ENISA releases the analysis and recommendations for CIIP

European Network Information Security Agency (ENISA) published  a study “Stocktaking, Analysis and Recommendations on the Protection of the CIIs” which overviews the situation in seventeen EU Member States. According to the survey, in most of the surveyed countries, the responsibility for protecting the national critical information infrastructures (CII) falls on cybersecurity authorities, emergency agencies or national or national regulators, rather than on intelligence agencies. Majority of national authorities bare responsibility for operational aspects of CIIP, while some of them also contribute to strategic planning and decisions such as strategy papers or legislation. Legal responsibility for CII operators appears to be strongest in telecommunication, energy and finance sectors, though this varies across the surveyed countries. The study also reports that cooperation with private sector is high in most countries, even though there often lacks the institutionalised forms for cooperation and public-private partnership (PPP). The study also provides a number of recommendations, including institutionalising the PPP, establishing mandatory incident reporting, conducting national risk assessment, and looking for incentives to the CII operators to invest in security.