up kit to enhance cybersecurity in smart airports, and identifies gaps in different areas and future steps to enhance cybersecurity in the field.

In the finance sector ENISA has looked into the most used payment applications to identify good practices and help the industry in secure mobile payment applications. A report on blockchain looks into the cyber security benefits and challenges of the technology taking into account the most promising implementations and use cases.

In the area of privacy, ENISA has developed the ‘PETs control matrix’ which works as an assessment framework and tool for the systematic presentation and evaluation of online and mobile privacy tools for end users.

Other relevant studies and recommendations by ENISA on the themes of the conference include securing smart homes, secure adoption of cloud for Governments, smart transport and smart cities.


For interviews and media enquiries please contact Tel. +30 2814 409576

More about Omnisecure and event images





PETs control matrix: A systematic approach for assessing online privacy tools

Tue, 12/20/2016 - 13:26

The defined framework relies on a set of assessment criteria, which can be broken down into specific parameters and assessment points, acting as indicators of certain properties and features of the tools. A distinction is made between generic criteria (applicable to all tools) and specific criteria (addressing technical characteristics of different categories of tools). For the purpose of this work, the following categories of PETs have been considered: secure messaging, virtual private networks (VPNs), anonymizing networks, and anti-tracking tools (for online browsing).

The ‘PETs control matrix’ is the implementation of the proposed methodology into a practical tool that can be used for performing the assessment of a PET and presenting the relevant results. As such, it comprises different sets of detailed assessment questions (and relevant closed sets of answers) corresponding to the predefined assessment criteria. In this way, the ‘PETs control matrix’ can facilitate a standardized and clear presentation of different privacy tools, supporting the possibility of comparative assessments.

For the full report

For Annex 1 (assessment questions)

For Annex 2 (Excel tool - WIN version)


For press enquiries please contact Tel. 2814 409 576




Annual Privacy Forum 2017: Call for papers

Tue, 12/20/2016 - 13:04


ENISA’s Annual Privacy Forum (APF) is to be held on the 7th and 8th June 2017 in Vienna, at the University of Vienna, Faculty of Law.

Call for papers for APF 2017 is now open. Submission until 31st of March 2017.

The call seeks papers presenting original work on the themes of data protection and privacy and their repercussions on technology, business, government, law, society, policy and law enforcement. An inter-disciplinary approach is in high demand for APF2017, to contribute to bridging the gap between research, business models and policy, as well as to proposing new models and interpretations. APF2017 seeks contributions from policy makers and implementers, Data Protection Authorities, industry, consultants, NGOs and civil society as well as law enforcement representatives.

Detailed information and the aspects with which research and opinion papers should deal are available at:

Student Papers. In order to promote participation of young researchers, the submission of papers by students is encouraged. These papers will be treated as thoroughly as full papers, but can be shorter (up to 4000 words) and reflect novel thinking that might not have been fully elaborated just yet.

Short Papers. In addition to student papers, short papers are invited as this call is open to anyone who has a sketch of an idea, opinion or a call for collaboration. Short papers should be up to 4000 words and should not overlap with work published elsewhere.

For more information please visit: Annual Privacy Forum 2017 - Call for papers

Previous APF editions

Privacy tools, security measures and evaluation of current technologies under the spotlight at this year’s Annual Privacy Forum

2015 Annual Privacy Forum focusing on Privacy Enhancing Technologies

Annual Privacy Forum 2nd edition starts today in Athens

Successful conclusion for the First Annual Privacy Forum

Stay connected through the RSS feeds, #PrivacyForum_EU on twitter, and the dedicated site

For press enquiries please contact




Cyber security key for the successful adoption of mobile payments

Mon, 12/19/2016 - 09:33

ENISA assessed the most widely used payment applications and their security models to identify good practices. The identified results, validated in a workshop in November 2016, provide some key recommendations included in this report. These include:

  • Customers should adopt minimum security measures when using mobile payment applications
  • Vendors should provide more visibility of the security measures in applications
  • The mobile payment chain must maintain its security posture irrespective of the players involved

Mobile payments provide convenience of use, as they allow customers the freedom to make payments at any given time without the use of cards. Mobile payments are expected to grow by 80%[1] on a yearly basis in the next five years, but the security of mobile payment applications still remains a key concern.

A key challenge identified is maintaining the security of mobile operating systems at a sufficient level. Mobile operating systems provide good security measures when applied, but many customers are not aware of these, and therefore do not use them. Another challenge is the security of the mobile payment chain, the assurance of which is paramount for the successful adoption of mobile payments.

In the context of the NIS Directive[2], ENISA assists Member States and the European Commission by providing expertise and advice, as well as developing and facilitating the exchange of good practices, with the ultimate goal to enable higher level of security for Europe’s critical infrastructure, including finance.

ENISA continues its work with the European Central Bank and the European Banking Authority, providing its assistance and expertise on information security issues in the finance sector. The Agency also engages with industry through various working groups in the area of finance to exchange information and good practices in information security.

Full report available online

For interviews and press enquiries please contact Tel. 2814 409576







The importance of cryptography for the digital society

Mon, 12/12/2016 - 16:20

Within the context of proposals to weaken encryption to facilitate the work of law enforcement, ENISA outlines, in seven key messages, the challenges which result from such an act, lowering trust in online services and the smooth implementation of the Digital Single Market and EU industry. The paper identifies that weakening encryption can affect other aspects of cryptology, and that a cost-benefit analysis should be carried out before any legislation is put forward.


ENISA sees that:

  • The use of backdoors in cryptography is not a solution, as existing legitimate users are put at risk by the very existence of backdoors.
  • Backdoors do not address the challenge of accessing or decrypting material, because criminals can already develop and use their own cryptographic tools. Furthermore, new technologies are now being deployed that make lawful interception in a timely manner very difficult.
  • Judicial oversight may not be a perfect solution, as different interpretations of the legislation may occur.
  • Law enforcement solutions need to be identified without the use of backdoors and key escrow. It is very difficult to restrict technical innovation using legislation.
  • History has shown that technology beats legislation, and criminals are best placed to capitalise on this opportunity.
  • The perception that backdoors and key escrow exist can potentially affect and undermine the aspirations for a fully embraced Digital Society in Europe.
  • History has shown that legal controls are not always successful, and may harm and inhibit innovation, as seen with previous US experience.


ENISA collaborates closely with Europol through the development of an expert working group on the topic, which discusses technical options to meet the needs of law enforcement while advocating the need to maintain strong encryption.

ENISA’s latest opinion paper is available online





EU Agencies meet at the European Parliament

Tue, 12/06/2016 - 14:57


High-level speakers of the day included Martin Schulz, President of the European Parliament, Kristalina Georgieva, Vice-President of the European Commission, and Herman Van Rompuy, former President of the European Council.

ENISA – the EU cybersecurity Agency – participates at the two-day meeting, sharing with counterparts the role and the contribution of the Agency to the Digital Single Market for the benefit of citizens, consumers, enterprises and public sector organizations in the Union. The agency is represented by the Executive Director, Udo Helmbrecht and the Head of Administration, Paulo Empadinhas.

The conference emphasizes the benefits EU Agencies bring to the economy, stakeholders and policy-making in Europe.

During the first day of the conference, four sessions focus on i) boosting jobs, growth and investment, ii) citizens first, iii) justice and home affairs and iv) an innovative Europe. Two new studies carried out by the European Parliament on the impact of the EU Agencies in the EU will be presented during the meeting. The conclusions of day 1 will be presented the following day, outlining the way forward.

Read the full press release



The EU Agencies Network: The 45 decentralised Agencies and Joint Undertakings of the EU closely interact and cooperate within the EU Agencies Network, a pan-European network, set up by the Heads of EU Agencies, as a collective voice for the Agencies to coordinate, exchange information and agree common positions of shared interest.

For more information:

For more details about the Forum, see the Agenda.

Follow the EU Agencies and the event on Twitter via #EUAgencies and #euagenciesforum

Click here and find out more about how the 45 EU Agencies and Joint Undertakings.

Watch videos about the EU Agencies on YouTube here.


EU Agencies press contacts:  and

For press enquiries and how ENISA contributes to the EU please contact




ENISA on advancing cybersecurity capabilities and cooperation at ITU regional meeting

Wed, 11/30/2016 - 18:28

On the 29th and 30th November 2016 in Bulgaria, ENISA together with the Telecommunication Development Bureau (BDT) of the International Telecommunication Union (ITU), and the Ministry of Transport, Information Technology and Communications of the Republic of Bulgaria organised the Regional Cybersecurity Forum for Europe.

High-level representatives from forty-three European countries from government, public and national authorities, policymakers, service providers, academia, and cybersecurity experts looked into the challenges, good practices, regional cooperation and information sharing in cybersecurity, with a special focus on National Cybersecurity Strategies (NCSS) and National CSIRTs.

Following the welcome notes of Ivaylo Moskovski (Minister of Transport, Bulgaria) and Jaroslaw Ponder (ITU), ENISA’s Head of Core Operations Dr Steve Purser, in his keynote address, gave an overview of the Agency’s activities in the related fields and of how it actively contributes to and supports the Member States in developing cyber responses through trainings, exercises, supporting CSIRTs and the development of NCSS. The recent NIS Directive lays down the requirements to achieve a higher level of security in the Union. Within this frame, Member States are required to establish a national NIS strategy and CSIRT(s). “Cooperation and trust are key to protect critical infrastructures and to advance cybersecurity capabilities across Europe,” said Steve Purser.

More information about the meeting is available online

For interviews and press enquiries please contact





Udo Helmbrecht speaks about the need for a strong cybersecurity environment at Think Digital Summit

Wed, 11/30/2016 - 14:44

The impact of the Digital Single Market was at the epicentre of The Think Digital Summit together with Commissioner for Digital Economy G. Oettinger, Belgian Deputy Prime Minister Alexander De Croo, and MEP Marietje Schaake on Tuesday 29th November 2016, in Brussels.

ENISA’s Executive Director, Udo Helmbrecht, together with representatives of National Authorities, industry and academia, discussed ‘Cyber space and security for business’, looking into the challenges, threats and the need for cooperation in areas of critical infrastructure such as energy, health, transport and finance, and between the public and private sector.

Udo Helmbrecht, who was a speaker at the conference, said: “Finance, ICT and energy sectors have the highest incident costs. Cyber incident figures show up to 1.6% GDP loss in some EU countries. Furthermore, cyber-crime capitalisation in 2016, would reach the level of the second most valuable US company[1]. Legislative initiatives, secure network structure, encryption and standardisation can support towards a strong EU cybersecurity environment”.

The Think Digital Summit is an initiative of European Business Summit. More: @ebsummiteurope #td2016

Related material:

ENISA report on cost of incidents

ENISA opinion on encryption  

ENISA-Europol joint statement on encryption 

ENISA opinion on cybersecurity as economic enabler 

ENISA’s work in eIDAS Regulation

For interviews and press enquiries please contact



[1] Source: Bloomberg cybercrime cost from Allianz Cyber Risk Guide





ENISA at Bitkom hub-conference: Feeling secure about your smart device?

Wed, 11/23/2016 - 09:45

This year the Agency shared insights on IoT cybersecurity and smart environments, and showcased a live-demo on securing smart home devices.

The live-demo session, which was presented for the first time, focused on how to securely select, manage and operate smart devices while demonstrating the applicability and cost-effectiveness of good practices. Smart locks served as a representative example of an IoT device. ENISA’s experts illustrated the potential risks present in products, and proposed a series of recommendations and practical measures to hinder exploitation and promote secure use.

Prof. Udo Helmbrecht, Executive Director of ENISA said: “In order to capitalise on the benefits of IoT we need to focus on security and resilience. ENISA works together with industry and the private sector to identify relevant risks and challenges and develop best practices”.

According to ENISA’s studies, the main reasons behind the increased cyber security risks associated with IoT include the lack of a security mindset and standardization, short rollout times for IoT product development, limited device resources, and minimal update mechanisms. These shortcomings can have a strong impact[1] on security. ENISA is active in the IoT domain and has released relevant reports in this area. The Agency believes that the early adoption of its proposed good practices can help boost citizens’ trust and confidence in IoT solutions and pave the way for their wider deployment.

Find out more about ENISA’s work at Bitkom hub-conference:

ENISA’s recommendations at Bitkom in an infographic

For interviews and press enquiries please contact Tel. +30 2814 409576

[1] The IoT-enabled Mirai botnet, which was able to take down parts of the Internet (Dyn DDoS attack)





Growing need for a common security framework, says ENISA Head of Administration at international cybersecurity conference

Thu, 11/17/2016 - 12:37



ENISA’s Head of Administration, Paulo Empadinhas, was present together with international partners and institutions, and government representatives.

Paulo Empadinhas participated in the panel on “Constitution, State and Cyberspace: Contradiction in terms?”, where he spoke on the ‘general data protection regulation and IoT, and the impact in the EU chart of fundamental rights’, explaining the harmonisation, simplification and update in the technological advances that the reform brings.

“Trusting IoT requires a coordinated effort from all actors, as IoT brings smartness and new security challenges,” said Paulo Empadinhas. Defining security management at the organisational level, developing information exchange on threats and risks and promoting a common cyber security framework are key to securing IoT. Security concerns include the fact that manufacturers don’t invest in security and the difficulty of securing the entire lifecycle of products, while the notions of security and privacy are closely linked. With this in mind, ENISA proposes the establishment of security procurement guidelines, a framework to evaluate the security of products, and the support of security-driven business models. “There is a need for a specific IoT security framework, as safety is a new parameter which needs to be integrated which goes beyond technical requirements. Cross-sector baseline capabilities, public-private collaboration and sectoral guidance, as developed by ENISA, help in this direction,” said Paulo Empadinhas.

The event hosted key figures including the Secretary of State for the Presidency of the Council of Ministers Miguel S. Roque and the President of the National Commission for Data Protection Filipa Calvão.

For more information on the event: Cyberlaw Research Centre and Institute of Legal and Political Sciences





Updated Good Practice Guide on National Cyber Security Strategies by ENISA

Mon, 11/14/2016 - 15:20

ENISA publishes its second National Cyber Security Strategy Good Practice Guide, providing an update to the 2012 ENISA guidebook on the design and implementation of a National Cyber Security Strategy (NCSS).

This guide includes an update on the different steps, objectives and good practices of the first edition, and analyses the status of National Cyber Security Strategies in the European Union and EFTA countries. The key aim is to support EU Member States in their efforts to develop and update their NCSS.

Furthermore, the guide proposes an NCSS lifecycle, with a special emphasis on the ‘evaluation and maintaining’ phase. It presents six steps for the design and development of an NCSS and sixteen objectives for the implementation of the NCSS.

The guide can be used as a tool by governmental bodies that are responsible for cyber security strategies. It highlights good practices, identifies gaps and challenges, and suggests key performance indicators (KPIs) for the evaluation phase. It concludes with a set of recommendations on how to proceed with the development and maintenance of a NCSS.

The guide is targeted at public officials, policy makers and entities involved in the lifecycle of the strategy such as private, civil and industry stakeholders.

The recently adopted NIS Directive requires all EU Member States to develop and adopt an NCSS. For this reason, the guide will particularly assist countries that don't have a strategy already in place through the design and implementation phase, while assisting countries that already have a strategy to update and strengthen their NCSS.

The National Cyber Security Strategy Good Practice Guide is available online.

For press and media enquiries please contact




Europe’s talents compete at the European Cyber Security Challenge!

Thu, 11/10/2016 - 16:50

image courtesy if(is)

Teams measured their technical and cooperation skills in attacking and defending computer systems. The team from Spain took victory, with Romania and Germany reaching 2nd and 3rd position respectively.

Participants were welcomed to the challenge and were handed their awards by Prof Pohlmann, Thorsten Menne of the Ministry of Innovation, Science and Research of the State of North Rhine Westphalia and the Head of ENISA's Core Operations Department, Dr Steve Purser. Zinaida Benenson, Sn. Researcher, IT Security Infrastructure Lab, University of Erlangen-Nuremberg, in her keynote speech spoke about why ‘hackers are better psychologists than security experts’.

Teams had to deal with vulnerabilities in web applications, binaries and document files, solve crypto puzzles and hack hardware systems. During the three days of the competition participants had the chance to further interact and attend teambuilding activities, providing the opportunity to make connections with industry and gain insight into the professional IT security field.

The European Cyber Security Challenge 2016 Final, hosted in Germany, was attended by teams from Austria, Estonia, Germany, Greece, Ireland, Liechtenstein, Romania, Spain, Switzerland and the United Kingdom.

Next year’s challenge is planned to take place in Malaga, Spain, on November 3, 2017.

A call for participation in the European Cyber Security Challenge 2017 will be issued before the end of 2016. Please refer to ENISA if you wish to receive further information. Get ready to be the next cyber talent!

Follow on Twitter: @enisa_eu, #EUCSC2016



European Cyber Security Challenge 2016 award ceremony photos

European Cyber Security Challenge 2016:


For press and media enquiries please contact




Register for workshop on cybersecurity in eHealth

Wed, 11/09/2016 - 09:35

ENISA together with the Austria/Vienna Hospital Association is organising the second ENISA eHealth workshop to support the Member States and raise awareness on the topic.

The event takes place in Vienna on the 23rd of November. Topics to be discussed span from policy and regulation, to the important technological advancements ICT brings in healthcare.

Some of the designated speakers include:

  • Dr Ben Kokx, Philips, presenting standardisation activities for medical devices and IoT
  • Dr Dimitris Glynos, explaining how easy it is to actually hack a smart medical device
  • Dr Korpelainen Juha, explaining how a smart hospital is built from scratch
  • Mr Roger Lim, EC DG SANTE, giving an overview of the policy activities for eHealth in the European Commission and the eHealth Network.

Guest speakers will be sharing views during the eHealth security workshop.

To register please visit the link

Workshop agenda

For more information:



