Good afternoon all. My name is Richard Browne from the National Cyber Security Centre here in Ireland and welcome to another IIEA afternoon session. This afternoon we have a particularly interesting one. We have Juhan Lepassaar from ENISA, the European Network and Information Security Agency. For those of you who aren't aware, ENISA have been around for more than 15 years now, but in the last year and a half they've gotten a much more dramatically expanded mandate, a set of new roles, and they've also been put on a much more firm organizational footing within the Commission structure. It's interesting for a number of different reasons to have ENISA present at such a level on a day like today because they've taken their place in a very complex set of organizations both within the EU structures and without. ENISA has a role in dealing with a number of different aspects of cybersecurity, both in terms of technical advice and support and in terms of organizing and structuring the collective response to cybersecurity incidents, but in doing so they play a role along with a large number of other European and non-European entities including, for example, within Europe, the OSCE and NATO and, on a global level, the UN. So ENISA are stepping into a very crowded field with a lot of entities who play long-standing, very firm roles, many of them with national security components, which makes ENISA's role particularly challenging. Mr. Lepassaar is going to talk today largely about the EU cyber crisis cooperation framework, which is a critical part of the EU's collective response to cybersecurity incidents, pretty large scale cybersecurity incidents. Mr. Lepassaar is going to speak to a set of slides which we'll come to in a second. After that we'll take some questions. I have some and I'm sure people on the panel will as well. So we look forward to hearing Mr. Lepassaar's comments and taking questions thereafter. Juhan, please.
Thank you very much Richard and I don't know, it's afternoon in Ireland as well. It's a pleasure to have this opportunity to discuss the EU's cooperative response to large scale cross-border cyber crisis but also to look at what the framework for this response in the EU is now, how it has developed, who are the actors and what is the role of the agency. So I want to thank Richard for this very good introduction. However, I just have to make one caveat. Now, I do the presentation as well as I can, but I also invited two of my colleagues to join me. So I have Demosthenes, who is the head of operational security in the EU. So if you have very detailed or specific questions, I hope that Demosthenes can also help me and assist me to answer them. And I also have Laura Heuvinck, who actually, despite the Belgian name, self-identifies as an Irish woman. So I have a local, let's say, bridgehead as well, from Ireland. So if you don't mind, I will just go straight to the presentation and we can have a Q&A as Richard proposed afterwards. So I'll try to share my slides. I hope that everybody sees them. Please. It works fine, Juhan. It works fine. Excellent. So in the last five or six years, let's say, the EU has taken quite a lot of steps forward in order to secure the European cyberspace. And I've just used two quotes from the previous president of the European Commission and the current president of the European Commission to showcase that there has been a big priority from the political level of the EU to look at security and look at what Europe can do in order to boost our resilience and make sure that we improve information sharing, not only between member states but between different actors in the field. And we build up step by step a collective incident response involving the member states but also the EU actors. So you have the quote from Jean-Claude Juncker from the Tallinn Digital Summit that was held in September 2017.
And then two years later, a quote from President Ursula von der Leyen, both highlighting the need for more cybersecurity at the European level and President von der Leyen also making a call for an enhanced European cybersecurity agency. The EU framework was built up during the past five years and it involves a number of legislative pillars, I would say. So we have the Cybersecurity Act that entered into force last summer, 2019. As Richard said, this brought about a huge expansion of the mandate of the EU cybersecurity agency. But we also do have the NIS Directive, so the Network and Information Security Directive, that looks at critical infrastructure of Europe and how it should be protected from the point of view of cybersecurity. The NIS Directive entered into force as well in 2018; it was adopted by the member states and the Parliament in 2016. And what the NIS Directive does, it essentially establishes a kind of a risk management framework for these critical sectors. But it also, and I think I'll go through it afterwards as well, it also establishes a network of national computer emergency response teams. And this network has really become an instrumental pillar of European cyber crisis response. Recently and in parallel with the Cybersecurity Act, the Commission also launched a blueprint, which is a kind of a framework for coordinated response to large scale cybersecurity incidents and crises, trying to pinpoint the different layers of cooperation and how they should synergize their actions. And we also have the Cyber Diplomacy Toolbox, and I think that's quite famous as well, has been used in order to, it could be used also in order to impose sanctions as response to cybersecurity attacks. However, today I will focus on the three main, let's say, legislative pillars plus the blueprint. So I look at the Cybersecurity Act, the NIS Directive and the political framework.
I will not so much look at the Cyber Diplomacy Toolbox, partly because the mandate of ENISA is really focused on the internal market. So when we talk about challenges for cyber crisis management, of course, at the union level, one of the big challenges that Richard alluded to as well is that cybersecurity is part of a national security dimension. And of course, that means that member states play a key role and an important role which should be recognized by all other actors. However, I think recently member states also have understood that, let's say, the effectiveness of cybersecurity response at national level depends on the effectiveness of the overall framework at the European level. So let's say 15 years ago there was a tangible tension between the operational cooperation elements at the national level and the union level. And this, I wouldn't say that it has disappeared completely, but there is more and more willingness to cooperate at the union level, and there is more and more understanding of the need for it. However, on some of it, of course, when we look at the specific challenges for cyber crisis management, one of the biggest issues is that it requires continuous vigilance, 24/7 understanding of the terrain and the developments on the terrain. The second big issue is, of course, trust between different communities and stakeholders that are involved. And this trust needs to be built day by day through collaboration. The third big issue is information flow, but also the way that information is gathered and synthesized and the requirements for this on the different layers that operate within the cyber crisis management. So we normally differentiate between technical, operational and political layers. And of course, finally, the big issue in this complex environment is as well to avoid duplication of efforts, given the number of actors and the number of players involved, so how to do that.
So these are, let's say, at the outset, the main big challenges. And now I would like to just talk you through the actors and then the framework in more specific format. So when we look at the EU cyber crisis collaboration, who are the players at the different levels? So first we look at the technical level. And as I mentioned, there the baseline or, let's say, the foundation is the computer security incident response teams, which are formed nationally. And when they collaborate, they are called the CSIRTs Network. So this is really the experts, you can call it the nucleus of a European cyber army. They are at the forefront of any kind of an incident nationally, but also at the European level. We do also have the computer emergency response team for the EU institutions, bodies and agencies, the CERT-EU. They are part of the technical level, but they're also part of the operational level because they have also a role in the blueprint. Now, when it comes to the operational level, of course, the agency now, with the Cybersecurity Act, has a very clear mandate to support and synergize the activities of different actors at the operational level. We have the European Commission services like the CERT-EU, but also DG CONNECT, DG DIGIT. We have the Cyber Crisis Liaison Organisation Network, which is called CyCLONe. And the CyCLONe group is essentially the network of national cybersecurity authorities like the BSI in Germany or ANSSI in France, or where Richard belongs to in Ireland. Then we have the EU INTCEN, which is the European Union Intelligence and Situation Centre. It's an intelligence body of the External Action Service at the European level that provides insight and cyber awareness. And then, of course, there is the European Cybercrime Centre, the EC3, in the Netherlands, attached to Europol, which coordinates cross-border law enforcement activities against cybercrime.
And at the political level, of course, we have the European Commission in the form of the College of Commissioners. We have the European Council and the Council of Ministers at the EU that can be convened. We have the European Union External Action Service. And finally, of course, the Integrated Political Crisis Response mechanism. So quite a lot of players and layers. And how they all interact, that's the slide that I try to explain now. Of course, in the nucleus of it is the contents of any kind of cyber collaboration, which means: how do we observe the cyber ecosystem? How do we orientate ourselves? How do we make decisions at the European level? And how do we act? All these different layers have a role to play, and an effective preparedness entails adequate support to the existing cybersecurity bodies in order to accomplish these missions. The three-layer structured approach of cyber crisis response in the blueprint essentially looks at the technical, operational and political levels. And it recognizes that all these levels and all these actors have their different areas of activity, but they are interdependent. And what the blueprint tries to accomplish is that interdependence means that we need to collaborate, and collaborate among three main issues. Firstly, to create common situational awareness. Secondly, look at how we can coordinate our response to any kind of a cyber crisis. And finally also how we communicate coherently to the European public regarding crises which are cross-border and at large scale. So these are the aims of the blueprint. And of course, this is something that the agency tries to assist in. We do that in a number of ways, but the main issue is of course exercises. So these are the best way to bring all the actors together and to test the capabilities and their capacities to collaborate and cooperate with each other. So we have actually two exercises foreseen for the next six months.
One for the CyCLONe group that will happen in September, where also Ireland will participate. And the other one to look at building the standard operational procedures on operational cooperation, reaching the political level and covering also communications, at the end of November. So this is something very tangible that ENISA does. And the question of course is how ENISA, or the agency itself, is positioned vis-à-vis all these actors. We do act as a secretariat for the CyCLONe group. We give them active support for cyber crisis coordination, but also help them to create the situational awareness. Vis-à-vis the CSIRT community, we also play the role of the secretariat and we again support them for incident coordination and creation of a common situational awareness. Vis-à-vis the Commission, we of course assist and advise them as regards developments in the cybersecurity field. And the CERT-EU, this is something that I'll come back to. I would call it, let's say, a structural cooperation framework between ENISA and CERT-EU that is now being built up, which is not only about situational awareness, but also about capacity building and how to provide better technical assistance to member states. So all these roles were strengthened with the Cybersecurity Act that entered into force in 2019. And I just referred to one article and I think it's a constant theme in this operational and cooperation field. This is Article 7, which gives ENISA the mandate to cooperate at the operational level and establish synergies between EU bodies and agencies and actors, but also between EU and national level. Especially when it comes to exchange of know-how and best practices, but also provision of advice and guidelines so that when crisis hits, everybody knows what their role is. And to establish practical arrangements in order to make sure that in times of crisis we do have standard operational procedures ready.
Now I would like to perhaps go into a few more details about the CSIRTs Network, which as I mentioned was established by the NIS Directive in order to contribute to developing confidence and trust between the member states and to promote swift and effective operational cooperation. We currently have more than 39 incident response teams which have been appointed into the CSIRTs Network and we have more than 250 team members registered in the CSIRTs Network infrastructure. They've held more than 11 meetings, plenary meetings, and this kind of regular network has actually been very, very helpful in building the operational cooperation and operational response capacities at the union level. They exchange information, they consistently build trust, they improve the handling of cross-border incidents and also they discuss among themselves how to respond in a coordinated manner to specific incidents. What we did, for example, during COVID-19 is that the CSIRTs Network was put on alert mode and that was very, very helpful for all parties involved. Because the level of information sharing between the technical experts is something that really enables member states to prepare better for any kind of potential incidents. ENISA, as I mentioned as well, has a number of roles with the CSIRTs Network. We play the role of the secretariat, but of course the little honeycombs that you see, they try to essentially summarize the different roles of ENISA with the CSIRTs Network. So we do help them in organizational and technical matters. We help them in developing the standard operating procedures. We also keep a liaison of the CSIRTs Network with the Cooperation Group that was created via the NIS Directive. So perhaps a few words about the COVID-19 situation. We did not see a cross-border large scale cyber crisis which was related to COVID-19. We did see an uptick of cyber incidents. For example, there was a 677% increase of phishing attacks.
The health sector as a sector of course was at the forefront of it, but most of it was opportunistic cybercrime. So we didn't really see a huge full-scale cyber crisis in Europe and partially I would say that this was due to the fact that the CSIRTs Network was put in alert mode and the technical exchange of information and the technical cooperation that has now taken place over more than five years has been very useful in building the resilience and building the collaboration between the member states. So for example in the COVID-19 context we also reached out to several of the actors that I mentioned in this big diagram so that we brought all these actors together and started to exchange weekly information about the cyber situation. And we called them essentially info hub reports and that was very useful not only for different actors involved but also for different sectors to understand better the cyber threat landscape and take precautionary steps if necessary. So this COVID-19 scene also helped us to utilize the situation in order to play through the blueprint and to see how information can be exchanged between the different layers, the technical, operational and political layer. Maybe a few words more about the cooperation between ENISA and CERT-EU. This is again something that is foreseen in Article 7.4 of the Cybersecurity Act, which requires ENISA to set up a structured cooperation with the CERT-EU in order to assist member states in a number of activities that are related to operational cooperation, like capacity building but also looking at long-term strategic analysis of cyber threats or helping or assisting member states in the technical assessment of cyber incidents. This kind of structured cooperation is now being set up as we speak, essentially, so both ENISA and CERT-EU governance structures are engaged in dialogue in order to set a framework for it and we hope that in October this year that will be endorsed.
It will also include the setting up of an office for ENISA in Brussels, so where CERT-EU is situated, because that's the best way we can utilize different synergies in these tasks. And of course once this office is set up it could also play a role in other future developments vis-à-vis the operational tasks that are given to ENISA by the Cybersecurity Act. And one of them of course is the concept of the Joint Cyber Unit, which is something that the President of the European Commission has outlined in the beginning of her mandate. And indeed if we look at the concept of it, it is clear that though we have now these two legislative pillars that deal with cybersecurity, and we do have the blueprint as a political framework for looking at how these different actors who are in the field can better cooperate, we do lack the coherent response mechanisms at the European level. There is a fragmentation in the EU response landscape and of course there is also a lack of an overview of capabilities or skills that could be utilized in this response. So the Joint Cyber Unit could have a role in coordinating and bringing the activities together. It could look at the cyber threat intelligence and consolidate a single view around it. It can better interlink the technical, operational and political layers, have a role in rapid reaction. That doesn't mean that it takes over the obligations and role of the member states, but really to coordinate any kind of response at the union level. And it can act as a platform for cooperation, rapid information exchange between existing cybersecurity bodies. And ENISA, due to the Article 7 mandate, of course can help in a leading role in setting up the Joint Cyber Unit, leveraging also the structural cooperation with the CERT-EU but also looking at other activities within the mandate of ENISA. And there are quite many.
Of course first there is the operational and cooperation mandate, where we support member states with respect to operational cooperation with the CSIRTs Network. We provide them with assistance in response to requests if necessary. We also contribute in developing a cooperative response framework for union and member states for large scale cross-border incidents and crises. But we also do have a number of other tasks which are relevant for the Joint Cyber Unit and for any kind of EU cyber crisis cooperation framework. Firstly of course Article 9, again from the Cybersecurity Act, gives ENISA the task of performing long-term strategic analysis on cyber threats and incidents in order to identify emerging trends and help prevent them. We have a huge role in capacity building. Every second year we organize pan-European exercises. Actually this year should have been in the health sector, which due to the COVID-19 situation we slightly postponed and changed. But the fact that these exercises were foreseen to take place, that of course helped member states also to prepare a bit and look at the capabilities that the health sectors now have. However, in the capacity building it's not only about exercises. We do assist not only EU institutions but also member states to improve the prevention, detection and analysis of cyber threats and incidents. And to look at all the capabilities that they have to respond to such threats and incidents and what can be done in order to raise the level of cybersecurity across the fields. So we offer trainings but also look at guidelines and best practices. I mentioned standard operational procedures, et cetera. We look at skills development as well, for example. Then Article 11, research and innovation. We advise the union and the member states on research needs and priorities with the view to enabling effective response to current and emerging risks and cyber threats.
And of course last but not least we have a role also in engaging with the private sector and building a partnership with private sector stakeholders who do have a stake in making sure that Europe is cyber secure. Now, private sector entities are not part of the formal governance structure. This is of course something that perhaps in the context of the Joint Cyber Unit can be addressed further, because quite often they are at the front line of any kind of cyber incidents. Whether they are detecting any kind of malicious behavior in their own networks or services or they see it on the ground. So having a good cooperation and collaboration between the private sector entities and the public sector entities in order to enhance any kind of EU cyber crisis cooperation framework would be essential. And I would like to actually finish my presentation here and I'm very happy to take any kind of a question or comment should you have one. I also would like to ask whether Demosthenes, my head of unit for operational security, has anything to add to what I've already said. Thank you very much.
Juhan, thank you very much. And thank you for a very useful presentation. I'll ask people if they would put their questions, or any questions they have, in the, you know, in the box, and I'll pick them up as I go along. There are three there already, but I'm going to exercise my prerogative here to ask one very specific one first. First, as we go on, is the Joint Cyber Unit. I mean, we know this is very much an ambition of the new Commission and President von der Leyen, in terms of how this should come into effect, but I have a very practical question in terms of how it'll actually really improve the response to cybersecurity incidents across the European Union.
In two ways, I mean the first thing is from our own operational experience, the speed at which the European Union collective response mechanism can spool up and get ready and, if you remember previous experience during WannaCry, for example, or NotPetya, the national response, and our national response, was many hours old before the European response woke up. And we're not unique in that; everybody was ahead of that process, and trying to coordinate across a large number of member states, some of whom may have very little interest or involvement in an incident, some of whom may be very heavily involved, would be very challenging. The other question I would have around that is much of the information related to incident response is either national security sensitive, or it is heavily commercially specific. It is a company with a problem, it is an entity with an issue. How does, how will the Joint Cyber Unit, and I know it hasn't been announced yet, we're waiting on the details of it obviously, engage with those kinds of challenges in a real-time environment?
They're all very pertinent, good questions. I mean, first of all, when it comes to response, let's say the first responders will always be the national authorities and the Joint Cyber Unit does not aim to take their role away. I think the question is how national authorities can respond better, having a knowledge that they are within the European framework, and what might happen in the neighborhood might also affect them, and how do they gain insight into this information. So the key really is the common situational awareness, the understanding of what goes on, and having, let's say, the necessary knowledge and awareness in order to do your job, which is to respond. Of course, there might be also cases. And we've seen that the coordinated EU response might make sense as well in order to protect critical infrastructure, for example, which is quite often cross-border.
So you need some sort of cooperation in there, and preparing for that and building for that in terms of developing trust between the different players and having the cooperation and collaboration mechanisms ready so that they can be utilized if it's necessary, is something that the Joint Cyber Unit should aim at. And this brings added value to what member states are doing. And again, as I started, the big challenge is that, as you know yourself, it is about national security quite often. So the question there is, this is something that we need all to respect and see how we can help member states to take their national security seriously and essentially act upon it.
Thank you. I have two questions from General Herron on the same issue. And I think his second question is pertinent. He asks, is there an appetite amongst member states to form a JCU? I don't answer that on your behalf. It depends. It depends on what it is. I think Juhan, you've already commented on that specifically in terms of exactly what the Commission hopes it will bring to bear. There's another question here on the UN process. I'll come to that at the end, on the OEWG and the current UN processes on cybersecurity and cyber diplomacy. We have a national involvement in that as well, obviously. We have a question here from someone on the role for cybersecurity and rapid response teams working on a cross-border basis. Do you think that could be an outcome of the JCU? I know some member states historically very much had an interest in that, including member states close to your homeland.
Yes, I think it could be part of the JCU framework to have a trusted and vetted pool of experts, technicians, who perhaps can be useful to tap into when you have a crisis back home. Again, there is a limit to this. At the end of the day, I'm not a cybersecurity engineer myself, but everybody tells me you don't let other people inside your systems.
But you do value advice in a friendly format, let's say, or just having a mirror sometimes to reflect whether your activities and actions that you have taken in order to respond are adequate enough. So these kinds of things do pop up from time to time. We've had requests from member states to provide assistance, so we've seen the need for it. It's not something that is theoretical, it's quite practical. And to be clear, we already have a pool of experts. I mean, we talk about the CSIRTs Network, so it's 250 technicians. It doesn't seem a big number, but they are very knowledgeable and they know what they're doing. And they do build trust with each other by collaborating and cooperating on a regular basis. And that is what is necessary. Also, when we look beyond national CERTs, we do have sectoral CERTs. So we have people working within our private sector providers, service providers, who also are part of this community. So I think it is a bit wider and we could find ways to perhaps organize this community in a way that if sectors or member states are in need, they could, if they themselves request, tap into this resource.
It makes perfect sense. I'd just add to that in terms of the CSIRTs Network. Our experience of it is that in and of itself it's a hugely valuable tool. It's a way of exchanging information and making contacts. But where it really comes into its own is in terms of sharing information and best practice offline. So it's the contacts made during the CSIRTs Network meetings that allow you to follow up with tools, specific developments on best practice, on developing new tools to deal with very specific challenges. And it allows member states to network in a very real operational way very quickly. Just to reconfirm something I should have said at the outset, this entire session is on the record. So obviously everything we say is on the record. Those of us working in cybersecurity have to work on other bases anyway.
Unfortunately, the, there's a question there. I mean, from Fanaka, I'm missing the name, I'm sorry, on the current UN process for setting norms. Does ENISA have a view on how that process is going and where it should end up? What do you see as the role for the European Union in cyber diplomacy in the future? I mean, is it a key development in terms of sanctions and everything else?
I think the EU has been quite busy in building up the cybersecurity framework internally. I think, and it's very important, that we do have not only the Network and Information Security Directive but also the Cybersecurity Act, so that we have these legislative pillars. And if we look at what the EU can achieve when it defends its values globally, I think it is something worth noting that, for example, in the context of privacy protection, the EU has been leading in terms of establishing certain principles that have now become, I would say, global. And I think we have an opportunity there also to do a similar exercise in cybersecurity. Now, we do want to have a cyberspace that is based on law and good behavior. So the UN process is a good one, but I think at the end of the day, what the EU must do is to make sure that we act upon our values and we do promote our understanding of how cyberspace should be utilized and what is acceptable behavior, what is not acceptable behavior. So I think we do that in the right, let's say, sequencing, firstly establishing a clear framework inside Europe and then looking at what happens globally.
Absolutely. I mean, just to add from a purely national perspective, the European Union has played a really important role in the development of international internet governance policy as well. So the European Union, through coordination at ICANN and other international organizations, plays a critical role in developing international norms across the internet in general.
Cybersecurity is another very good example where its coordination function within Europe allows European Union member states pooled or collective sway, if you like, on the global stage. And I'm talking about the UN Security Council as well as another example of this, and deliver real change. So if you look as far back as WCIT in 2012, where the European Union and others operating as a group, and other interested states, managed to preserve the internet in much the way it is right now: free, open and secure. And that challenge is not going away, as people will be fully aware, unfortunately. Switching gears really quickly. Bob Semple has asked a very specific question about board members, public and private. So he asked how do you assess the level of awareness of board members in understanding and appropriately governing cyber risks, control and resilience in their organizations. Now, for most of you, that's a really arcane question, but for those of us who are unfortunately involved in the application of the NIS Directive process. If you have a follow-up question on this, this is utterly critical, because one of the fundamental challenges the European Union as a whole is facing in the application of the NIS Directive is to ensure a single cohesive level of cybersecurity in critical infrastructure. We're talking about a small pool of companies at the European level, but it is the ballgame. So Juhan, I'd be delighted to hear what you have to say.
The understanding of how the NIS framework has actually affected the actions of companies and whether it has brought change is something that we are now looking at. The agency actually launched in summer a call, you know, to build up a study or analysis of how the NIS has triggered investments in the critical sectors, but also looking more broadly at, you know, what is, as you say, the understanding of board members about cybersecurity.
I mean, unfortunately, so far we don't have, we lack a kind of a regular monitoring tools in order to understand it, but this is something that the agency now wants to develop kind of an index or a benchmark that you could use in order to look how the cybersecurity has developed, not only over the past years, but also how will it develop in the future, whether we have managed to increase the overall level of cybersecurity or whether we are still lagging behind in a number of areas. So I don't want to give you the quantum response now because I'm waiting for the outcomes of this study, but this is something that the agency will now probably undertake as a regular exercise and not only in terms of investment but precisely how companies understand the critical elements in the NIS directive, what policies they have adopted to actually bring change about whether it's followed up by investments and whether we can actually detect change on the ground as well. I mean, every year we have new stories coming in and every year the stories are very similar, more cyber attacks, increasing, more complex. So that doesn't change, but what change in terms of response, we don't really see that yet. I mean, we do have some evidence that we become more resilient, that we take our role more seriously, that there is more systematic approach in order to tackle these issues, but we don't have good metrics. So that is something that the agency now wants to develop. Yeah. Oh, again by means of national response. First of all, I completely agree. The, this goes back to the very fact that the NIS directive is heterogeneous in this application. Everybody has their own set of security measures. So a single benchmark to Bob's question is going to be very difficult to define that in an ESA level. Secondly, there is a real timing issue here for us. We're running into a review of the NIS directive now, but we're only two, two and a half years into the application of the directive itself. 
And we're seeing in our own domestic application that is a very, very understanding and bringing everybody up to the same level takes time and it takes the application of audits and legal tools and all of the things you'd imagine. So this is not going to be a simple process. It's going to be an interesting one to discuss in the context of review and any draft legislation thereafter. I'm switching gears very quickly. We have a specific question here from Irene Leroy about the, about the communication from the Parliament. Sorry, from the commission to the Parliament about the risk of foreign dependence in the IT field. And the question is about cyber autonomy for the critical infrastructure sector. I'll broaden that briefly if you wouldn't mind. There's been a very significant amount of discussion over the last five years, I suppose in Europe about the idea of European digital strategic autonomy. And writ large, this is a number of implications potentially from Member States. And this is a very specific question about IT. We could make the, we could make it even more specific and talk about 5G for example. If you take the discussions we're all having around 5G and hours have been extend for a long time and we're nearly there to the end of the process. Now, what does that mean for the rest of IT? What does it mean for cloud computing? What does it mean for the physical infrastructure we rely on to run our other critical infrastructure? And where does this go at the European levels? That's a big question. Sorry. I think the big framework issue is that Europe should not be naive about its strengths nor its weaknesses. 
And I think we've seen that over the past two years when it comes to the 5G that we do have, if necessary, we can pull our act together and find the ways how to transparently and openly, but also I would say in a way that reflects the protection of European interest and values, build up a framework in order to assess any kind of risks in new emerging technologies or in existing technologies and also see how these risks then can be mitigated at the national and EU level. So for the 5G, of course, this has been at the forefront. The 5G risk assessment which was based on the national risk assessment was concluded last year. We developed the toolbox, which is essentially a set of technical but also strategic measures that can be taken at the national member state level. And we just recently concluded a review, not of the review of the toolbox, but the review to understand how this toolbox has been implemented. And we've seen that, of course, things that take time, but once you get the train in motion, you know, the general direction is very positive. So you do take measures both national and EU level in order to increase the resilience of this future critical framework. So 5G is one area. So how do we operate with others? I think the 5G template is not always useful in order to follow other areas. But for other, for example, you mentioned cloud, we might have other tools. So ENISA was requested by the Commission to come up with the draft certification framework for cloud service providers. We have been now looking into over a half a year. We convene an expert group that does a good work, and we hope that by the end of the year, we will have something more solid ready. So you can also address these, let's say gaps or issues via a certification tool. 
The certification tool is voluntary, but there remains the question whether, for example, within the framework of the NIS review, once a European certification framework is established, should the operators of essential services adopt it? I mean, does it remain a voluntary solution then or would it be something that is a benchmark that they should follow? And I think we also will have a discussion whether the cloud service providers will be part of the tier one service providers in the context of the NIS directive, whether they will become, let's say, part of the critical infrastructure in Europe. So we don't have yet all the answers, but we do have the tools in place. And I think what is important is that we also have a very clear policy line, which is not to be naive about it and do adopt measures across the field, across not only within the context of cybersecurity, but also in the context of how to build competitiveness within the internal market, how to look at our industrial policies or research innovation policies, because these are also part of the answer. I tend to agree completely. Yeah. I mean, there's a lot in the question. That's a very comprehensive answer. Thank you. We have a very specific question here about defense from Mary Cross asking if ENISA is contributing through the EEAS or otherwise to member states, military capacities and cybersecurity. I think I know the answer, but please. Yeah. Well, ENISA is an internal market agency. So the baseline of my operations is, of course, the internal markets, making sure that we can raise the resilience of the products, the services that are put on the internal market, that we make sure that the critical infrastructure that supplies the services from one member state to another is protected in terms of cybersecurity. We do now have a mandate also in operational cooperation and operational fields. 
So we do assist and help coordinate any kind of an action between the member states and the EU bodies when it comes to response to large scale cross border crisis. And of course, this is an area that touches upon national security, as I mentioned as well. Now, we do not act as an agency in defense because that's outside of our remit, but we do have a clear understanding of the ecosystem and we do cooperate and collaborate with the bodies who are in mold. We have a memorandum of understanding between the four agencies. So it's ENISA, it's the EU, it's the European Defense Agency to undertake actions on a yearly basis in order to look at capacity-building activities that we do, look at the awareness-raising activities that we do also build up and help to build up the common awareness. Across the board. So we do this, but we all have our own remits. So I would not say that we act in the area or in the domain of defense. No, we don't. Thank you. If I might, Mary, as well, just to point out, when the cyber-military and off-military is a very vexed question, and it's like, let's go with Johan's answer, it covers it very well. I have a question from James Cafery and for the purposes of transparency. James is a staff member in the Department of Communications on digital sovereignty and operational cooperation with U.S. multinationals. Is there a potential policy impact from a push towards greater European digital strategic autonomy on international cooperation with these companies? And it's particularly challenging when, I mean, potentially you're looking at a situation where Europe might be requiring member states to put in new certification frameworks on cloud computing and potentially other digital services, and yet at the same time require certain other types of ongoing cooperation and other matters. 
Well, again, I mean, there is no, it's a bit of a question whether I believe that the rules and the framework that we are building is fair for everybody, or will it, in case some parties consider it as being detrimental to their interest, would they retaliate? I mean, in my point of view, I think we should be rather agnostic to this. I mean, we should build a framework that we believe makes sense for us, which is to expand and open and lets everybody to operate in Europe according to the rules that we set up. So I don't, you know, I don't want to name any third country players, but as long as they follow the rules, as long as our risk assessment vis-à-vis them points that there are no big issues, I don't see a problem. So, but I think it's important to maintain a rule-based cybersecurity framework in Europe in future, but a rule-based also, which is not naive. So we have seen how third country players have misused some of the gaps that are existing in the framework, and that's not for the benefit of European society, nor for European economy. So we do need to upgrade and patch the framework, you know, for this to be top notch and resilient, in a sense. So it's a kind of a rule-based game. You know, some might not like the rules, but these are the rules. I mean, just to reinforce that, I would agree completely. One of the real strengths of the European Union that we've all known and understood for a long time is the rule-based, transparent nature of its transactions. So if you look at something as resilient as GDPR, which has had essentially global implications in a very transparent way, it's a really useful example of how the European Union can exert soft power on a global basis. And the same thing applies in cybersecurity, but particularly what's of particular interest in the last while is the extent to which the European Union can operate politically, collectively, when it comes to a challenge like 5G security. 
There's been maybe not a complete course along the same line, but very, very similar moves by a large number of member states at senior political level, around the same end goal, which is greater European autonomy and security. So I think the European Union has developed very significantly in that regard in the last while, and I think we've completed your response. And on the same line, we've got a question in, sorry, Thorlick Dean has made a comment about public health and 5G and disinformation on that being an issue. We might come back to disinformation at the end if we have a minute, but there's a question here about NATO. Andrew Rue has asked about the development of cybersecurity under NATO. He's mentioned the operation of cyber threats under Chapter 5, I presume Article 5 of the treaty. Is the tendency of member states to gravitate towards NATO and the US letter, brother? Could that hamper the emerging collective effort at the European Union level? Is this one or the other type of situation in your mind? Let's say, I mean, for me, cybersecurity is a very practical issue, and it comes down to very specific infrastructure that you have in place or services that you have or try to maintain. And of course, part of it is very much linked to national security and defence, but other parts of it are linked to how your economy and society functions. So I wouldn't say I wouldn't draw this line of member states gravitating more towards NATO or EU when it comes to collective cyber response. They need to do both, and they're doing both. And we also have member states who are not part of NATO, Ireland also. So it's a question of maintaining a good overview and making sure that all the critical sectors and the critical infrastructure is protected at adequate level. I agree completely. I believe you said the fact that Ireland isn't a member of the European Union. We all have a collective response at a national level to security issues of this type. 
And sometimes they're in our space about resilience and defence of civilian infrastructure, and sometimes they're military and they're very uniform. And it's a different field, but very much related to what we do. And that's great. Johan, we have taken up an hour of your time, and we're just about done. Do you have anything else you want to add before we close? I don't have anything to add, but I just wanted to thank everybody for their very good comments and questions. I think it's a moving terrain. Operational response at the union level is something that is very, very new. We're still building it up. So these kinds of exchange of views and Q&As, actually, they help also to clarify the picture, but also to understand better what is the added value that the union level action in this field can bring. So thank you very much for your comments and questions. And thanks Richard for inviting me. Thank you very much, Johan. And just to reiterate exactly your point. ENISA is a cog in a complex set of organisations that play a critical role in security, not just of the European Union, but of the services that millions of people's lives depend upon. And how we all collectively engage at a European Union level is going to be critical to the development of future security solutions. So, you know, we look forward to working with ENISA both at the working group level in terms of any future legislation, but also operation. Thank you. Thank you very much.