Mr. Juhan Lepassaar:

I do not want to create an impression that the companies that produce software do not care about cybersecurity. That is not an issue. They care and they reach out. We have good collaboration and contact with them. The issue is the balance. Where is the balance in terms of obligations? Is it tilted more towards the consumer or the provider? We need to assess whether the balance is right for the current environment.

When it comes to threats, it is difficult to say what are the top three. I will start with the critical sectors because this is where the focus still is. We have critical sectors that are more mature and critical sectors that are less mature. There are other sectors which we now think are critical but they are not covered by the network and information security directive. We found that out because of the pandemic. There is a second category. Cyber threats are becoming more hybrid and more linked to other threats. Whenever a certain sector or domain is under attack, we see an uptake of cyber attacks against this sector. It happened during the pandemic when it came to health service providers. Vaccine makers were also targeted. Research and innovation is not currently covered under the network and information security directive, and neither are higher education and food service providers. The hybrid nature of the cyber attack means it is becoming more ingrained into the overall threats landscape. That worries me. The fact that most products and services that are circulating in the market are not resilient or as high-level in terms of their cybersecurity as they could or should be and that the security by design and default approach is not ingrained into the product design worries me a lot as well.