So, let's go to our topics. A short introduction to ENISA. We were founded in 2005. It was just a period when the European Union was enlarged from 15 to 20 countries. It was a time when the economy was really running well. We had so many games in Greece, so there was a lot of euphoria at the time. And it was something, if you look at our sector, IT, IT security, if you look for the Internet, it's just around 15 years. So, we're talking about a short period. And I think the good message behind this, if you talk about ENISA, IT security, it's something that the politicians over the past years took responsibility. They have more awareness. If you go back five years ago, not really everyone, you're going to talk about IT security. But if you look now into the cyber security strategy and into this directive, it shows that you have different areas from the internal security of the digital agenda, from affairs, from action. It shows that the people are discussing this and putting it together as a big picture for Europe. So, we are basically doing two things. We are looking into certain topics, technologies, threats, and what we are really thinking into the future, and then supporting member states and the Commission for the legislative processes. The second part is really supporting member states. We go into the member states. We help them to build up computer emergency response teams so they have questions in the legislation. Because this is really for us operational work, to sort of increase IT security level. And here I want to give you some kind of example. Of course, when we go to member states, just to picture that a lot of our staff is on a lot of missions. We try to cover every part of Europe. So, this one in Dublin is the newest one today. So, this shows that we really go to the member states and of course, most of the things we are doing in Brussels. What changed if you look back into the past?
If you look into this online world, something where, on one hand, the generation challenge, because if you look back and if you had parents and children, the parents told the children how to drive a bicycle. And today it's in a lot of cases the other way around. We have social networks, but the question really is does it change the behavior of our society because we treat differently today our privacy life, our privacy data, we open it. So, the question is now how to deal in this area with IT security? We have industry which now depends on IT security processes. Which depends on IT, of course. You have governments who depend on IT. You have supply chains in IT. So, it's something, if you look, this as we say, our society depends on IT. And the question is also when we say a lot of people are online, what's the digital divide for those who are not participating in this area? But if you're talking about those who depend on IT, it's something that the question is, what is the responsibility of the government or the state for the economy and for the citizen? And this is some of the basic background if you look at ENISA, that you say we are a common market agency if you look into our scope of the regulation. We want to increase IT security for governments, for the business area and for the citizen. And this is something which comes out of this. If you look at this, some parts of our mission, I think it's something where the question is, how to make this world safer? Because not everyone thinks about it from the first step. If you look, for example, all of you have smartphones, how much security is in a smartphone? It's the same like if we see a couple of years ago, where also IT security wasn't there. So the question is here that we say we have this kind of devices, we have critical infrastructure, but the question is everyone hopes that a nuclear power plant is not connected to the internet.
So there are certain things where we say we have really systems which have to be secured in another way. So it's something where the risk changes and which is something we talk about cyber attacks, it's something that shifted over the last 20 years. There was a so-called ethical hacker who showed I can attack the system, and then there wasn't a screen I got here. But today it's something where we have criminal school and money. In some cases you can earn money, more money in the cyber criminal space than you hear it with practice. It's much easier for you, you sit somewhere on the PC, you have to come out and control the cyber, and that means you remove the cyber criminals. So this is something where the virus changes and if you look into this, it's something, what I said about this 15 years, we started you know with computer viruses, phishing, if you look at phishing, it also shows that human behavior unfortunately doesn't change. In the past somebody went with a pistol to a bank, today it's phishing, it's also getting money from your bank. But there's one difference, if you have your money in a bank, and it's a robbery with a pistol, your money is by insurance, there you have to talk to your bank to say, some of you take your money because they take your bank account. If you look for spying, it's the same as in the past, the truth has changed. And it's much easier with Trojan horses, paying emails, and it's also that the social aspect is still the same. You try to build up trust for somebody and then you open attachments, you have Trojan horses on your PC. On web, it's remote-controlled PCs. We have critical infrastructures, you know Stuxnet, attack on uranium, uranium nuclear power plant. And the second, you know, cloud computing is a business model. And the question is here, will we see attacks on cloud computing providers? So, if you look from this, the answer is, why should we? There are no attacks. How do we prevent ourselves?
How can we do the best that the damage is not so high and that we can secure our assets? This is a typical report of ENISA. We published it last year. It's a so-called threat landscape report. The challenge if you talk about threats, what threats do we have? And then if you ask yourself from, let's say, business perspective or government perspective, the question is, how can I manage this? And the question is always, this is a principle, you cannot manage what you don't measure. So we need information. The problem from the past is if you look into reports, they are either from industry, companies or sectors. I wouldn't say it's always in the interest, but you cannot say that the report is neutral. There are only a few reports on member states level. Germany published every two years a landscape threat analysis and there's one in the UK, there's one in the US with the FBI. But what we try to do here is for the first time to make a threat landscape report for Europe and take into account everything that is available and put in a global picture. So our intention is to do this now every year. So if you look into this, I think it gives some ideas what we are doing. The challenge, of course, is if you are an agency on a European level, we don't want to duplicate what is done on the national level. On the other hand, you have bigger member states which have an IT industry which are doing a lot of things in the cyber space. They have national plans. They have public-private partnerships with the same industry. Of course you can name Germany, France, Great Britain. But if you look at it, it's more the northern member states who are more advanced in the IT security area. So the question is from European perspective, the new member states, as I mentioned at the beginning, since 2005, the question is how to have maximum of high IT security level in Europe and how can we achieve this? How can we support other member states?
So the weakest link in a chain is always the one who we have to support. This is something where if you look into our missions, a lot of effort is just to support them to cooperate. So if you talk about its areas where we have energy, when we now look into the new energy discussions where we have smart ways, digital smart meters for electricity households, there's something where the question is always where is the government responsible for. So we are talking about public infrastructure, the government, we are talking about electricity, IT providers, electricity prices, the banking sector, and if tomorrow, every ATM machine in the island of the question is what happens, is there panic or something like that. So the question is in some areas that we say we have critical infrastructure and this is where we have to work with the people who run this critical infrastructure.

If you talk into the strategy is what it was mentioned, in the strategy, I will do also some examples later, but the basic idea is to say, what is a common approach to improve this. So we will invest more in the research area, we will look for stratification, and I think the positive message from the strategy is that it also puts agencies together. If you look at the end of the strategy paper, which shows that it's going from the prevention of IT security like ENISA does, you have a European member state with the prosecution area, you have the defence area, so it covers the whole picture and it puts together for the last time also different agencies in their cooperation from the different aspects.
Assisting operational communities: the article 13A of the telecommunication directive, where incidents, data breaches are notified to the national regulators and then to ENISA. So this gives us a lot of information and data in the future, what happens on the member state level. The important message here is it's something where we get anonymized, aggregated data, and the question is then what has to be done on the governmental level. And that's not to blame anyone or to say there's something which is used for benchmarking or European level. This is not our intention. Our intention is really to say we need some information, what is the situation. Security data, which is the application, assisting operational communities, and also the privacy, something where we are also involved, supporting the Commission in the discussion.

Some important point is that we have to exist. Imagine you are running a big company with a big IT department which will test and try to put it back and see what happens, because you recover a system. You know, sometimes you have this alarm and then everyone has to leave his office and go down the street and test with the emergency. The same you have to do for IT. And if you remember, we had in 2007 the attack on Estonia, and this also was a discussion: what shall we do on national level, what shall we do on cooperation level? And so what was decided that we have this exercise on the European level. So we did it the first time in 2010. This was a tabletop exercise where we were sitting together, I can look at it like a war room, in our essence office. We invited member states, simulated incidents, interruptions of internet connections, and see how we can help, how we can communicate. So the basic objective of 2010 was to test communication estimation, to see who is responsible for the member states. And if you look back in 2010, we also made a report on certain things. In a lot of cases it was not defined who is responsible in the member states for what. So if I phone somebody, it's a
somebody who can make a decision or escalate it to a minister or secretary of state. 2011 was a tabletop exercise together with the United States. So it was a time when there was a discussion about WikiLeaks, other attacks, and we tried to do there in the picture to take some ongoing known attacks and see if there is a possibility to help over the advantage, to exchange information. So it was something where we also learned how does it work in the US, what are best practices, can we take over. And then last year we made an exercise again together with the member states, but we also included some of the companies from the providers, from the internet service provider, from the banking sector. Basically this telecommunication, banking sector. It was something where we also interact with the industry to see how is it working and what are the challenges and how can we learn from these, also in the area to improve it. We will now continue. This is a big jump, but in essence the different players from the member states are sitting, so it's something like you sit in front of your PC, it simulates your office in the member state, and suddenly you get a message saying your country's office in time, another question, hopefully not badly. I think what we now have is standard operation procedures, whether it's telecommunication, who to call, who to ask about. I think this is the most important thing. And also we included computer inversions in response to scenery. If we look into the details, and the slides will be available. We are also proud that we got a lot of press release. We are aware that was something where it was picked up. It was not just him, let's say, it's not only for me, it's also for the community, the member states, everyone who was involved in this exercise really appreciate it.

Just to example what is typically for our world work: if you look in the document with the new business model, what we are trying to do is to put the emphasis on security service level agreements, because when you normally
have an agreement you don't have something about security. So the question is, it includes privacy, how do you deal with your privacy data, other things. So it's something where we give some recommendations, if you go into the cloud, that I would say you know what you are doing. We also distinguish between government and the cloud, because when you are government and you want to use cloud services, you don't want to bear outside the European government, you don't want to have your own country, because you might have different legislation even in different member states in Europe. So this is something which is then the government, the private cloud. There is a little bit what was in the past outsourcing, where you say I have it somewhere but I am under control. So for the industry it stays in Europe, where you say I am a big company and I want to make a special contract. The problem in cloud computing is that we as a normal user, if we go to a cloud computing service or a social network or something like that, we cannot discuss the traffic condition, but the government can do it, the condition can do it, a big company can do it, and this is a chance if the company is going to a cloud.

Smart grid security is something where we start to put security in it. The question is still what is IT security design. And if you take a picture: if you have your electricity meter in your household in the basement, it is built by a company which does it in another way. Now in the future you make it in a digital way and you put computer capabilities, you put storage in there. The question is, do this company to build smart meters have the knowledge about IT security? If somebody sees this video they will say of course we have it, but the question is something which you learn from other sectors. If you look, for example, if you have cars, you put a lot of IT. Now if you have smart networks, the question is how do you secure your wireless LAN. If you put a smart meter on the internet, the question is how do you secure it. It's not
just transformation or information. The question is to think about, is it secured against attacks, against outside attacks, internal manipulation. And if you think further, the intention of this smart grid, electricity grid, that we have an intelligent electricity grid where you can put in solar energy, where you can optimize the consumption, where you can put the electricity in an optimized way through this infrastructure. And then the question is, if you rely on this infrastructure, who thinks about IT security, that it's not sabotage, hacking, the other services, etc. I think this is something what we try to put into the beginning when we are involved in this discussion.

Strategies: there are different approaches. Some member states say we start with a national security, then we have different aspects, civil, military, and then IT security is somewhere far away. Other member states look at more from the perspective and say this is our infrastructure, our critical infrastructure, we put IT security in. If you go through the member states, it's different ministries to deal with this. If you look just at a television magazine, if there is something about the financial crisis you see financial ministers, if there is something with scandal with means you have the minister at every state for commission on cruise. It's a little bit more difficult because in some country it's a ministry for interior, another country is a ministry of transport, another country is a ministry of economy, and then you see that evolved over the years. And what now the question is and what the Commission, we are asking for is: write a cyber strategy, write an IT strategy, have a governance structure in a member state. And the question is, and then we are going to use a chief information office over here, and then the question is how do you put this in the overall structure. And this puts it together what I talked before about exercise. What we see today in Europe is on a horizontal level we have a good communication with the CERT
community and from the exercises with responsible technical people. If you put it on a vertical layer, the question is who is the chief information office over here, who is the IT Commissioner. Of course you are a Commissioner, but you see from the publication of the strategy others are outside work. You are going to be a member state which comes in part of the cyber security strategy and the directive. In the end the question: who is the responsible authority in your member state is about IT security, is it one, is it more, and how do we want them. So if you take this message here, follow me that way and you are all like you are like okay. So if you take this from the strategy, there is something that we know. If you look into techniques, if you look into CERT community, we have in every member state. If you look into the communication with exercises, we have our standard operations procedure. If it goes into different sectors, we have breach notification only in the area of telecommunication. The question is where do we need it. If it goes about governance, this is a vertical structure. Ask yourself how is it in your member state, how is it in other member states, and how is it nearly been level. And this is what the strategy puts together, that it asks every member state to think about it, to organize it and put it together, and this incorporation with other member states who did it already, to have some kind of best practice, on the other hand to discuss with the Commission that we have this all over perspective.

On you talk a little bit about breach notification, and also link it for the discussion of the directive: we have this in the telecommunication sector, as I said, and it's something where what we learned from the first report, which is only a couple of member states because we are still in the implementation for this, we got last year about 50-60 incident reporting. And if you talk about cyber security, what do you think normally, how it's about Trojan horses, viruses, espionage. But the outcome
was that half of those incidents were on the mobile providers and in the infrastructure, in the IT infrastructure. But this is something where the question is now, would you have known this week without reporting? This is, I think, something where it's a message that reporting is a good thing because it gives us information, and as I said before, it's something to help us to increase IT security level. If you're now looking to other sectors, you have since financial crisis a lot of regulation in member states, what is to be done. You have this supervision on European level with the agency. But if you look into other sectors, you don't have any report. And the question is now where to find a balance between information and government needs to make decisions, and on the other hand not to put too much burden on the industry, because of course it costs money to implement this. But this is when we discuss about the directive, that we somehow have to find a compromise and see what is already done in different sectors, where do we need some more and how do we organize. So this is about the breach notification. We have a similar thing if we talk about the privacy directive. This is about class and data, this is especially the data protection area, and we are also discussing it.

I want to make a remark because it fits in this privacy discussion, in this social network discussion and about business models, and I think this is something what you can write in your inbox today: our personal data is a currency on the internet. And this is a lot of people forget. And if you look from an economic model, you have to pay for everything, you don't get anything for free. And if you go on a social network, if you go on an email service, if you go somewhere where you have your data stored, you think you get it for free, but somewhere you pay. And if you look into a lot of business models, these business models depend that they use your personal data, either for profiling, for advertisement. This means they use our profile and by
this you get the specific information or advertisement on the screen. You can say I give you my data and then I know, but it becomes critical if this data is sold and you cannot do anything. This comes back what I said before to service level improvements: as a normal user you don't have the chance to change on a social network in terms of condition. Either you press I agree or you cannot do it. I think this is something where the question behind is, does it change our society or not. So I talked a bit about our role there. I think if you look at it, the intention of a user is that we want to support you, that we want to give you an added value, that with a service rate directive it's something where we don't want to collect data just for fun and we want to give it back to you, that you can make better decisions.

If you look about the strategy, there's a last point I want to mention, because I think this is something which is also a chance for us in Europe and either as a common market agency. If we talk about Europe, it's a common market idea behind. So in the end that some of the business children have a socialized in the industry before it came to this. So for me the point is how can we in the end use also IT security as a business model. But it's not only a business model for those companies but also a business model for those who sell smartphones and PCs, that they built in IT security or built in privacy by design. And if you look into the strategy, there's an interesting part which talks about standards, which talks about technical guidelines and certification. It talks about a SOPA European driving license, which is the kind of certificate that you know how to deal with IT and IT security. And this is the big chance for the economy, because if you set standards and if you are the first to set standards, then you can discuss where good companies and good medium to small companies, what they can do. And an example is our electronic passport. It has a chip, it has a cryptography, and it's
something which was standardized with a European perspective of privacy, data protection, key exchange. And it's something where if you have now companies who build fingerprint readers, technology, then you can do export into other areas. So this is something from a European perspective, let me say this side in the European agency, it's interest that we create jobs or it's in the IT security area and that we have a competitive advantage to the other areas out of Europe. And this is something where if you look into technical guidelines and certification and standardization, it's one instrument. Thank you very much.