Ms Lorena Boix Alonso:

I agree with the Senator that it is worrying. I am not going to hide the fact that it is a worrying situation. A significant number of actions are already being taken under the current legislative framework. For example, I mentioned what happened in the case of the Irish incident. We have the sister network of all these entities at national level, which did act in that case. Whenever there is an incident, the network exchanges information and, if requested, provides support. We have the cyber crises liaison organisation network, CyCLONe, which is more at a political level or between political and operational levels. It is already active and compiles reports on incidents so that lessons can be learned. At the level of the current directive, we have the network and information systems, NIS, co-operation network, through which there are many discussions ongoing to learn from each other and strengthen implementation.

I did not mention it in my opening statement, but there is certainly a need to increase and improve the capabilities at member state level. Unfortunately, the level of investment in Europe in cybersecurity is not yet comparable with that of certain third countries. The first calls will be launched next year under a new digital EU programme that is devoting approximately €3 million to support capability. It is not research; it is really going to the deployment of technologies. We will launch the first calls next year. We are doing what we can to help and support member states. In the context of the resilience fund, we strongly insisted that member states dedicate part of that money to reinforcing capabilities. Many of them have gone in that direction. As regards international co-operation, as I mentioned, several dialogues are taking place with third countries and we are co-operating. A lot is being done now and more will be done in the medium to long term.

As regards the level of implementation by Ireland, as I stated, the current directive has been implemented, but to say whether Ireland has implemented it well or poorly is not so easy because it is very much left in the hands of member states. That is what we are trying to fix. I know that when the incident happened, the health authorities were covered and had been identified by Ireland.

I know that in Ireland a lot of exercises are taking place. Therefore, I would not say that Ireland is not implementing the strategy well. As I said before, a particular country can do a lot of exercises. For example, in hospitals, we do cybersecurity exercises. However, if the investments are not there and as a result, the capabilities are not there or if the relevant authorities do not take the responsibility, things do not happen. It is another issue that we are trying to fix in the new directive. We are trying to ensure that the management of companies and institutions take responsibility for adopting measures. A country can do a lot of exercises, but when the moment arrives, things do not happen. That is not for Ireland but generally, certainly, every member state can do much more.