/image%2F1027532%2F20160806%2Fob_c45e21_fb-portada)
Graphic credits: GSD
This is why cyber know-how and expertise, as well as services and protection measures are for the most part provided by companies.
Many European Union Member States have published or are in the process of publishing an NCSS (National Cyber Security Strategy). Of these, several have also updated their strategies since their first edition. NCSSs aim to ensure that Member States are prepared to face serious risks, are aware of their consequences, and are equipped to appropriately respond to breaches in the network and information system. However, it is not always clear if and how the effectiveness of these strategies is evaluated.
Evaluation can be interpreted as a tool to assess if and how well the expected objectives have been achieved and whether the costs involved were justified, given the changes which have been achieved.
The European Commission understands that “there are still gaps across the EU, notably in terms of national capabilities, coordination in cases of incidents spanning across borders, and in terms of private sector involvement and preparedness”. The 2013 EU Cyber Security Strategy (EUCSS) asks to “encourage good practice in information and network security” to assist and support Member States in developing strong national cyber resilience capabilities, notably by building expertise on security and resilience of industrial control systems, transport and energy infrastructure.
One of the most important aspects covered in the national strategies is the governance of critical information infrastructures; currently 18 out of 20 Member States’ strategies include CIIP as an objective.
Collaboration with the private sector is not achieved through a formal way. Specific settings are introduced like working groups, public-private partnerships and in some cases even through legal procedure to make sure that all relevant stakeholders are involved in the critical information infrastructures protection.