- Albania
- Angola
- Argentina
- Australia
- Azerbaijan
- Bangladesh
- Belgium
- Botswana
- Canada
- Chile
- China
- Cyprus
- Czech Republic
- Dominican Republic
- Egypt
- Estonia
- Georgia
- Iraq
- Ireland
- Jordan
- Latvia
- Libya
- Lithuania
- Mexico
- Moldova (Republic of)
- Montenegro
- Morocco
- Mozambique
- Myanmar
- Netherlands
- New Zealand
- Oman
- Panama
- Poland
- Rwanda
- Saudi Arabia
- Slovakia
- The Bahamas
- Togo
- Tonga
- Ukraine
- United Kingdom
- United States
- Uruguay
- Zimbabwe
RANKING TIMELINE
Canada
Ghana
North Macedonia
Kiribati
| Rank | Country | National Cyber Security Index | Digital development | Difference | ||
|---|---|---|---|---|---|---|
| n/a | Canada 15.04.24 | 80.00 | ||||
| 21. | Ghana | 63.33 | 48.54 | 14.79 | ||
| 29. | North Macedonia | 56.67 | 58.13 | -1.46 | ||
| 40. | Kiribati | 30.00 | 21.67 | 8.33 | ||
STRATEGIC CYBERSECURITY INDICATORS
-
1. CYBERSECURITY POLICY15.04.24151530.04.2491529.11.2331529.11.23915
-
1.1. High-level cybersecurity leadership15.04.243330.04.243329.11.230329.11.2303Criteria
The country has appointed governmental leadership responsible for cybersecurity at the national level.
Accepted referencesLegal act, national strategy, official statutes or terms of reference, or official website
-
1.2. Cybersecurity policy development15.04.243330.04.240329.11.230329.11.2333Criteria
There is a competent entity in the central government to whom responsibility is assigned for national cybersecurity strategy and policy development.
Accepted referencesLegal act, official statute or terms of reference, or official website
-
1.3. Cybersecurity policy coordination15.04.243330.04.243329.11.233329.11.2333Criteria
The country has a regular official format for cybersecurity policy coordination at the national level.
Accepted referencesLegal act, official statute or terms of reference, or official website
-
1.4. National cybersecurity strategy15.04.243330.04.243329.11.230329.11.2333Criteria
The central government has established a national-level cybersecurity strategy defining strategic cybersecurity objectives and measures to improve cybersecurity across society.
Accepted referencesValid official document
-
1.5. National cybersecurity strategy action plan15.04.243330.04.240329.11.230329.11.2303Criteria
The central government has established an action plan to implement the national cybersecurity strategy.
Accepted referencesCurrent official document, legal act, or official statement
-
-
2. GLOBAL CYBERSECURITY CONTRIBUTION15.04.246630.04.243629.11.234629.11.2306
-
2.1. Cyber diplomacy engagements15.04.243330.04.240329.11.233329.11.2303Criteria
The government contributes to international or regional cooperation formats dedicated to cybersecurity and cyber stability.
Accepted referencesOfficial website of the organisation or cooperation format, official statement or contribution
-
2.2. Commitment to international law in cyberspace15.04.241130.04.241129.11.231129.11.2301Criteria
The country has an official position on the application of international law, including human rights, in the context of cyber operations.
Accepted referencesOfficial document or statement, international indexes
-
2.3. Contribution to international capacity building in cybersecurity15.04.242230.04.242229.11.230229.11.2302Criteria
The country has led or supported cybersecurity capacity building for another country in the past three years.
Accepted referencesOfficial website or project document
-
-
3. EDUCATION AND PROFESSIONAL DEVELOPMENT15.04.2461030.04.2481029.11.2391029.11.23010
-
3.1. Cyber safety competencies in primary education15.04.240230.04.242229.11.232229.11.2302Criteria
Primary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.
Accepted referencesOfficial curriculum or official report
-
3.2. Cyber safety competencies in secondary education15.04.240230.04.242229.11.232229.11.2302Criteria
Secondary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.
Accepted referencesOfficial curriculum or official report
-
3.3. Undergraduate cybersecurity education15.04.242230.04.240229.11.232229.11.2302Criteria
At least one undergraduate education programme is available in the country to train students in cybersecurity.
Accepted referencesAccredited study programme
-
3.4. Graduate cybersecurity education15.04.243330.04.243329.11.233329.11.2303Criteria
At least one cybersecurity education programme is available in the country at the graduate level.
Accepted referencesAccredited study programme
-
3.5. Association of cybersecurity professionals15.04.241130.04.241129.11.230129.11.2301Criteria
A professional association of cybersecurity specialists, managers, or auditors exists in the country.
Accepted referencesOfficial website
-
-
4. CYBERSECURITY RESEARCH AND DEVELOPMENT15.04.242430.04.240429.11.230429.11.2304
-
4.1. Cybersecurity research and development programmes15.04.242230.04.240229.11.230229.11.2302Criteria
A cybersecurity research and development (R&D) programme or institute exists and is recognised and/or supported by the government.
Accepted referencesOfficial programme or official website
-
4.2. Cybersecurity doctoral studies15.04.240230.04.240229.11.230229.11.2302Criteria
An officially recognised PhD programme exists accommodating research in cybersecurity.
Accepted referencesOfficial programme or official website
-
PREVENTIVE CYBERSECURITY INDICATORS
-
5. CYBERSECURITY OF CRITICAL INFORMATION INFRASTRUCTURE15.04.2491230.04.2491229.11.2331229.11.23612
-
5.1. Identification of critical information infrastructure15.04.243330.04.243329.11.230329.11.2333Criteria
There is a framework or a mechanism to identify operators of critical information infrastructure.
Accepted referencesLegal or administrative act
-
5.2. Cybersecurity requirements for operators of critical information infrastructure15.04.240330.04.243329.11.230329.11.2303Criteria
Operators of critical (information) infrastructure are required to assess and manage cyber risks and/or implement cybersecurity measures.
Accepted referencesLegal act, or mandatory cybersecurity framework or standard
-
5.3. Cybersecurity requirements for public sector organisations15.04.243330.04.240329.11.233329.11.2303Criteria
Public sector organisations are required to assess and manage cyber risks and/or implement cybersecurity measures.
Accepted referencesLegal or administrative act, mandatory cybersecurity framework or standard
-
5.4. Competent supervisory authority15.04.243330.04.243329.11.230329.11.2333Criteria
A competent authority has been designated and allocated powers to supervise the implementation of cyber/information security measures.
Accepted referencesLegal act or official website
-
-
6. CYBERSECURITY OF DIGITAL ENABLERS15.04.2441230.04.2441229.11.2381229.11.23412
-
6.1. Secure electronic identification15.04.240230.04.242229.11.232229.11.2302Criteria
A national electronic identification solution exists that allows for officially recognised and secure electronic identification of natural and/or legal persons.
Accepted referencesLegal act, nationally recognised identification scheme, or official website
-
6.2. Electronic signature15.04.242230.04.242229.11.232229.11.2322Criteria
A nationally recognised and publicly available solution exists to issue secure and legally binding electronic signatures.
Accepted referencesLegal act or official website
-
6.3. Trust services15.04.240230.04.240229.11.232229.11.2302Criteria
Trust services (e.g. digital certificates, timestamps, private key management service) are regulated, at least for use in the public sector.
Accepted referencesLegal act or official website
-
6.4. Supervisory authority for trust services15.04.240230.04.240229.11.232229.11.2302Criteria
An independent authority has been designated and given the power to supervise trust services and trust service providers.
Accepted referencesLegal act or official website
-
6.5. Cybersecurity requirements for cloud services15.04.242230.04.240229.11.230229.11.2322Criteria
Requirements are established for the secure use of cloud services in government and/or public sector organisations.
Accepted referencesLegal or administrative act, cybersecurity framework or standard
-
6.6. Supply chain cybersecurity15.04.240230.04.240229.11.230229.11.2302Criteria
Requirements are established to identify and manage cybersecurity risks through the ICT supply chain.
Accepted referencesLegal act or official website
-
-
7. CYBER THREAT ANALYSIS AND AWARENESS RAISING15.04.2491230.04.2461229.11.2361229.11.23012
-
7.1. Cyber threat analysis15.04.243330.04.243329.11.233329.11.2303Criteria
A government entity has been assigned the responsibility for national-level cybersecurity and/or cyber threat assessments.
Accepted referencesLegal act, statute, or official website
-
7.2. Public cyber threat reports15.04.243330.04.240329.11.230329.11.2303Criteria
Public cyber threat reports and notifications are issued at least once a year.
Accepted referencesOfficial website, official social media channel, or public report
-
7.3. Public cybersecurity awareness resources15.04.243330.04.243329.11.233329.11.2303Criteria
Public authorities provide publicly available cybersecurity advisories, tools, and resources for users, organisations, and ICT and cybersecurity professionals.
Accepted referencesOfficial website, public advisories
-
7.4. Cybersecurity awareness raising coordination15.04.240330.04.240329.11.230329.11.2303Criteria
There is an entity with the clearly assigned responsibility to lead and/or coordinate national cybersecurity awareness activities.
Accepted referencesLegal act, official document, or official website
-
-
8. PROTECTION OF PERSONAL DATA15.04.244430.04.244429.11.234429.11.2304
-
8.1. Personal data protection legislation15.04.242230.04.242229.11.232229.11.2302Criteria
There is a legal act for personal data protection that is applicable to the protection of data online or in digital form.
Accepted referencesLegal act
-
8.2. Personal data protection authority15.04.242230.04.242229.11.232229.11.2302Criteria
An independent public supervisory authority has been designated and allocated powers to supervise personal data protection.
Accepted referencesLegal act or official website
-
RESPONSIVE CYBERSECURITY INDICATORS
-
9. CYBER INCIDENT RESPONSE15.04.24141430.04.24141429.11.23111429.11.23314
-
9.1. National incident response capacity15.04.243330.04.243329.11.233329.11.2333Criteria
There is a CERT designated with nationwide responsibilities for cyber incident detection and response.
Accepted referencesLegal act or official website
-
9.2. Incident reporting obligations15.04.243330.04.243329.11.230329.11.2303Criteria
Operators of critical information infrastructure and/or government institutions are obliged to notify the designated competent authorities about cyber incidents.
Accepted referencesLegal act or official website
-
9.3. Cyber incident reporting tool15.04.242230.04.242229.11.232229.11.2302Criteria
A publicly available official resource is provided for notifying competent authorities about cyber incidents.
Accepted referencesOfficial website
-
9.4. Single point of contact for international cooperation15.04.243330.04.243329.11.233329.11.2303Criteria
The government has designated a single point of contact for international cybersecurity cooperation.
Accepted referencesLegal act or official website
-
9.5. Participation in international incident response cooperation15.04.243330.04.243329.11.233329.11.2303Criteria
The national cyber incident response team (CSIRT/CERT/CIRT) participates in international or regional cyber incident response formats.
Accepted referencesOfficial website or official document
-
-
10. CYBER CRISIS MANAGEMENT15.04.247930.04.243929.11.232929.11.2309
-
10.1. Cyber crisis management plan15.04.242230.04.240229.11.230229.11.2302Criteria
The government has established a crisis management plan for large-scale cyber incidents.
Accepted referencesLegal act or official website
-
10.2. National cyber crisis management exercises15.04.243330.04.243329.11.230329.11.2303Criteria
Regular interagency cyber crisis management exercises or crisis management exercises with a cyber component are arranged at the national level at least every other year.
Accepted referencesExercise document, official website, or press release
-
10.3. Participation in international cyber crisis exercises15.04.242230.04.240229.11.232229.11.2302Criteria
The country participates in an international cyber crisis management exercise at least every other year.
Accepted referencesExercise document/website or press release
-
10.4. Operational crisis reserve15.04.240230.04.240229.11.230229.11.2302Criteria
A mechanism for engaging reserve support has been established to reinforce government bodies in managing cyber crises.
Accepted referencesLegal act or official website
-
-
11. FIGHT AGAINST CYBERCRIME15.04.24161630.04.24161629.11.23161629.11.231416
-
11.1. Cybercrime offences in national law15.04.243330.04.243329.11.233329.11.2333Criteria
Cybercrime offences are defined in national legislation.
Accepted referencesLegal act
-
11.2. Procedural law provisions15.04.243330.04.243329.11.233329.11.2333Criteria
Legislation defines the powers and procedures for cybercrime investigations and proceedings and for the collection of electronic evidence.
Accepted referencesLegal act
-
11.3. Ratification of or accession to the Convention on Cybercrime15.04.242230.04.242229.11.232229.11.2302Criteria
The country has ratified or acceded to the Council of Europe (CoE) Convention on Cybercrime.
Accepted referencesLegal act on Convention ratification or accession, website of the CoE Treaty Office
-
11.4. Cybercrime investigation capacity15.04.243330.04.243329.11.233329.11.2333Criteria
Law enforcement has a specialised function and capacity to prevent and investigate cybercrime offences.
Accepted referencesLegal act or official website
-
11.5. Digital forensics capacity15.04.242230.04.242229.11.232229.11.2322Criteria
Law enforcement has a specialised function and capacity for digital forensics.
Accepted referencesLegal act, statute, official document, or official website
-
11.6. 24/7 contact point for international cybercrime15.04.243330.04.243329.11.233329.11.2333Criteria
The government has designated an international 24/7 point of contact for assistance on cybercrime and electronic evidence.
Accepted referencesOfficial website, legal act or statute
-
-
12. MILITARY CYBER DEFENCE15.04.244630.04.240629.11.232629.11.2306
-
12.1. Military cyber defence capacity15.04.242230.04.240229.11.230229.11.2302Criteria
Armed forces have designated units responsible for the cybersecurity of military operations and/or for cyber operations.
Accepted referencesLegal act, statute, other official document or official website
-
12.2. Military cyber doctrine15.04.240230.04.240229.11.230229.11.2302Criteria
The tasks, principles, and oversight of armed forces for military cyber operations are established by official doctrine or legislation.
Accepted referencesLegal act, official doctrine, or official website
-
12.3. Military cyber defence exercises15.04.242230.04.240229.11.232229.11.2302Criteria
Armed forces have conducted or participated in a cyber defence exercise or an exercise with a cyber defence component in the past three years.
Accepted referencesOfficial website or official document
-