Oireachtas Joint and Select Committees

Wednesday, 1 December 2021

Joint Oireachtas Committee on European Union Affairs

EU Cybersecurity: Discussion (Resumed)

Mr. Juhan Lepassaar:

I thank the honourable Chair and Members of the Oireachtas for inviting ENISA to give the committee input to its valuable work and evidence. I will say a few words on the agency. The mandate of the agency is to assist member states in the Union in their pursuit of establishing a high common level of cybersecurity across the Union. Of course, we mainly focus our work on ensuring that cybersecurity, a critical service, and the providers of this service, are of a high level. Under the network information security, NIS, directive, approximately 70 entities in Ireland were designated as essential service providers. I am not saying it is too low of a number, but it is clear that across the Union we seem to have a different understanding of what "critical" means. For example, in Finland, 10,000 entities have been designated as operators of essential services. Cyber threats are cross-border and as long as we seem to have differences in defining what is critical and what is not critical, there always will be an issue regarding how to set a common standard across the Union. We need a revision of the network information security directive so that we have a more common understanding of what critical means and how to protect critical service providers.

Ireland has recently experienced an attack on its health service providers, and members know the consequences of it; obviously, we should draw our own conclusions as well. From the cybersecurity point of view, the Irish National Cyber Security Centre does an excellent job, not only in responding to the crisis, but also in making sure that entities are well prepared. It rolled out procedural guidelines, manuals, trainings and exercises. It responded in an agile and prompt fashion and it shared information with other member states with the computer security incident response teams, CSIRT, network so that other member states were knowledgeable about what was going on and could prepare as well. It was an exemplary response.

One might ask, of course, why the attack was successful. At the EU level, most entities of essential service providers fail normally because, perhaps somewhat naturally, cybersecurity is not seen as part of their core mandates or core missions. Guidelines and trainings are not picked up because organisations have not invested in their human resources to make them work. They lack a dedicated and sufficient number of experts to make things work and they do not invest in cybersecurity. Some 67% of operators of essential service providers across the EU have told us they need more investments to make the network information security directive work for them.

In Ireland, we surveyed 36 operators of essential service providers in 2021 and 22 of them said they need more investments. Overall, EU entities invest 41% less in cybersecurity than their counterparts in the United States. On average, the budget that goes to cybersecurity is around 10% of the IT investments that these entities make. Money will not do the trick and service providers need to invest in their staff, and not only into their IT and cybersecurity experts.

Perhaps following the lessons learned, Irish entities are showing the way. The median number of new hires for cybersecurity functions is highest among all the EU member states. Also, 50% of the surveyed operators of essential service providers in Ireland have cyber insurance, whereas the EU average is 43%.

For the benefit of the common level of cybersecurity across the EU, I call on this committee to do two things. First, I call on it to express its support for the quick and swift adoption of the review of the network information security directive that should bring a better common understanding on which critical entities need to be protected across the Union.

Second, I call on it to find ways to support an increase of cybersecurity investments by the entities that operate in critical sectors and ring-fence these investments in cybersecurity. Member states have different practices. For example in Germany, by law, all health service providers must invest at least 15% of their total digital investments into cybersecurity. We hope that in the long term this will make these entities more resilient.
