- Argentina
- Armenia
- Azerbaijan
- Bangladesh
- Belgium
- Bhutan
- Bosnia and Herzegovina
- Botswana
- Brazil
- Bulgaria
- Canada
- Chad
- Chile
- Comoros
- Congo
- Congo (Democratic Republic of the)
- Costa Rica
- Croatia
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Ghana
- Guatemala
- Haiti
- Honduras
- Italy
- Jamaica
- Jordan
- Kazakhstan
- Korea (Republic of)
- Kosovo(*)
- Kuwait
- Kyrgyzstan
- Libya
- Mali
- Malta
- Mauritius
- Moldova (Republic of)
- Mongolia
- Montenegro
- Mozambique
- Myanmar
- Nigeria
- North Macedonia
- Panama
- Poland
- Saint Kitts and Nevis
- Saint Lucia
- Saudi Arabia
- Serbia
- Singapore
- Suriname
- Tajikistan
- The Bahamas
- Türkiye
- Uganda
- Uruguay
- Uzbekistan
- Vanuatu
- Venezuela
- Zimbabwe
RANKING TIMELINE
Australia
Albania
Lithuania
Austria
Portugal
United States
Netherlands
Slovakia
Ukraine
Switzerland
Latvia
Ireland
Cyprus
United Kingdom
Dominican Republic
Morocco
Tunisia
Georgia
Bahrain
China
Benin
New Zealand
Togo
Egypt
Oman
Rwanda
Qatar
Mexico
Trinidad and Tobago
Kiribati
Bolivia
Sierra Leone
Nicaragua
Lebanon
Tonga
Mauritania
Antigua and Barbuda
Angola
Turkmenistan
Nauru
Iraq
Micronesia (Federated States of)
Solomon Islands
| Rank | Country | National Cyber Security Index | Digital development | Difference | ||
|---|---|---|---|---|---|---|
| 11. | Australia | 87.50 | 82.60 | 4.90 | ||
| 12. | Albania | 85.00 | 62.34 | 22.66 | ||
| 13. | Lithuania | 85.00 | 75.53 | 9.47 | ||
| 14. | Austria | 85.00 | 78.35 | 6.65 | ||
| 16. | Portugal | 84.17 | 72.94 | 11.23 | ||
| 17. | United States | 84.17 | 85.46 | -1.29 | ||
| 21. | Netherlands | 81.67 | 84.66 | -2.99 | ||
| 23. | Slovakia | 80.83 | 67.55 | 13.28 | ||
| 24. | Ukraine | 80.83 | 71.87 | 8.96 | ||
| 26. | Switzerland | 79.17 | 81.88 | -2.71 | ||
| 25. | Latvia | 79.17 | 73.10 | 6.07 | ||
| 27. | Ireland | 77.50 | 78.79 | -1.29 | ||
| 29. | Cyprus | 76.67 | 71.44 | 5.23 | ||
| 31. | United Kingdom | 75.00 | 84.67 | -9.67 | ||
| 36. | Dominican Republic | 71.67 | 57.70 | 13.97 | ||
| 40. | Morocco | 70.00 | 57.17 | 12.83 | ||
| 41. | Tunisia | 68.33 | 55.46 | 12.87 | ||
| 45. | Georgia | 64.17 | 63.61 | 0.56 | ||
| 47. | Bahrain | 60.83 | 72.73 | -11.90 | ||
| 49. | China | 60.00 | 77.94 | -17.94 | ||
| 50. | Benin | 59.17 | 40.70 | 18.47 | ||
| 57. | New Zealand | 55.00 | 79.24 | -24.24 | ||
| 58. | Togo | 54.17 | 19.60 | 34.57 | ||
| 60. | Egypt | 50.83 | 55.71 | -4.88 | ||
| 62. | Oman | 50.00 | 69.64 | -19.64 | ||
| 65. | Rwanda | 47.50 | 50.58 | -3.08 | ||
| 67. | Qatar | 40.83 | 69.88 | -29.05 | ||
| 68. | Mexico | 38.33 | 64.41 | -26.08 | ||
| 73. | Trinidad and Tobago | 35.83 | 53.11 | -17.28 | ||
| 74. | Kiribati | 33.33 | 22.86 | 10.47 | ||
| 77. | Bolivia | 30.83 | 52.38 | -21.55 | ||
| 78. | Sierra Leone | 30.00 | 26.93 | 3.07 | ||
| 89. | Nicaragua | 20.83 | 40.83 | -20.00 | ||
| 90. | Lebanon | 20.83 | 54.49 | -33.66 | ||
| 91. | Tonga | 20.00 | 25.82 | -5.82 | ||
| 92. | Mauritania | 19.17 | 31.04 | -11.87 | ||
| 94. | Antigua and Barbuda | 18.33 | 30.72 | -12.39 | ||
| 96. | Angola | 17.50 | 33.37 | -15.87 | ||
| 98. | Turkmenistan | 14.17 | 23.79 | -9.62 | ||
| 99. | Nauru | 13.33 | 22.27 | -8.94 | ||
| 102. | Iraq | 10.00 | 22.86 | -12.86 | ||
| 104. | Micronesia (Federated States of) | 5.83 | 16.18 | -10.35 | ||
| 106. | Solomon Islands | 4.17 | 18.41 | -14.24 | ||
STRATEGIC CYBERSECURITY INDICATORS
-
1. CYBERSECURITY POLICY1515121512151515121515151215121515151215151512159159151515121591515159156159159151215915315615915315315915015615315915015915015315315015015315015
-
1.1. High-level cybersecurity leadership33333333333333333333333333333333033333333333333303033303330303330303030303033303033303Criteria
The country has appointed governmental leadership responsible for cybersecurity at the national level.
Accepted referencesLegal act, national strategy, official statutes or terms of reference, or official website
-
1.2. Cybersecurity policy development33333333333303333333333333033333333333033333333333333303033303030333030303330303030303Criteria
There is a competent entity in the central government to whom responsibility is assigned for national cybersecurity strategy and policy development.
Accepted referencesLegal act, official statute or terms of reference, or official website
-
1.3. Cybersecurity policy coordination33033333333333033333330303033333033303030303333303030303033303030333033303030303030303Criteria
The country has a regular official format for cybersecurity policy coordination at the national level. (The official format may take various forms, such as permanent committees, councils, or working groups.)
Accepted referencesLegal act, official statute or terms of reference, or official website
-
1.4. National cybersecurity strategy33330333333333333333333333333333333333333333330303333333033303333333033303030303030303Criteria
The central government has established a national-level cybersecurity strategy defining strategic cybersecurity objectives and measures to improve cybersecurity across society.
Accepted referencesValid official document
-
1.5. National cybersecurity strategy action plan33333333033333333303333303333303333303030303030303030303030303030303033303030303030303Criteria
The central government has established an action plan to implement the national cybersecurity strategy.
Accepted referencesCurrent official document, legal act, or official statement
-
-
2. GLOBAL CYBERSECURITY CONTRIBUTION66663666366646464666364656666646364646463666365656366646060606363636363636360606060606
-
2.1. Cyber diplomacy engagements33333333333333333333333333333333333333333333333333333333030303333333333333330303030303Criteria
The government contributes to international or regional cooperation formats dedicated to cybersecurity and cyber stability. (The indicator is limited to strategic-level cooperation; operational-level incident response cooperation and cross-border law enforcement cooperation are addressed separately under other indicators.)
Accepted referencesOfficial website of the organisation or cooperation format, official statement or contribution
-
2.2. Commitment to international law in cyberspace11110111011111111111011101111111011111110111010101011111010101010101010101010101010101Criteria
The country has an official position on the application of international law, including human rights, in the context of cyber operations.
Accepted referencesOfficial document or statement, international indexes
-
2.3. Contribution to international capacity building in cybersecurity22220222022202020222020222222202020202020222022222022202020202020202020202020202020202Criteria
The country has led or supported cybersecurity capacity building for another country in the past three years.
Accepted referencesOfficial website or project document
-
-
3. EDUCATION AND PROFESSIONAL DEVELOPMENT10109101010101010106101010101061010108108101010101061061081061010101010610810510610710110510610410010610010210610310010010010210010510010010
-
3.1. Cyber safety competencies in primary education22222222220222220222220222220202020222220222020222020202020202020202020202020202020202Criteria
Primary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.
Accepted referencesOfficial curriculum or official report
-
3.2. Cyber safety competencies in secondary education22222222220222220222222222220202220222220202020222020202020202020202020202020202220202Criteria
Secondary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.
Accepted referencesOfficial curriculum or official report
-
3.3. Undergraduate cybersecurity education22222222222222222222022222222222222222222222222222022222020222022222020202022202220202Criteria
At least one undergraduate education programme is available in the country to train students in cybersecurity.
Accepted referencesAccredited study programme
-
3.4. Graduate cybersecurity education33333333333333333333333333333333333333333333333303033333330333030333330303030303030303Criteria
At least one cybersecurity education programme is available in the country at the graduate level.
Accepted referencesAccredited study programme
-
3.5. Association of cybersecurity professionals11011111111111111111111111111111111111111111011111110111110111010111010101010101110101Criteria
A professional association of cybersecurity specialists, managers, or auditors exists in the country.
Accepted referencesOfficial website
-
-
4. CYBERSECURITY RESEARCH AND DEVELOPMENT44042424244424044444240424440444242404442404044424042404240404040404040404040404040404
-
4.1. Cybersecurity research and development programmes22020222022222022222220202220222022202222202022222022202220202020202020202020202020202Criteria
A cybersecurity research and development (R&D) programme or institute exists and is recognised and/or supported by the government.
Accepted referencesOfficial programme or official website
-
4.2. Cybersecurity doctoral studies22022202222202022222020222220222220202220202022202020202020202020202020202020202020202Criteria
An officially recognised PhD programme exists accommodating research in cybersecurity.
Accepted referencesOfficial programme or official website
-
PREVENTIVE CYBERSECURITY INDICATORS
-
5. CYBERSECURITY OF CRITICAL INFORMATION INFRASTRUCTURE91212121212121212129129121212912612121212129126123121212912612121291212123121212612012912012612312612612312012012012012012012012012012012012
-
5.1. Identification of critical information infrastructure33333333333333333333333333330333333333333303333303330333033303330303030303030303030303Criteria
There is a framework or a mechanism to identify operators of critical information infrastructure.
Accepted referencesLegal or administrative act
-
5.2. Cybersecurity requirements for operators of critical information infrastructure33333333330333333303333333330333333333333303330303330303030303030303030303030303030303Criteria
Operators of critical (information) infrastructure are required to assess and manage cyber risks and/or implement cybersecurity measures.
Accepted referencesLegal act, or mandatory cybersecurity framework or standard
-
5.3. Cybersecurity requirements for public sector organisations33333333333303330333333303033333030333333333333303330333030333030303030303030303030303Criteria
Public sector organisations are required to assess and manage cyber risks and/or implement cybersecurity measures.
Accepted referencesLegal or administrative act, mandatory cybersecurity framework or standard
-
5.4. Competent supervisory authority03333333333333333303333333030333330333033303330303030303333333030303030303030303030303Criteria
A competent authority has been designated and allocated powers to supervise the implementation of cyber/information security measures.
Accepted referencesLegal act or official website
-
-
6. CYBERSECURITY OF DIGITAL ENABLERS8128121212812812612101210121012812812121210126126121012101261281281212124124122121012212412212012412412412212012012412212212412012212012012
-
6.1. Secure electronic identification22222222220222222202222222020222220222022202020222022202020222220202022202022202020202Criteria
A national electronic identification solution exists that allows for officially recognised and secure electronic identification of natural and/or legal persons.
Accepted referencesLegal act, nationally recognised identification scheme, or official website
-
6.2. Electronic signature22222222222222222222222222222222222222222222222222222222022222222202022222222202220202Criteria
A nationally recognised and publicly available solution exists to issue secure and legally binding electronic signatures.
Accepted referencesLegal act or official website
-
6.3. Trust services02222222220222222222222222222222222222022202020222020202020202020202020202020202020202Criteria
Trust services (e.g. digital certificates, timestamps, private key management service) are regulated, at least for use in the public sector.
Accepted referencesLegal act or official website
-
6.4. Supervisory authority for trust services02222222220222222222222222222222222222222202220222020202020202020202020202020202020202Criteria
An independent authority has been designated and given the power to supervise trust services and trust service providers.
Accepted referencesLegal act or official website
-
6.5. Cybersecurity requirements for cloud services22022202022222222222022202020222220202222222020222020202022202020202020202020202020202Criteria
Requirements are established for the secure use of cloud services in government and/or public sector organisations.
Accepted referencesLegal or administrative act, cybersecurity framework or standard
-
6.6. Supply chain cybersecurity22022202022202020202022222020202020202222202020202020202020202020202020202020202020202Criteria
Requirements are established to identify and manage cybersecurity risks through the ICT supply chain.
Accepted referencesLegal act or official website
-
-
7. CYBER THREAT ANALYSIS AND AWARENESS RAISING91212129126129129129129129129121212912912612912312912612612312312912912612912612312312912012612012012312012012312012012312012012312
-
7.1. Cyber threat analysis33333303333333333333330333033303333333030333330333333303330303030303030303030303030303Criteria
A government entity has been assigned the responsibility for national-level cybersecurity and/or cyber threat assessments.
Accepted referencesLegal act, statute, or official website
-
7.2. Public cyber threat reports33333333333333333333333303333303330303330333330303030303330333030303030303030303030303Criteria
Public cyber threat reports and notifications are issued at least once a year.
Accepted referencesOfficial website, official social media channel, or public report
-
7.3. Public cybersecurity awareness resources33333333333333333333333333333303330333033333333333330333330333030333030333030333030333Criteria
Public authorities provide publicly available cybersecurity advisories, tools, and resources for users, organisations, and ICT and cybersecurity professionals.
Accepted referencesOfficial website, public advisories
-
7.4. Cybersecurity awareness raising coordination03330303030303030303333333030333033303030303033333030303030303030303030303030303030303Criteria
There is an entity with the clearly assigned responsibility to lead and/or coordinate national cybersecurity awareness activities.
Accepted referencesLegal act, official document, or official website
-
-
8. PROTECTION OF PERSONAL DATA44444444444444444444444444442444444444444444444444444444440404044424044444442404040404
-
8.1. Personal data protection legislation22222222222222222222222222222222222222222222222222222222220202022222022222222202020202Criteria
There is a legal act for personal data protection that is applicable to the protection of data online or in digital form.
Accepted referencesLegal act
-
8.2. Personal data protection authority22222222222222222222222222220222222222222222222222222222220202022202022222220202020202Criteria
An independent public supervisory authority has been designated and allocated powers to supervise personal data protection.
Accepted referencesLegal act or official website
-
RESPONSIVE CYBERSECURITY INDICATORS
-
9. CYBER INCIDENT RESPONSE111414141114141414141414141414149141114914121414141114141491491461411141114914111481411148141114314814814314814614014214614014014014014014314014014
-
9.1. National incident response capacity33333333333333333333333333333333333333333333333333330333333303330303330303030303330303Criteria
There is a CERT designated with nationwide responsibilities for cyber incident detection and response.
Accepted referencesLegal act or official website
-
9.2. Incident reporting obligations33333333333333333333333333033333330333333333330303330303030333330303030303030303030303Criteria
Operators of critical information infrastructure and/or government institutions are obliged to notify the designated competent authorities about cyber incidents.
Accepted referencesLegal act or official website
-
9.3. Cyber incident reporting tool22222222222222220222020222222202020222220222222222220222220222020222020202020202020202Criteria
A publicly available official resource is provided for notifying competent authorities about cyber incidents.
Accepted referencesOfficial website
-
9.4. Single point of contact for international cooperation03330333333333330303033333333333030303030303033303030303030303030303030303030303030303Criteria
The government has designated a single point of contact for international cybersecurity cooperation.
Accepted referencesLegal act or official website
-
9.5. Participation in international incident response cooperation33333333333333333333333333333303333333333333033333333333330333030303330303030303030303Criteria
The national cyber incident response team (CSIRT/CERT/CIRT) participates in international or regional cyber incident response formats.
Accepted referencesOfficial website or official document
-
-
10. CYBER CRISIS MANAGEMENT79597959599959295959497929695959392909490929292959295929392929090909290929090929092929
-
10.1. Cyber crisis management plan22022202022202020202022202220202020202220222020202020202020202020202020202020202020202Criteria
The government has established a crisis management plan for large-scale cyber incidents.
Accepted referencesLegal act or official website
-
10.2. National cyber crisis management exercises33333333333333033333033303033333330303030303030333033303330303030303030303030303030303Criteria
Regular interagency cyber crisis management exercises or crisis management exercises with a cyber component are arranged at the national level at least every other year.
Accepted referencesExercise document, official website, or press release
-
10.3. Participation in international cyber crisis exercises22222222222222222222222222222222022202220202222222222222022222020202220222020222022222Criteria
The country participates in an international cyber crisis management exercise at least every other year.
Accepted referencesExercise document/website or press release
-
10.4. Operational crisis reserve02020202022202020202220202220202020202020202020202020202020202020202020202020202020202Criteria
A mechanism for engaging reserve support has been established to reinforce government bodies in managing cyber crises.
Accepted referencesLegal act or official website
-
-
11. FIGHT AGAINST CYBERCRIME16161416161616161616131613161616161616161616111616161616161613161416161691691611168166166165161116616616516141651614161116016816316616916616916016016016
-
11.1. Cybercrime offences in national law33333333333333333333333333333333333333333333333333333333033333333303333333333333030303Criteria
Cybercrime offences are defined in national legislation.
Accepted referencesLegal act
-
11.2. Procedural law provisions33333333330303333333333333333303333333333303333303330303033303333303030333033333030303Criteria
Legislation defines the powers and procedures for cybercrime investigations and proceedings and for the collection of electronic evidence.
Accepted referencesLegal act
-
11.3. Ratification of or accession to the Convention on Cybercrime22222222222222222222220222222222222202022202020202020202020202220202220202020202020202Criteria
The country has ratified or acceded to the Council of Europe (CoE) Convention on Cybercrime.
Accepted referencesLegal act on Convention ratification or accession, website of the CoE Treaty Office
-
11.4. Cybercrime investigation capacity33333333333333333333333333333333333333333333030303333333333303333303030303330333030303Criteria
Law enforcement has a specialised function and capacity to prevent and investigate cybercrime offences.
Accepted referencesLegal act or official website
-
11.5. Digital forensics capacity22022222222222222222222222222222022202020222020222220202222222022202020202020202020202Criteria
Law enforcement has a specialised function and capacity for digital forensics.
Accepted referencesLegal act, statute, official document, or official website
-
11.6. 24/7 contact point for international cybercrime33333333333333333333330333333333333303030303030303030303033303330303330303330303030303Criteria
The government has designated an international 24/7 point of contact for assistance on cybercrime and electronic evidence.
Accepted referencesOfficial website, legal act or statute
-
-
12. MILITARY CYBER DEFENCE66664646666666466646262626664626264606060626060626262626262606060606260626060626262606
-
12.1. Military cyber defence capacity22222222222222222222020202222202022202020202020202020202020202020202020202020202020202Criteria
Armed forces have designated units responsible for the cybersecurity of military operations and/or for cyber operations.
Accepted referencesLegal act, statute, other official document or official website
-
12.2. Military cyber doctrine22220202222222022202020202220202020202020202020202020202020202020202020202020202020202Criteria
The tasks, principles, and oversight of armed forces for military cyber operations are established by official doctrine or legislation.
Accepted referencesLegal act, official doctrine, or official website
-
12.3. Military cyber defence exercises22222222222222222222222222222222222202020222020222222222222202020202220222020222222202Criteria
Armed forces have conducted or participated in a cyber defence exercise or an exercise with a cyber defence component in the past three years.
Accepted referencesOfficial website or official document
-