European Union Agency for Network and Information Security

Tips for secure user authentication

Thu, 06/04/2020 - 10:30

We are living in an era of large-scale data breaches. More and more high-profile companies are hacked; as a result, the personal data of millions of customers is leaked online.

Cybercriminals with different motivations and interests take advantage of this data in order to mount attacks at both individuals and other organizations. As passwords are still the main method to authenticate users to platforms and systems, this article aims to provide tailored recommendations for improved cyber hygiene.

Risks to passwords

 Today, passwords can be stolen in multiple ways, including:

  1. Social Engineering attacks such as phishing credentials using fake pages, voice phishing (so-called Vishing), shoulder surfing (e.g. peeping behind a person who is typing their password on a laptop) and even retrieving handwritten passwords from post-it notes.
  2. Stealing using specialized software or physical keyloggers. Some of these attacks require a physical presence or proximity to a laptop or a device.
  3. By intercepting communications, using fake access points or by leveraging man-in-the-middle attacks (MiTM) at a network level, more prevalent in public WiFis found in hotels, cafés, airports, etc.
  4. Brute-force attacks on passwords by trying all the combinations, dictionary attacks or by simply guessing the password.
  5. Retrieving passwords directly from data breaches and leveraging them using password spraying techniques to other legitimate services.
Recommendations to improve password security
  1. Activate multifactor authentication functionality whenever possible for all of your accounts.
  2. Do not re-use your passwords. Cybercriminals work under the assumption that many users re-use passwords, hence their high success rates for compromising accounts.
  3. Use single sign-on functionality combined with multifactor authentication in order to reduce the risk of account compromise.
  4. Use a password manager.
  5. Generate strong and unique passwords or passphrases according to the latest guidelines available, for each individual website and service. This is where password managers come in handy.
  6. Check if any your accounts appear in existing data breaches and act immediately by changing your passwords for the services identified.
  7. Many websites offer password reminder functionalities. Make sure you do not rely on easily retrievable personal information to reset your password, e.g. name of your pet, your date of birth, your high school, etc.
  8. Make use of VPNs or at least mobile access points when accessing e-Banking or other private services from public WiFi.
  9. Be aware of your surroundings in lounges, airports, trains and cafés, and make sure there is nobody behind you trying to snoop your password. This is where screen privacy filters come in handy.
  10. Do not leave your devices unattended/unlocked in public spaces such as hotels, public transport, lounges, etc.

Further Information:

For more security awareness related materials, please visit the website of the European Cyber Security Month (ECSM) awareness raising activity coordinated by ENISA.

Cyber Hygiene best practices can be found in the ENISA Report - Cyber Hygiene.

For further information related to the cybersecurity aspects of the COVID19 pandemic, consult the ENISA pages dedicated to this issue under the Topic - COVID19.

For press questions and interviews, please contact

European Cyber Security Challenge 2020 - Event Date Change

Wed, 06/03/2020 - 11:00

Due to the worldwide pandemic and the lack of visibility regarding its evolution, the ECSC Steering Committee together with the Austrian national planners and the support of the European Agency for Cybersecurity decided to change the dates of the European Cyber Security Challenge 2020 Finals, scheduled to take place in Vienna this November. 

The ECSC Steering Committee, considering that the organization of this European event brings together more than 350 young people coming from all over Europe, wants above all to safeguard the health of all participants. Furthermore, to give a fair chance to all teams and permit each country to continue with the selection process in serenity, it was decided to amend the age conditions for participation by adding a year in each category.

In light of the above, the 6th edition of the European Cyber Security Challenge (ECSC) will take place in Prague, Czech Republic in 2021. Austria will host the event in 2022.

The annual event brings together top cyber talent from across Europe to network and collaborate, meet with industry-leading organizations and compete against each other to win the ECSC prize. Contestants work on solving security-related challenges on topics including web and network security, mobile security, crypto puzzles, reverse engineering and digital forensics.

About the European Cyber Security Challenge

The growing need for IT security professionals is widely acknowledged worldwide. To help mitigate this shortage of skills, many countries launched national cybersecurity competitions targeting towards students, university graduates or even non-ICT professionals with a clear aim to find new and young cyber talents and encourage young people to pursue a career in cybersecurity. The European Cyber Security Challenge (ECSC) leverages on these competitions by adding a pan-European layer.

The European Cyber Security Challenge is an initiative by the European Union Agency for Cybersecurity (ENISA) and EU Member States and aims at enhancing cybersecurity talent across Europe and connecting high potentials with industry leading organizations.

Further Information:

Further information on how to participate in the upcoming National Challenges and the European Finals, as well as the contact details of the organisers, can be found on the ECSC website.

For general organisational and press questions, please contact press (at) 


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


Top ten cyber hygiene tips for SMEs during covid-19 pandemic

Tue, 06/02/2020 - 15:00

Crises like the current COVID-19 pandemic have a serious impact on the European as well as the International society and economy.  Small and medium-sized enterprises (SMEs) are often coping with difficult times.  Unfortunately, cybercriminals often see such crises as opportunities.  Phishing and ransomware attacks are on the rise.

SMEs are also faced with a new reality where employees are working more from home.  This way they become even more dependent on Information Technology (IT) than before.  It goes without saying that protecting these virtual assets is of utmost importance to almost every SME.  According to ENISA, the top ten cyber hygiene topics that SMEs should address, possibly through outsourcing where needed, are presented below:

  1. Management buy-in. It is important that management sees the importance of cybersecurity for the organisation and that it is informed on a regular basis.
  2. Risk assessment. This answers the question: what do I have to protect and from what?  Identify and prioritise the main assets and threats your organisation is facing.
  3. Cybersecurity policy. Have the necessary policies in place to deal with cybersecurity and appoint someone, for example an Information Security Officer (ISO), who is responsible for overseeing the implementation of these policies.
  4. Awareness. Employees should understand the risks and should be informed about how to behave online.  People tend to forget such things rather rapidly, so repeating this every now and then can be valuable.
  5. Updates. Keeping everything, meaning servers, workstations, smartphones, etc. up-to-date is key in your cyber hygiene. Applying security updates is part of this process.  Ideally, this whole process is to a certain level automated and the updates can be tested in a testing environment.
  6. Backups. Prior to doing these updates it is vital to have good backups in place.  This will also protect the environment from attacks such as ransomware.  Backup the most important data often and think about the cost of losing data during a certain timespan.  Keep the backups offline, test the backups and try to have duplication of the backups.
  7. Access management. Have rules/policies in place for access management and enforce them.  Make sure default passwords are changed for example, that passwords are not shared, etc.
  8. Endpoint protection. Think about securing the endpoints through for example installing antivirus software.
  9. Secure remote access. Limit remote access as much as possible and where absolutely needed, enable it but in a secure way.  Make sure that communication is encrypted properly.
  10. Incident management plan. There should be a plan on how to handle an incident when it occurs.  Different realistic scenarios could be part of this plan.  Get to know whom you could contact when things are problematic, for instance the national CSIRT.


Further Information

For further information related to the cybersecurity aspects of the COVID19 pandemic, consult the ENISA pages dedicated to this issue under the Topic - COVID19

For press questions and interviews, please contact


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


Getting ready for the next security incidents

Fri, 05/29/2020 - 13:00

As of April 2020, more than 500 European incidents response teams are listed in the ENISA CSIRTs by Country - Interactive Map. These teams work on a daily basis to improve the prevention, detection and analysis of cyber threats and incidents.

As envisioned by the NIS Directive and in the Cybersecurity Act ENISA is given the responsibility to assist the CSIRTs Network and the Member States in improving the prevention, detection and capability to respond to cyber threats and incidents by providing them with knowledge and expertise. It is within this context that ENISA launched this project in order to improve the proactive detection of network security incidents in the EU, by:

  • Providing an inventory of available measures and information sources;
  • Identifying good practices;
  • Recommending possible areas for development.

In this respect, proactive detection of incidents is defined as the process of discovery of malicious activity in a team's constituency through internal monitoring tools or external services that publish information about detected incidents, before the affected constituents become aware of the problem.

ENISA published the first version of a study entitled “Proactive detection of network security incidents” in 2011. The current work builds and expands on this. It aims to provide a complete inventory of all available methods, tools, activities and information sources for proactive detection of network security incidents. Such tools are used already or could possibly be used by incident response teams in Europe nowadays.

This study identifies the evolution of proactive detection in EU over time, between 2011 and 2019. It also explores new areas that could help improving operational cooperation and information exchange. The goal is to help both new teams that are starting to use new tools and sources, and more advanced teams to assess their level and identify what they could still improve.

Moreover, this work can be used together with the recently released ENISA training on Orchestration of CSIRT Tools or to conduct more focused peer reviews using ENISA maturity methodology.

The results of the project are divided in three reports and in a living repository hosted on GitHub. The objective is to offer a point of reference for new or well-established teams who need to identify or reassess appropriate measures for proactive detection of incidents.

1- Report - Survey results

  • Survey among incident response teams in Europe;
  • Comparison with the 2011 survey.

2- Report - Measures and information sources

  • Inventory of available methods, tools, activities and information sources;
  • Evaluation of identified measures and information sources.

3- Report - Good practices gap analysis recommendations

  • Analysis of the data gathered;
  • Recommendations.

4- Online repository - GitHub

  • Information sources;
  • Measures and tools.


Proactive detection of incidents:

Further information:

ENISA - CSIRT Services section

ENISA - CSIRTs and communities section

ENISA - CSIRTs in Europe section

Brochure - Bolstering Incident Response in Europe

For more questions you can contact

For press questions and interviews


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


Securing smart infrastructure during the COVID-19 pandemic

Mon, 05/18/2020 - 08:00

The  Internet  of  Things  (IoT)  has changed the  way  people  live,  do  business,  and  interact.  Buildings and homes are becoming smarter, more complex and more connected. This massive interconnection leads to new  efficiencies  and capabilities and  unlocks  enormous  value  for  consumers,  organizations  and  cities. Nevertheless, these advantages come with great challenges and cyber security risks.

Securing smart homes and smart buildings from cyber security risks becomes more relevant than ever in the light of the COVID-19 pandemic crisis. People are spending considerable time at home using smart cameras, wearables and telecommunications to remain in touch with their business, doctors, government, school, friends and family. Utilizing modern technology people stay productive for their work and their housekeeping, but they also become more susceptible to attacks from threat actors that are still looking to cash in by exploiting human nature.

ENISA’s Work on IoT and Smart Infrastructure

The Agency has been working on IoT security for a number of years, producing, among other things, work on Security and Resilience of Smart Home Environments, Baseline IoT security recommendations, as well as work in securing Industry 4.0, and IoT software development lifecycle. For more information:

Securing the home

Social distancing has shifted daily habits with activities pertinent to work, education, healthcare, wellbeing and socialisation happening mainly from home. Most of these activities are taking place in digital format and therefore they rely heavily on connectivity and smart home devices. Many consumers are aware that their smart devices could potentially introduce vulnerabilities in their home network and they should configure them properly. However, they struggle to understand what is required of them to keep their smart thermostat or voice assistants secure. Below, ENISA presents some fundamental measures for securing smart devices:

  • Use long passwords, two-factor or multi-factor authentication and, if available, enable biometric features or additional PINs.
  • Use different passwords for each device in your home network.
  • Observe user guides and enable the relevant security features during the initial setup.
  • Enable update notifications and perform updates on a regular basis
  • Avoid introducing sensitive information and be aware of the way your information is used.
  • Turn off and unplug the device when no longer used
  • Configure multiple networks on your router and keep your smart devices on a separate Wi-Fi network.
  • Securely wipe your smart device and use “factory reset” function before disposing or returning it back.
Securing the business premises

Almost overnight, in an effort of implementing immediately social distancing, many employees around the globe started working remotely from home and staying away from offices. Outside of the normal and business-as-usual situation, with applying social distancing rules and personnel working in rotation, employees might simply be less diligent about security practices. It has never been more important to proactively secure smart buildings/offices, which they often control systems or operations like data centers dependent on the availability of air conditioning systems.

Securing networks, monitoring network anomalies, identifying malicious behaviour including social engineering and spear phishing attempts and reviewing IoT security configurations is the way forward and in that respect, ENISA provides the following recommendations in addition to the ones mentioned above:  

  • Enable firewall protection, and ensure corporate network is only accessible from whitelisted services.  
  • Disable unused ports. 
  • Apply network micro-segmentation by creating virtual networks to isolate IoT systems from other critical IT systems. 
  • Enable monitoring and diagnostics and review them regularly.
  • Prepare and update the incident response plans according to the current risks.   

Smart homes and smart buildings have become the digital shelters for all people in social distancing. Securing them is a shared responsibility and everyone should take part in achieving a more secure and resilient digital environment both at home and at work.

Further Information

For further information related to the cybersecurity aspects of the COVID19 pandemic, consult the ENISA pages dedicated to this issue under the Topic COVID19


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


Dependency of Energy Operators on time sensitive services

Tue, 05/12/2020 - 08:00

Energy grids depend on precision timing and communication networks to monitor grid operation and integration. Power data acquisition and synchronization need to share time sources to enable decentralized analysis and effective coordination of power production. However, systems that provide time services are vulnerable to various cyber threats and a possible attack can destabilise the operation of modern power grids. With recent technological advances, there is a proliferation of tools for deploying attacks against the time sources of a utility.

The ENISA Report - Power Sector Dependency on Time Service: attacks against time sensitive services focuses on such an attack scenario by identifying relevant risks and by providing guidelines to ensure consistent time synchronization. In doing so, a typical functional architecture for time-phase data processing on the power grid is presented.

 The study also includes a list of attack vectors of potential threats against communication mediums, protocols as well as sensors and devices of this architecture.

Technical and generic good practices are suggested based on the scenario technologies investigated. The report concludes with key recommendations such as:

  • Designing of modern devices for substation automation (including GPS receivers) with security in mind (vendors);
  • Establishing electronic perimeters and implementing measures against spoofing attacks (operators);
  • Systematic implementation of basic measures for substations (operators);
  • Designing of modern devices to be used for automation in a way that meets universally accepted requirements and implementing of selected security measures through proper standardisation procedures (vendors);
  • Adoption of tools and procedures to enhance the resilience of power grids with respect tomalformed and/ or injected data affecting decision making in modern smart grids (operators).

Further Information

ENISA Report - Power Sector Dependency on Time Service: attacks against time sensitive services

Critical Infrastructures and Services

Threat and Risk Management

For interviews and press questions, please contact press (at)


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


Cybersecurity in the healthcare sector during COVID-19 pandemic

Mon, 05/11/2020 - 13:30

The COVID19 pandemic has created a new reality for the healthcare sector globally testing its limits. Adding to the overwhelming situation it is currently facing, the sector has become a direct target or collateral victim of cybersecurity attacks. Malicious actors taking advantage of the COVID19 pandemic have already launched a series of phishing campaigns and ransomware attacks. Hospitals have shifted their focus and resources to their primary role, managing this extraordinary emergency, which has placed them in a vulnerable situation. Hospitals, and the whole healthcare sector, now have to be prepared.

Cybercrime adapts to the world around it. It is hardly surprising that in the beginning of an escalating global pandemic like COVID-19, malware actors have jumped on the bandwagon. The current situation in the EU and worldwide provides a fertile breeding ground for various campaigns. In no particular order, the following conditions are being exploited making the sector even more vulnerable:

  • High demand for certain goods like protective masks, disinfectants and household products
  • Decreased mobility and border closures
  • Increasing reliance on teleworking, often with little previous experience and planning
  • Increased fear, uncertainty and doubt in the general populatio

ENISA can provide some advice to support the sector, taking into account the situational evolution and most common incidents since the beginning of the pandemic.

  • Share the information with healthcare staff in the organisation, build awareness of the ongoing situation and, in the case of infection, ask staff to disconnect from the network to contain the spread. Raise awareness internally in healthcare organisations and hospitals by launching campaigns even during the time of crisis (i.e. to inform hospital staff not to open suspicious emails).
  • In case of systems compromise, freeze any activity in the system. Disconnect the infected machines from others and from any external drive or medical device. Go offline from the network. Immediately contact the national CSIRT.
  • Ensure business continuity through effective backup and restore procedures. Business continuity plans should be established whenever the failure of a system may disrupt the hospital's core services and the role of the supplier is such cases must be well-defined.
  • In case of impact to medical devices, incident response should be coordinated with the device manufacturer. Collaborate with vendors for incident response in case of medical devices or clinical information systems.
  • One preparedness measure is network segmentation. With network segmentation network traffic can be isolated and / or filtered to limit and / or prevent access between network zones.

The whole cybersecurity community is working together to support the healthcare sector as the pandemic develops; national cybersecurity authorities are issuing alerts and guidelines (e.g. the situation in CZ) on potential cyber attacks; in the CSIRT Network MS continuously exchange information and issue situational reports together with the EU Institutions; the private sector is offering pro-bono cybersecurity related services supporting the healthcare sector.

Further Information

For further information related to the cybersecurity aspects of the COVID19 pandemic, consult the ENISA pages dedicated to this issue under the Topic COVID19


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


ENISA contributes to a Council of Europe webinar on cooperating with CSIRTs to counter cybercrime

Fri, 05/08/2020 - 16:00

The purpose of this webinar is to identify ways in which cooperation between criminal justice authorities and cybersecurity actors could improve, including through identification of mutual roles and responsibilities in cybercrime investigations. Information will be provided on the legal, organisational and technical aspects, pointing out current shortcomings and making recommendations to further enhance cooperation.

Date and time

Monday, 11 May 2020 | 09:00 AM GMT

 Duration and format

1h30' | 45' presentations & 45' discussions

The webinar will showcase good practices adopted in the EU, as analyzed by the European Union Agency for Cybersecurity, ENISA.

Expected outcomes

  • Promote the adoption of good practices for an effective cooperation between CSIRTs and criminal justice authorities, including law enforcement officers, prosecutors and judges
  • Discuss on roles and responsibilities, and segregation of duties
  • Present case studies of successful cooperation
  • Engage in discussions and share experience on current challenges and solutions, also in the light of the outbreak of cyber threats related to the global COVID-19 crisis.

Target Audience

The webinar is particularly useful for national/governmental CSIRT staff, law enforcement, prosecutors and judges in charge of cooperation on cybercrime

Agenda and registration

Check out the Agenda and register here:


CSIRTs (Computer Security Incident Response Teams) have an important role in preventing cyber-attacks and in coordinating the technical response at national level. They may help in monitoring and reporting cybercrimes, in sharing technical information on ongoing or past attacks and in securing electronic evidence.

It is therefore essential that CSIRTs and criminal justice authorities put in place an efficient and effective collaboration, where roles, responsibilities and segregation of duties are defined and agreed upon.


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


Sharing is caring: technical cooperation across CSIRTs, LE and the judiciary

Thu, 05/07/2020 - 08:00

In particular, the ENISA Report - An overview on enhancing technical cooperation between CSIRTs and LE provides an overview of the tools currently used by the reference communities, analyses their key functionalities, and proposes technical specifications to design a shared platform that could help CSIRTs, LE and the judiciary cooperate closer and share information to respond to cyber security incidents and counter cybercrime. The report gives also some examples of cooperation between CSIRTs, LEAs and the judiciary that showcase the interactions between the different actors and the methodology and the tools used for their cooperation.

Data for this report was collected via desk research and an online survey.  

The main target audience of this report is national and governmental CSIRTs, LEAs, prosecutors, and judges as well as policy makers and professionals in this field. As expected, this ENISA report takes a standpoint that favors cross border cooperation across the EU Member States.

To enhance the cooperation across CSIRTs, LEAs and the judiciary the following recommendations have been put forward:

  • to drive efforts towards and support the development of a common platform, considering all requirements and constraints expressed by the communities;
  • to promote the use of Segregation (or separation) of Duties (SoD) matrices to  avoid overlapping duties across CSIRTs, LE and the judiciary in relation to the sharing information.
  • to consider and promote the adoption of a common digital forensics framework.
  • to assess the suitability of the EU cybersecurity certification framework for cybercrime investigation tools.

This report contributes to the implementation of the ENISA programming document 2019-2021 (Output O.4.2.2 -“Support the fight against cybercrime and collaboration between CSIRTs and law enforcement”). It leverages upon and builds further on ENISA work already carried out in the area of CSIRTs and law enforcement cooperation. Further work in this area, carried out  in 2020, is described in the ENISA programming document 2020-2022.


Further Information:

ENISA Report - An overview on enhancing technical cooperation between CSIRTs and LE

For more information on these reports, please contact: CSIRT-LE-cooperation (at)

More on ENISA’s activities in the area of CSIRTs and communities

For interviews and press questions, please contact press (at)



Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


Understanding and dealing with phishing during the covid-19 pandemic

Wed, 05/06/2020 - 13:00
Phishing in the years of COVID-19

Many organisations and companies experience changes in their working conditions lately due to the COVID-19 pandemic. This shift has increased remote activities, such as teleworking. Teleworking furthers the reliance on email for communication, thus creating perfect conditions for email fraud schemes.

Cyber criminals are taking advantage of the pandemic by using widespread awareness of the subject to trick users into revealing their personal information or clicking on malicious links or attachments, unwittingly downloading malware to their computers. They may even impersonate government organisations, ministries of health, centres for public health or important figures in a relevant country in order to disguise themselves as reliable sources.

The emails look authentic and may include logos or branding of the specific organisations.

Coronavirus-related email phishing attacks have spiked over 600% since the end of February 2020 (infosecurity-magazine)

How scammers operate

Malicious email messages that might ask you to open an attachment supposedly containing pertinent information regarding the Coronavirus are likely to download malicious software onto your device as soon as you click on the attachment or embedded link. This software could allow cybercriminals to take control of your computer, log your keystrokes or access your personal information and financial data, which could lead to identity theft.

How to recognize phishing

The emails sent usually:

  • look identical to messages from a reputable organisation (such as a medical or governmental institution),
  • sound urgent or try to spread fear,
  • claim to enclose important information or breaking news,
  • ask you to download and/or click on attachments and links.
How to Protect against Phishing Attacks

There are simple steps you can take to avoid the bait:

1)  Take time to reflect on a request for your personal information and whether the request is appropriate. Do not open unsolicited email from people unfamiliar to you or click on suspicious attachments, which you did not expect.

2)  Never supply any personal or financial information and passwords to anyone via email.

3)  Avoid emails that insist you act now. Phishing emails often try to create a sense of urgency or demand immediate action.  

4)  Look for wording and terminology. Apart from phishing, cyber criminals could also trap a specific person via spear phishing using the receiver’s full name. Check for terms and language that is normally expected in the type of email you receive.

5)  Check the email address. Check the sender’s name, email address and whether the email domain matches the organisation that the sender claims to be from. If not, it is probably a phishing attempt.

6)  Check the link before you click. See your emails in plain text to check for the hyperlinked address to see the real hyperlink. If it is not the same as what appears in the email, it is probably a phishing attempt.

7)  Keep an eye out for spelling and grammatical mistakes. If an email includes spelling, punctuation and/or grammar errors, it could be a phishing email.

8)  Be wary of third-party sources spreading information about COVID-19. Refer to the official websites for updates on COVID-19. Fraudulent e-mails can look like they come from a real organisation but legitimate government agencies will never call you or email you directly for this information.

9) Protect your devices. Install anti-spam, anti-spyware and anti-virus software and make sure they are always up to date.

10) Visit websites by typing the domain name yourself. Most businesses use encryption and Secure Socket Layer (SSL) / Transport Layer Security (TLS). If you receive a certificate error while browsing, consider it as a warning sign that something is not right with the website.

What happens if I became a victim of phishing? 
  • If you have clicked on a link or opened an attachment that downloaded harmful software, update your computer’s security software and run a scan.
  • If you entered login credentials to access information, change them immediately.
  • If you have provided your bank details, contact your bank or credit card company.
Take actions

COVID-19 has affected millions of people around the world, while its long-term impact remains to be seen. However, protecting ourselves against coronavirus-related scams is both a feasible and essential step. If you receive a phishing email, you should:

  1. Report it to your IT department by forwarding it as an attachment.
  2. Delete it.
  3. Notify the organization being spoofed in order to prevent other people from being victimized.
Further Infomation Discover more tips and resources in the ENISA COVID-19 dedicated page 

Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


What is a CSIRT and how can it help me?

Mon, 05/04/2020 - 08:00

With the COVID-19 outbreak, many SMEs and businesses had to make a giant and fast leap into remote working, completely relying on the Internet for their business models. This means facing everyday a new kind of cyber threat by enabling employees to work online from home, buy and sell goods online and rely on virtual meetings for everyday decisions. Citizens are also heavily depending on the Internet to maintain contact with other workers and their loved ones, stream content and news, use e-health services, online shopping, schooling and every other activity that has been moved online. Even if far away, we have never been so close.

There are currently more than 500 Computer Incident Response Teams (CSIRT) in Europe covering the needs of large companies, SMEs, private citizens, governments, research and education institutions. These teams are at the front line to respond to cyber security incidents and attacks. ENISA offers an interactive map of currently known Computer Security Incident Response Teams (CSIRTs): the CSIRTs Map. This tool can help  identify the right team for businesses and consumers facing cyber incidents and attacks and dealing with this giant leap into working from home.

Moreover, since 2017, European Union Member States have established a new and unique level of EU cooperation in case of large scale and cross border cyber security incidents: the CSIRTs Network. The first piece of cybersecurity legislation in the EU, known as the NIS Directive, established the CSIRTs Network, which is composed of incident response teams appointed by the Member States and the EU institutions. These teams are responding to cybersecurity incidents in each Member State and work together to protect EU citizens and businesses. During these difficult times for the Union, the CSIRTs Network members continuously exchange cybersecurity related information, which may affect European business and citizens. The Network is ready to respond to COVID-19 related cyber threats. A weekly report to the EU and MS higher levels/and their constituencies is produced by the Network, providing summaries and recommendations on how to face the cyber threats related to the outbreak.

The goal of the CSIRTs Network is to enable its member to cooperate, exchange info on cyber threats, improve the handling of cross border cyber incidents and respond in a coordinated manner to a situation like the one we are facing today. The CSIRTs Network objective is to provide the highest level of incident response in Europe. In case you do not know already the CSIRTs Network member for your country, please visit the dedicated website CSIRTs Network and check out your appointed CSIRTs Network member website, where you can find information and advisories on how to deal with COVID19 related cyber threats in your national languages.

In case your company wants to set up an incident response team, since 2004, ENISA has been supporting the Incident Response community to build and advance capabilities by providing capacity-building opportunities and by publishing over 70 dedicated studies and practices. You can find all them on the ENISA website under the Publication session together with more than 40 dedicated trainings free for download and use covering four main areas: Technical, Operational, Setting up a CSIRT and Legal & Cooperation. The goal is to support EU Member States and businesses to protect the Digital Single Market, raise the next generation of cybersecurity professionals, improve national incident response capabilities and help operators of essential services, digital services providers and businesses to prevent incidents and protect assets in their networks.

In case your company already has an incident response team, you can assess where it is and how it can further advance by using the ENISA CSIRT maturity assessment model and evaluation methodology with the online tool: CSIRT Maturity - Self-assessment Tool. The team can also join the Reference Security Incident Taxonomy Working Group, a community effort to create a common language to exchange data regarding cyber security incidents. So please make use of ENISA resources to foster better cooperation and information sharing and work with us for stronger cybersecurity incident response in Europe.

Further information:

ENISA - CSIRT Services section

ENISA - CSIRTs and communities section

ENISA - CSIRTs in Europe section

Brochure - Bolstering Incident Response in Europe

For more question you can contact


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


Training material to enhance cooperation across CSIRTs and Law Enforcement

Tue, 04/28/2020 - 15:00

This training material focuses on the following four thematic areas of the CSIRTs and LE cooperation:

  1. Behavioural aspects, in particular the different approaches to problems, modi operandi,  mentalities and ‘languages’ of the different communities;
  2. Legal and organisational aspects, among other the challenges related to the diversity of legal systems and legal provisions of the Member States;
  3. Technical aspects, including ongoing efforts towards a broader adoption and use of a common taxonomy and common tools;
  4. Cooperation across CSIRTs, LE and the judiciary, covering areas such as data retention, sharing of personal data (including IP addresses) and confidentiality of criminal investigations as well as admissibility of digital evidence.

For each of the above-mentioned areas, a handbook (documents for the trainer) and a toolset (document for the trainees) have been prepared and published.

Access the ENISA's Training Material on Cooperation across CSIRTs and Law Enforcement 

The intended target audience are CSIRTs (mainly national and governmental CSIRTs but not limited to them), LE, possibly the judiciary (prosecutors and judges) as well as individuals and organisations with an interest in Cybersecurity.  

Furhter Information:

For more information on these reports, please contact:

More on ENISA’s activities in the area of CSIRTs and communities

For Interviews please contact


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


Tips for selecting and using online communication tools

Mon, 04/27/2020 - 10:00

The coronavirus outbreak has affected and changed the way small and medium sized enterprises (SMEs) across the EU are doing business, both internally and externally with suppliers and customers. Indeed, SMEs face the new challenge of working remotely in a way that it is still productive, efficient but also secure. Online communication tools (including video/audio conferencing, instant messaging, remote document sharing/file exchange, internet streaming) are key to help SMEs follow-up with these novel working regimes. Among other aspects, the security and privacy settings of such tools are fundamental for efficient operation.

Taking into consideration the variety of online communications tools available today, ENISA offers some practical advice to SMEs with regard to the security and privacy aspects that should be considered upon the selection and use of online communication tools.

Tips for the selection of an online communication tool
  1. Make sure that the tool supports encrypted communication. It is especially recommended to rely on tools that support end-to-end encryption and provide sufficient information on applied key-sizes and algorithms.
  2. Opt for a choice that supports centralized management, such as call restriction policy, password policy, virtual meeting rooms and eavesdropping prevention.
  3. Assess the security settings, in particular make sure that the tool supports strong authentication, such as Multi-Factor Authentication (MFA).
  4. Review carefully the configuration options, considering in particular whether the service can be run in-house or relies only on external storage of data; if possible, prefer in-house implementations and ensure that integration with existing business tools and/or Single Sign On (SSO) can be provided.
  5. Read the privacy policy of the tool carefully, in particular as regards the following key aspects: types of personal data stored by the tool; location of the data; possible transfers of data to third countries; retention periods of data; default privacy settings/behaviour of the tool. Make sure that the app does not send data to social media for advertisement or other unwanted purposes. Consult your Data Protection Officer (or your privacy contact person if you do not have a DPO) if available for further assessment in case of doubt.
  6. Utilize available work resources such as work email and laptop to access the service; restrict if possible use from personal devices. In case it is necessary to use the tool from mobile phones, verify the permissions that the tool (app) asks and advise the users accordingly (e.g. for participation to a telephone call, granting permission for access to camera or location data would not be required).
  7. Ensure that only official distributions of the client are used and if it is not possible prefer the use of the web client. Verify that the latest version of the software is used and that security patches are applied in a timely manner.
  8. Make sure all meetings are password protected. Avoid sharing conference links and meeting passwords outside the intended participants. Invite users from within the tool if possible and ask them to refrain from sharing the link. In case that Single Sign On is not supported, advise all users to protect their account by selecting strong passwords and enabling multi factor authentication.
  9. Verify the default settings of the tool and make sure that all users are aware of them. Apply, where possible, default settings that protect users’ privacy (e.g. video deactivated by default, no audio/video recording, no central storage of instant messages, etc.). Refrain from recording the meetings unless there is a specific need for this. In case of recording, ensure that all meeting participants are informed and agree with the recording.
  10. Advice the users to use the chat, audio, camera and screen sharing functions wisely. For example, it advisable to not use video on a call when it is not needed. Moreover, users should ensure that only the window they want to share is on their screen and they should prevent their email or chats from becoming visible during meetings. When using video, users should make sure that their background is neutral and does not reveal any personal data of theirs or other confidential information.
Further Infomation Discover more tips and resources in the ENISA COVID-19 dedicated page 

This article was inspired upon a research performed by CERT.LV: the Information Technology Security Incident Response Institution of the Republic of Latvia. CERT.LV operates under the Ministry of Defence of the Republic of Latvia and is part of the EU CSIRTs Network.


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


New Training: on orchestration of CSIRT Tools

Fri, 04/24/2020 - 11:20

ENISA puts great effort into supporting the development of EU Member States’ national incident response preparedness. To that purpose, ENISA updated its CSIRT training material aimed at improving the skills of CSIRT teams. The scope of this new training is to adapt to new technologies and best practices in a fast changing domain.

The updated material will help to reinforce Member States CSIRTs’ operational skills and capacities. It will specifically allow them to manage the constant stream of cyber security events in an efficient way by showing them how to introduce smartly interconnected popular tools in their incident handling processes: the first step of so-called “orchestration” of tools.

 Access the ENISA Orchestration of CSIRT Tools Training Course

The purpose of the training is to educate  Member States by:

  • teaching how some popular tools can be interconnected, leading to a more efficient and better incident response,
  • automatically enriching the information on incidents and events they receive and increasing the amount of data they can share back much faster to their peers.

The new training materials consist of independent modules, each covering a particular combination of tools. The modules not only cover the configuration aspects of interconnecting the tools but also show how security analysts can use these orchestrated tools in their daily duties.

The underlying technical framework developed for this training allows modifying and extending the training courses to adapt to the fast evolving landscape of CSIRT tools and techniques. The training materials are therefore custom made  reusable and future-proof. This is a major novel change in approach to the technical trainings offered by ENISA.

Scope of the training

The training is divided in two parts, each with a different target audience.

The first -part is dedicated to the technical aspects of setting up the orchestration. It allows participants to practice with a selection of commonly used and very powerful open-source tools, such as:

  • MISP; a Threat Intelligence Platform for receiving and sharing information with other security actors;
  • TheHive and Cortex: a case management and team collaboration tool;
  • Elasticsearch and Kibana: for convenient and scalable storage of security data, query and visualisation purposes.

The second part deals with analytical workflows, focusing on leading simple investigations designed as training scenarios. Each of the scenarios demonstrates how the selection of tools can facilitate a typical CSIRT workflow. The emphasis is laid on the benefits that result from smartly interconnecting multiple CSIRT tools

  • Supporting the CSIRT analysts;
  • Improving the team’s situational awareness;
  • Reducing response times.
  • Easy sharing of own findings with the other security communities of choice.

Another interesting feature is that the approach is modular: the trainer can instantly deploy different sections of the training independently.  The trainer can start with a module that teaches how to connect some tools, followed by an analysis scenario that demonstrates the added value of interconnecting. Every module can be instantly deployed with all tools correctly configured and all the data needed for the scenario in place.

Architecture of the Platform

The infrastructure of the training is based on state of the art open-source containerization and orchestration technologies such as Kubernetes and Helm. This approach allows simplifying future continuous developments by adding new tools, rearranging existing ones and adding more analyst scenarios.

Moreover, the solution can be adapted to work natively in a cloud hosted infrastructure; removing the need for local setup of the environment and streamlining the complete training process.

It was also conceived to be modular by design, allowing thorough customisation of training delivery.

Further information

ENISA Orchestration of CSIRT Tools Training Course

For more information please contact

Encrypted Traffic Analysis: Use Cases & Security Challenges

Thu, 04/23/2020 - 13:30

The objective of the ENISA Report - Encrypted Traffic Analysis is to highlight an oxymoron, the disrupting effects of encryption network security. It examines whether Machine Learning (ML) and Artificial Intelligence (AI) techniques can be a useful alternative for network administrators and security professionals, offering encrypted traffic analysis capabilities without requiring access to decrypted packet payload. It also discusses  the privacy dangers introduced by the inappropriate use of ML and AI, alerting decision makers of potential risks that may lie in the future.


The introduction of network traffic encryption has significantly improved communication security and user privacy. When using technologies, like Transport Layer Security (TLS), most internet users assume that third parties cannot gain access to their communications and companies rest assured that their transactions are safe from interference and eavesdropping.

However, widespread network traffic encryption has reduced the ability of network administrators to monitor their infrastructures. Crippling their success in dealing with malicious traffic and sensitive data exfiltration, forcing them to resort to traffic decryption through proxies.

Research in ML and AI has provided us with useful tools for combating cyberattacks. At the same time, these new capabilities can be misused to lower user privacy, sometimes even with encryption employed.

Scope of the report

 The new report explores the current state of affairs in Encrypted Traffic Analysis.

To that purpose, research and methods are evaluated through the following essential use cases:

  • Application identification;
  • Network analytics;
  • User information identification;
  • Detection of encrypted malware;
  • File/Device/Website/Location fingerprinting;
  • DNS tunnelling detection.

The analysis of these use cases shows that the techniques presented are very promising. While not achieving the same level of confidence as with analysing unencrypted data, in some scenarios the benefits might outweigh the loss in detection accuracy.

The report highlights how the misuse of ML and AI techniques can lower privacy expectations for users, even though they might use strong encryption. One of these techniques is fingerprinting. Certain properties of encrypted data may allow the creation of data records mapping the properties to corresponding files or websites, providing ways to infer which files, songs, videos, etc. a user is requesting, even though the traffic itself is properly encrypted.

The report also identifies common TLS misconfigurations and bad practices that endanger the confidentiality of communications and users’ privacy, and urges administrators to follow simple countermeasures like:

  • Certification validation and pinning;
  • Minimizing exposed data over HTTP redirects;
  • Deprecating older certificates;
  • Usage of certificate signing and trusted CAs; etc.

These  misconfigurations, which are often easily fixed, deter users from trusting online services and make them avoid online transactions, negatively affecting the Digital Single Market.

Further Information:

ENISA Report - Encrypted Traffic Analysis


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


European Cybersecurity Month: highlights of the 2019 Campaign

Wed, 04/22/2020 - 13:00

Every year, together with the participating Member States, ENISA organises the European Cybersecurity Month, the EU advocacy campaign on cybersecurity for the EU citizens.

2019 saw the deployment of the 7th edition of the awareness raising campaign supported by the European Commission, Europol’s Cyber Crime Centre (EC3), European Schoolnet, and cybersecurity organisations from the participating Member States.

One of the objectives of the 2019 campaign is to ensure end-users and organisations are safe online. The general intention is to help EU citizens develop a basic understanding of the different types of online security and privacy issues. Other objectives of the Cybersecurity Month are:

  • To promote cyber hygiene best practices,
  • To highlight existing recommendations;
  • To increase the participation of EU Member States and relevant stakeholders.

The ENISA - ECSM Deployment Report 2019 reveals the increased impact of the 2019 campaign and the positive outcomes of the activities performed.

Policy Contex

The European Cybersecurity Month is part of the actions designed to implement the provisions of the Cybersecurity Act (CSA), article 10, under Title II, chapter 2 on awareness raising and education.

The CSA mandates ENISA to organise regular outreach campaigns in cooperation with Member States, Union institutions, bodies, offices and agencies.

To that end, ENISA assists Member States in their efforts to raise cybersecurity awareness and promote cybersecurity education throughout the Union.


The purpose of the report is to provide an overview of the activities organised in 2019.  The synthesis of the findings is based on evaluation and performance information gathered via two questionnaires and media monitoring data.

Content & Highlights

The report includes information on planning and execution as well as an evaluation of the campaign.

The 2019 campaign focused on delivery of live social media sessions and gamification sessions. Consequently, ENISA invested in developing digital content for online dissemination and proposed live virtual events and Q&A sessions on Twitter to engage with the public. Morevoer, a total of four social media quizzes were designed and posted every week.

The EU Member States coordinators agreed to organise the event around two themes; cyber hygiene and emerging technology, to allow for extended coverage of each theme and to facilitate the campaign’s measurement.

The 2019 campaign includes a significant increase in the following:

  • Member States participation;
  • Twitter activities with total of retweets that doubled compared to 2018;
  • Total number of views for digital media coverage.

Although there were less conferences and workshops organised by Member States, they attracted nearly three times more visitors than the previous years.

The survey questionnaire sent to the Member States coordinators revealed how well the organisation of the ECSM was perceived. It also showed how the ECSM is considered to add substantial value to the national campaigns and is seen as a practical and positive opportunity to improve collaboration with other Member States.

Target Audience

The report is intended for those public and private organisations, which supported the ECSM or intend to do so in the future. IT security professionals and/or groups who attended events and conferences organised throughout Europe will also find it a useful source of information. In addition, the report targets EU and national policy makers who aim to improve the security awareness for citizens, professionals and IT end-users in general.

Further informations

ENISA - ECSM Deployment Report 2019

ECSM website

ECSM dedicated ENISA website's section


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


Underpinning software security: the role of the EU cybersecurity certification framework

Wed, 04/15/2020 - 14:00

Secure software development and maintenance is attracting a lot of attention lately, due to the rapidly increased dependency of everyday products, services and processes to the underlying software.

Quite often, weaknesses behind security incidents and/or breaches materialize due to the lack of adherence on fundamental security principles and techniques. In order to promote increased levels of security and to improve mitigation of known security threats, secure software development and maintenance is becoming increasingly subject to evaluation, and eventually certification.

The ENISA Report - Advancing Software Security in the EU discusses some key elements of software security and provides an overview of the most relevant existing approaches and standards while identifying shortcomings associated with the secure software development landscape. Lastly, it provides a number of practical considerations relevant to the different aspects of software development within the EU cybersecurity certification framework. These considerations include:

  • issues related to the deployment and maintenance of repositories not only for publicly disclosed vulnerabilities but also for shared security aspects of certified products, services and processes;
  • coordination of activities among European Standards Organizations (ESOs) and Standards Developing Organization (SDOs);
  • possibilities to complement EU cybersecurity certification schemes with guidelines for software development, maintenance and operation;
  • consideration of lightweight conformity assessment methods for basic assurance level  as a response to the existing fragmented landscape of software development and maintenance;
  • possibilities to leverage existing experience and expertise and promote the uptake of EU cybersecurity certification schemes

The study was conducted as part of the Agency’s preparatory and support activities in the area of certification of products, services and processes. It is envisioned to be used as a reference document that complements similar ongoing initiatives at National level, during drafting of candidate cybersecurity certification schemes and as a non-binding guidance document for EU cybersecurity certification framework stakeholders.


Further Information

The ENISA Report - Advancing Software Security in the EU

For interviews and press enquires, please contact


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


Earning Trust: ENISA on eID and Trust services

Tue, 04/14/2020 - 14:30

In a shift of scope from mere electronic signatures to developed Trust services, the eIDAS Regulation has enabled the use of electronic identification and trust services by citizens, businesses and public administrations alike, to access online services or manage electronic transactions. Both interoperability and mutual recognition of electronic identification schemes across borders have been further enhanced to include five types of trust services, namely, electronic:

  • Signatures;
  • Seals;
  • Time stamps;
  • Registered delivery services;
  • Website authentication certificates.

Since 2013 ENISA has been in the forefront of the developments in eIDAS and has been supporting the Commission and the Member States in the area of trust services by:

  • Making available security recommendations for the implementation of trust services;
  • Mapping technical and regulatory requirements;
  • Promoting the deployment of qualified trust services in Europe;
  • Supporting relying parties and end users to secure their electronic transactions using trust services.

The recently enacted Cybersecurity Act provides ENISA with an extended mandate to explore the area of eIDs included in the eIDAS regulation. Therefore, in 2019 ENISA produced two reports on assessing the relevance of specific standards to the implementation of eIDAs and two reports exploring the harmonisation of security requirements for QTSPs and the technological landscape for eID schemes. 

Towards a harmonised Conformity Assessment Scheme for QTSP/QTS

The eIDAS Regulation requires CABs to be accredited in the framework of Regulation (EC) No 765/2008 [Reg.765, 2008], which is the generic European regulation in relation to accreditation. It furthermore requires that the conformity assessment scheme (CAS) used by the CAB is eIDAS specific.

A specific feature of the eIDAS accreditation scheme recommended by EA, and intrinsically of the eIDAS Regulation as the normative document, is that the requirements against which the QTSP/QTS must be certified are technology neutral legal requirements, expressed in terms of functional objectives. Furthermore, no standard may be mandatorily imposed upon the QTSP for providing QTS in conformance with the Regulation in order not to negatively impact innovation and/or harm competition. In addition, no eIDAS secondary legislation has been adopted to date to reference any standard that would create a legal presumption of compliance with any requirement of the eIDAS Regulation for the QTSP.

As a result, there is a significant margin for policy choices in creating, interpreting and applying accreditation and certification approaches. The difference in the approach and in the assessment effort for accreditation of CABs and for the certification of QTSP/QTS is reported by a vast majority of stakeholders (including EA) as hindering the mutual recognition of accredited certification of electronic trust services.

The report of ENISA aims to propose ways in which the eIDAS assessment regime can be strengthened based on the current regime of the eIDAS Regulation, the stakeholders’ concerns and the legitimate need to move towards a more harmonised approach with regards to the assessment by CABs of the conformity of QTSP/QTSs with the requirements of that Regulation. It focusses in particular on actions towards a harmonised conformity assessment scheme for QTSP/QTS. Proposed actions consider legal instruments, the design of a harmonised CAS, continuous improvement of CAS and recommendations that can be implemented in the short term.

ENISA Report - Overview of standards related to eIDAS

The shift to eID

Under the eIDAS Regulation, Member States have to notify electronic identification (eID) schemes to a designated service of the European Commission. Since 29 September 2018, mandatory mutual recognition of notified eID schemes has come into force. As a notified Member State’s scheme should currently be used to access online public services provided by another Member State, consistent security across these eID schemes is critical.

The study of ENISA provides an overview of the technological landscape for the eID schemes. Such an overview can underpin the development of a framework that will take into account security considerations that are required throughout the electronic identification process, including the enrolment phase, the eID means management, authentication and providers’ management and organisation. The paper also elaborates on topics worth being developed into guidelines to ensure homogeneity and consistency across Europe, including for instance remote identification (which is also a key topic for trust services), the security of mobile-based eID solutions, use of smartphones built-in biometric sensors, admissibility of SMS OTP and certification frameworks. Given the new mandate that stems from the Cybersecurity Act, this report also describes the role of a ENISA in the area of eID schemes.

ENISA Report - eIDAS compliant eID Solutions

Overview of standards: specifying formats of advanced electronic signatures and seals

The eIDAS Regulation provides the regulatory framework in the EU for electronic identification and trust services for electronic transactions in the internal market.  The creation, verification, validation and preservation of electronic signatures or electronic seals relies (among others) on standards specifying electronic signatures and seals formats to guarantee interoperability and their general usability within the Member States and across borders. 

Member States can recognize XML, CMS or PDF advanced electronic signatures based on the formats respectively named XAdES, CAdES or PAdES, or associated signature containers based on ASiC if they meet technical specifications issued by ETSI. ETSI has published a set of European standards (ENs) taking into account the eIDAS Regulation requirements and addressing a number of issues that have been identified, based on the feedback received from the stakeholders, for example during CAdES/XAdES/PAdES/ASiC ETSI Plugtests™ events.

The scope of this document is to assess the suitability of the recently published ENs to meet the eIDAS Regulation requirements for the purpose of updating the list of standards referenced. It also aims at evaluating the consequences of such update and defines the timeline for a possible transition to the exclusive usage of the new ENs.

ENISA Report - Overview of standards relate to eIDAS

Assessment of the eligibility of referencing ETSI TS 119 403-3 in eIDAS

The eIDAS Regulation introduced provisions at the EU level in relation to qualified trust service providers (QTSPs) listed in the Regulation, and to the qualified trust services (QTSs) they provide. Supervisory bodies in the Member States scrutinise and approve Trust Service Providers and the Qualified Trust Services available.

The eIDAS Regulation does not specify any particular accreditation scheme or any conformity assessment (or certification) scheme against which a CAB must be accredited. This results in practice in divergence across conformity assessment schemes used by CABs.

This report concludes that a suitable candidate standard pursuant to Art.20(4) is [ETSI TS 119 403-3], which sets additional requirements for CABs assessing EU QTSPs in addition to [ETSI EN 319 403], and [ISO/IEC 17065] to specify requirements for CABs assessing TSPs.

ENISA Report - Assessment of ETSI TS 119 403-3 related to eIDAS

Trust Services Forum – save the date!

On the 22nd September, ENISA in collaboration with the European Commission is organizing, for the sixth consecutive year, the Trust Services Forum, collocated with D-TRUST/TUVIT CA Day. The event will take place in Berlin, Germany, provided that the current traveling and gathering restrictions are lifted. As in the previous years, the Forum will focus on emerging issues related to trust services across Europe, in the period of the first review of the application of the eIDAS Regulation, and in particular will aim to:

  • Share good practices and experience on the implementation of trust services;
  • Discuss the latest developments on the framework surrounding trust service providers including standards, implementing acts and technical guidelines;
  • Exchange views on identified implementation and operational issues of qualified trust services;
  • Discuss strategies to promote the adoption of qualified trust services.

For more information: Trust Services Forum - CA Day 2020


Further Information:

ENISA Report - eIDAS compliant eID Solutions

ENISA Report - Overview of standards related to eIDAS

ENISA Report - Recommendations for technical implementation of the eIDAS Regulation

ENISA Report - Assessment of ETSI TS 119 403-3 related to eIDAS

ENISA website page on Trust Service

For interviews and press enquires, please contact


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


ENISA publishes a Tool for the Mapping of Dependencies to International Standards

Mon, 04/06/2020 - 13:00


The web tool presents the mapping of the indicators demonstrated in the report Good practices on interdependencies between OES and DSPs to international information security standards.

This report analysed the dependencies and interdependencies between Operators of Essential Services (OES) and Digital Service Providers (DSPs) and identified a number of indicators to assess them.

These indicators are mapped to international standards and frameworks, namely ISO IEC 27002, COBIT5, the NIS Cooperation Group security measures and NIST Cybersecurity Framework.


Due to the digitalisation of services, all major sectors have an increasing level of cyber (inter)dependencies on digital infrastructures and DSPs. Integrating the assessment of (inter)dependencies in an overall risk management process is a complex process, particularly in the case of cross-sector or cross-border dependencies and interdependencies.

The following framework was used to identify, analyse these interdependencies and then define the (inter)dependencies’ indicators.



The tool contributes to the NIS Directive (Article 3) objective for a common and converged level of security in network and information systems at EU level. It does not intend to replace existing standards, frameworks or good-practices in use by OESs.

By using this tool, security experts may:

  1. Describe the interdependencies among OES and DSP in a straightforward  and comprehensive manner;
  2. Easily identify risk assessment practices for the evaluation of the potential impact of interdependencies;
  3. Define good practices for assessing interdependencies stemming from international standards and frameworks.

Click here to access the Interdependencies between OES and EDPS - Tool

Target Audience

  • Operators of Essential Services (OES)
  • Digital Service Providers (DSPs);
  • National Competent Authorities (NCAs).

Further Information

ENISA REport - Good practices on interdependencies between OES and DSPs

The Interdependencies between OES and EDPS - Tool

 For intrerviews and questions              

Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


Supporting the fight against cybercrime

Thu, 04/02/2020 - 11:00

In an effort to further enhance the cooperation between the CSIRTs, especially national and governmental, and law enforcement agencies (LEAs), ENISA has carried out a survey and analysis of significant issues at hand that are likely to inhibit cooperation. As ENISA usually takes a holistic view of the policy area of CSIRT and LEA cooperation, interactions with the judiciary have also been taken into consideration to the extent possible.

The result of this study is a Roadmap on the cooperation between CSIRTS and LE.

The fight against cybercrime requires the involvement of Law Enforcement Agencies (LEAs), which supported by CSIRTs are likely to be better positioned to investigate complex criminal structures. This picture is incomplete though, unless interactions with the judiciary are equally taken into account due to the pre-eminent role it plays across the Member States in terms of directing criminal investigations.

When CSIRTs, LEAs and the judiciary cooperate, they face challenges that previously, have been categorized, by ENISA as being technical, legal, organizational and/or human behaviour as they associate with organisational culture. Understanding these challenges is essential in an effort to tackle them, further enhance the cooperation and thus stand a better chance in the fight against cybercrime.

Fighting agains Cybercrime: Roles and duties of CSIRTs, LE and Judiciary

In 2018, ENISA confirmed that CSIRTs, LEAs and the judiciary have complementary roles and that incident handling varies across Member States. The data CSIRTs and LEAs have access to varies, and it affects information sharing between them when they seek to respond to cybercrime. While CSIRTs interact frequently with LEAs rather than with public prosecutors, CSIRTs when collecting and analysing different types of evidence, they are called upon rarely as witness in court, even though material they collect during the incident handling typically supports an investigation and prosecution of a crime.

The data supporting this roadmap was collected via desk research, interviews with subject-matter experts and an online survey. The data collected has demonstrated that CSIRTs, LEAs and the Judiciary come across a range of challenges that are likely to impact their ability to cooperate effectively. The legal framework has been quoted as an impeding factor when seeking to exchange data. Discrepancies in the levels of technical or legal knowledge is another one, as it may make communication challenging. The chain of custody in evidence collection might also be an issue when using methods that might make evidence likely inadmissible in Court. Incident notifications and cybercrime reporting differ across Member States as different legal obligations might have been laid out by national law.


Core areas of further analysis and ENISA recommendations in an effort to improve cooperation between CSIRTs, LEAs and their interaction with the judiciary include:

  • Promoting the use of ‘Segregation of duties’ matrix for avoiding conflicting roles and responsibilities of CSIRTs, LE and the judiciary throughout the cybercrime investigation lifecycle.
  • Developing a competency framework for cybersecurity workforce and education and training policies.
  • Promoting knowledge of digital forensics rules.
  • Promoting interoperability of cooperation tools deployed and conceived considering future technologies.
  • Assessing the suitability of cybersecurity certification for common tools and procedures.
  • Simplifying arrangements by creating internal cooperation procedures to streamline exchanges.
The target audience of this roadmap includes mainly, but it is not limited to CSIRTs, LEAs, prosecutors, and judges. This roadmap builds on past ENISA work and it contributes to the implementation of the ENISA programming document 2019-2021, Output O.4.2.2


Further Information:

ENISA Roadmap on the cooperation between CSIRTS and LE

ENISA website section on CSIRTs and communities cooperation

For more information on these reports, please contact:

For interviews, please contact


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items: