Dr. Richard Browne:

There are two different elements to all of this. The first one is that for smaller entities, the risk they pose to society is much smaller. In this case of a group water scheme to which the Deputy referred, 85 families were affected. That was significant for them, given that they were 12 or 13 hours without water. At the same time, however, it was a manageable risk. For much larger entities, as the Deputy noted, the real question is on the consequences for the State as a whole and for much larger numbers of people. The network and information security directive, NIS2, process is the first and most important way of dealing with that. We have binding requirements on large critical infrastructure operators to make sure they do their things properly. They then go out and deal with private sector operators in cybersecurity for consultancy and other vendors to ensure that they have the right controls, systems and processes in place. The audits and assessments that we do on an ongoing basis are key to driving all of that on. There is a market out there for that.

The second order piece is the work we do in the operation space, in the scanning, in the threat intelligence sharing and through something called CORE, which I will come to in a second. All the work we do is to build resilience across the system. I will explain CORE very quickly, and then Mr. Stephens who is sitting next to me and who is responsible for all that project will come in. We have, like many of the member states, had a series of different attempts to share information across sectors in order that we could bring in the key people from key critical infrastructure sectors on a regular basis. We have done this for ten years in various different ways. Over the past three years, we have evolved the new model which we call the CORE model, co-operation and response, which is essentially sectoral groups that are chaired by sectoral chairs from the area. The first one was Gov Core, which is the Government CORE. We have a series of others, which Mr. Stephens can speak on in detail in a moment. Each of those COREs is designed to share information, training and best practice and allows us to speak to, for example, the energy sector and the heads of all the major energy sector operators on a regular basis and say these are the issues they should be aware of and these are the things they should be doing. Mr. Stephens might give some more details on the next plans for the COREs.