STRATEGIC CYBERSECURITY INDICATORS

• 1. CYBERSECURITY POLICY
  15

  15

  9

  15

  6

  15
  • 1.1. High-level cybersecurity leadership
    3

    3

    0

    3

    3

    3
    Criteria

    The country has appointed governmental leadership responsible for cybersecurity at the national level.

    Accepted references

    Legal act, national strategy, official statutes or terms of reference, or official website

  • 1.2. Cybersecurity policy development
    3

    3

    3

    3

    3

    3
    Criteria

    There is a competent entity in the central government to whom responsibility is assigned for national cybersecurity strategy and policy development.

    Accepted references

    Legal act, official statute or terms of reference, or official website
    

  • 1.3. Cybersecurity policy coordination
    3

    3

    3

    3

    0

    3
    Criteria

    The country has a regular official format for cybersecurity policy coordination at the national level.

    Accepted references

    Legal act, official statute or terms of reference, or official website

  • 1.4. National cybersecurity strategy
    3

    3

    3

    3

    0

    3
    Criteria

    The central government has established a national-level cybersecurity strategy defining strategic cybersecurity objectives and measures to improve cybersecurity across society.

    Accepted references

    Valid official document

  • 1.5. National cybersecurity strategy action plan
    3

    3

    0

    3

    0

    3
    Criteria

    The central government has established an action plan to implement the national cybersecurity strategy.

    Accepted references

    Current official document, legal act, or official statement

• 2. GLOBAL CYBERSECURITY CONTRIBUTION
  0

  6

  4

  6

  3

  6
  • 2.1. Cyber diplomacy engagements
    0

    3

    3

    3

    3

    3
    Criteria

    The government contributes to international or regional cooperation formats dedicated to cybersecurity and cyber stability. (The indicator is limited to strategic-level cooperation; operational-level incident response cooperation and cross-border law enforcement cooperation are addressed separately under other indicators.)

    Accepted references

    Official website of the organisation or cooperation format, official statement or contribution

  • 2.2. Commitment to international law in cyberspace
    0

    1

    1

    1

    0

    1
    Criteria

    The country has an official position on the application of international law, including human rights, in the context of cyber operations.

    Accepted references

    Official document or statement, international indexes

  • 2.3. Contribution to international capacity building in cybersecurity
    0

    2

    0

    2

    0

    2
    Criteria

    The country has led or supported cybersecurity capacity building for another country in the past three years.

    Accepted references

    Official website or project document

• 3. EDUCATION AND PROFESSIONAL DEVELOPMENT
  4

  10

  8

  10

  5

  10
  • 3.1. Cyber safety competencies in primary education
    0

    2

    2

    2

    0

    2
    Criteria

    Primary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.

    Accepted references

    Official curriculum or official report

  • 3.2. Cyber safety competencies in secondary education
    0

    2

    0

    2

    0

    2
    Criteria

    Secondary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.

    Accepted references

    Official curriculum or official report

  • 3.3. Undergraduate cybersecurity education
    0

    2

    2

    2

    2

    2
    Criteria

    At least one undergraduate education programme is available in the country to train students in cybersecurity.

    Accepted references

    Accredited study programme

  • 3.4. Graduate cybersecurity education
    3

    3

    3

    3

    3

    3
    Criteria

    At least one cybersecurity education programme is available in the country at the graduate level.

    Accepted references

    Accredited study programme

  • 3.5. Association of cybersecurity professionals
    1

    1

    1

    1

    0

    1
    Criteria

    A professional association of cybersecurity specialists, managers, or auditors exists in the country.

    Accepted references

    Official website

• 4. CYBERSECURITY RESEARCH AND DEVELOPMENT
  2

  4

  0

  4

  2

  4
  • 4.1. Cybersecurity research and development programmes
    0

    2

    0

    2

    0

    2
    Criteria

    A cybersecurity research and development (R&D) programme or institute exists and is recognised and/or supported by the government.

    Accepted references

    Official programme or official website

  • 4.2. Cybersecurity doctoral studies
    2

    2

    0

    2

    2

    2
    Criteria

    An officially recognised PhD programme exists accommodating research in cybersecurity.

    Accepted references

    Official programme or official website

PREVENTIVE CYBERSECURITY INDICATORS

• 5. CYBERSECURITY OF CRITICAL INFORMATION INFRASTRUCTURE
  6

  12

  6

  12

  12

  12
  • 5.1. Identification of critical information infrastructure
    3

    3

    3

    3

    3

    3
    Criteria

    There is a framework or a mechanism to identify operators of critical information infrastructure.

    Accepted references

    Legal or administrative act

  • 5.2. Cybersecurity requirements for operators of critical information infrastructure
    0

    3

    0

    3

    3

    3
    Criteria

    Operators of critical (information) infrastructure are required to assess and manage cyber risks and/or implement cybersecurity measures.

    Accepted references

    Legal act, or mandatory cybersecurity framework or standard

  • 5.3. Cybersecurity requirements for public sector organisations
    0

    3

    3

    3

    3

    3
    Criteria

    Public sector organisations are required to assess and manage cyber risks and/or implement cybersecurity measures.

    Accepted references

    Legal or administrative act, mandatory cybersecurity framework or standard

  • 5.4. Competent supervisory authority
    3

    3

    0

    3

    3

    3
    Criteria

    A competent authority has been designated and allocated powers to supervise the implementation of cyber/information security measures.

    Accepted references

    Legal act or official website

• 6. CYBERSECURITY OF DIGITAL ENABLERS
  8

  12

  6

  12

  4

  12
  • 6.1. Secure electronic identification
    2

    2

    2

    2

    2

    2
    Criteria

    A national electronic identification solution exists that allows for officially recognised and secure electronic identification of natural and/or legal persons.

    Accepted references

    Legal act, nationally recognised identification scheme, or official website

  • 6.2. Electronic signature
    2

    2

    2

    2

    2

    2
    Criteria

    A nationally recognised and publicly available solution exists to issue secure and legally binding electronic signatures.

    Accepted references

    Legal act or official website

  • 6.3. Trust services
    2

    2

    0

    2

    0

    2
    Criteria

    Trust services (e.g. digital certificates, timestamps, private key management service) are regulated, at least for use in the public sector.

    Accepted references

    Legal act or official website

  • 6.4. Supervisory authority for trust services
    2

    2

    0

    2

    0

    2
    Criteria

    An independent authority has been designated and given the power to supervise trust services and trust service providers.

    Accepted references

    Legal act or official website

  • 6.5. Cybersecurity requirements for cloud services
    0

    2

    0

    2

    0

    2
    Criteria

    Requirements are established for the secure use of cloud services in government and/or public sector organisations.

    Accepted references

    Legal or administrative act, cybersecurity framework or standard

  • 6.6. Supply chain cybersecurity
    0

    2

    2

    2

    0

    2
    Criteria

    Requirements are established to identify and manage cybersecurity risks through the ICT supply chain.

    Accepted references

    Legal act or official website

• 7. CYBER THREAT ANALYSIS AND AWARENESS RAISING
  3

  12

  6

  12

  9

  12
  • 7.1. Cyber threat analysis
    0

    3

    0

    3

    3

    3
    Criteria

    A government entity has been assigned the responsibility for national-level cybersecurity and/or cyber threat assessments.

    Accepted references

    Legal act, statute, or official website

  • 7.2. Public cyber threat reports
    0

    3

    3

    3

    3

    3
    Criteria

    Public cyber threat reports and notifications are issued at least once a year.

    Accepted references

    Official website, official social media channel, or public report

  • 7.3. Public cybersecurity awareness resources
    3

    3

    3

    3

    3

    3
    Criteria

    Public authorities provide publicly available cybersecurity advisories, tools, and resources for users, organisations, and ICT and cybersecurity professionals.

    Accepted references

    Official website, public advisories

  • 7.4. Cybersecurity awareness raising coordination
    0

    3

    0

    3

    0

    3
    Criteria

    There is an entity with the clearly assigned responsibility to lead and/or coordinate national cybersecurity awareness activities.

    Accepted references

    Legal act, official document, or official website

• 8. PROTECTION OF PERSONAL DATA
  4

  4

  4

  4

  4

  4
  • 8.1. Personal data protection legislation
    2

    2

    2

    2

    2

    2
    Criteria

    There is a legal act for personal data protection that is applicable to the protection of data online or in digital form.

    Accepted references

    Legal act

  • 8.2. Personal data protection authority
    2

    2

    2

    2

    2

    2
    Criteria

    An independent public supervisory authority has been designated and allocated powers to supervise personal data protection.

    Accepted references

    Legal act or official website

RESPONSIVE CYBERSECURITY INDICATORS

• 9. CYBER INCIDENT RESPONSE
  11

  14

  8

  14

  11

  14
  • 9.1. National incident response capacity
    3

    3

    3

    3

    3

    3
    Criteria

    There is a CERT designated with nationwide responsibilities for cyber incident detection and response.

    Accepted references

    Legal act or official website

  • 9.2. Incident reporting obligations
    0

    3

    3

    3

    3

    3
    Criteria

    Operators of critical information infrastructure and/or government institutions are obliged to notify the designated competent authorities about cyber incidents.

    Accepted references

    Legal act or official website

  • 9.3. Cyber incident reporting tool
    2

    2

    2

    2

    2

    2
    Criteria

    A publicly available official resource is provided for notifying competent authorities about cyber incidents.

    Accepted references

    Official website

  • 9.4. Single point of contact for international cooperation
    3

    3

    0

    3

    0

    3
    Criteria

    The government has designated a single point of contact for international cybersecurity cooperation.

    Accepted references

    Legal act or official website

  • 9.5. Participation in international incident response cooperation
    3

    3

    0

    3

    3

    3
    Criteria

    The national cyber incident response team (CSIRT/CERT/CIRT) participates in international or regional cyber incident response formats.

    Accepted references

    Official website or official document

• 10. CYBER CRISIS MANAGEMENT
  0

  9

  2

  9

  2

  9
  • 10.1. Cyber crisis management plan
    0

    2

    0

    2

    0

    2
    Criteria

    The government has established a crisis management plan for large-scale cyber incidents.

    Accepted references

    Legal act or official website

  • 10.2. National cyber crisis management exercises
    0

    3

    0

    3

    0

    3
    Criteria

    Regular interagency cyber crisis management exercises or crisis management exercises with a cyber component are arranged at the national level at least every other year.

    Accepted references

    Exercise document, official website, or press release

  • 10.3. Participation in international cyber crisis exercises
    0

    2

    2

    2

    2

    2
    Criteria

    The country participates in an international cyber crisis management exercise at least every other year.

    Accepted references

    Exercise document/website or press release

  • 10.4. Operational crisis reserve
    0

    2

    0

    2

    0

    2
    Criteria

    A mechanism for engaging reserve support has been established to reinforce government bodies in managing cyber crises.

    Accepted references

    Legal act or official website

• 11. FIGHT AGAINST CYBERCRIME
  13

  16

  13

  16

  8

  16
  • 11.1. Cybercrime offences in national law
    3

    3

    3

    3

    3

    3
    Criteria

    Cybercrime offences are defined in national legislation.

    Accepted references

    Legal act

  • 11.2. Procedural law provisions
    3

    3

    0

    3

    3

    3
    Criteria

    Legislation defines the powers and procedures for cybercrime investigations and proceedings and for the collection of electronic evidence.

    Accepted references

    Legal act

  • 11.3. Ratification of or accession to the Convention on Cybercrime
    2

    2

    2

    2

    0

    2
    Criteria

    The country has ratified or acceded to the Council of Europe (CoE) Convention on Cybercrime.

    Accepted references

    Legal act on Convention ratification or accession, website of the CoE Treaty Office

  • 11.4. Cybercrime investigation capacity
    3

    3

    3

    3

    0

    3
    Criteria

    Law enforcement has a specialised function and capacity to prevent and investigate cybercrime offences.

    Accepted references

    Legal act or official website

  • 11.5. Digital forensics capacity
    2

    2

    2

    2

    2

    2
    Criteria

    Law enforcement has a specialised function and capacity for digital forensics.

    Accepted references

    Legal act, statute, official document, or official website

  • 11.6. 24/7 contact point for international cybercrime
    0

    3

    3

    3

    0

    3
    Criteria

    The government has designated an international 24/7 point of contact for assistance on cybercrime and electronic evidence.

    Accepted references

    Official website, legal act or statute

• 12. MILITARY CYBER DEFENCE
  4

  6

  4

  6

  0

  6
  • 12.1. Military cyber defence capacity
    2

    2

    2

    2

    0

    2
    Criteria

    Armed forces have designated units responsible for the cybersecurity of military operations and/or for cyber operations.

    Accepted references

    Legal act, statute, other official document or official website

  • 12.2. Military cyber doctrine
    0

    2

    0

    2

    0

    2
    Criteria

    The tasks, principles, and oversight of armed forces for military cyber operations are established by official doctrine or legislation.

    Accepted references

    Legal act, official doctrine, or official website

  • 12.3. Military cyber defence exercises
    2

    2

    2

    2

    0

    2
    Criteria

    Armed forces have conducted or participated in a cyber defence exercise or an exercise with a cyber defence component in the past three years.

    Accepted references

    Official website or official document