
Setting up a comprehensive cyber resilience framework that is fully aligned with the EU NIS2 Directive is crucial for the digital e-government landscape.
This reform is aimed at building systems that are secure against cyber threats and will require harmonizing cybersecurity practices across diverse sectors.
1.3.1.1. The point of contact in the sense of the NIS2 Directive is established. The NIS2 Directive requires that all cybersecurity incidents be reported, whether or not the attack affected the entity's operations. This is to assist authorities in better monitoring and responding to any threats.
1.3.1.2. State and entity-level CSIRTs are operational in line with NIS2 requirements and reach the SIM3 model maturity profile for FIRST membership. Clear coordination mechanisms are set out among the CSIRTs in the country. Affected entities have 24 hours from the time they first become aware of an incident to submit an early warning to the CSIRT ("Computer Security Incident Response Team"), during which time they can also seek assistance.
1.3.1.3. Competent authorities as defined in NIS2 are operational at the state, entity and Brcko District levels: sufficiently staffed, equipped with supervisory powers, and performing supervisory checks. To preserve the integrity and security of public and private infrastructure, it is imperative to establish an efficient framework for cyber resilience that includes crisis management procedures and coordinated vulnerability detection.
1.3.1.4. Lists of entities in scope of the state, entity and Brcko District level laws corresponding to the NIS2 Directive are finalized. The NIS2 Directive obliges 'essential' entities to report and engage with the designated authorities in relation to cybersecurity incidents and threats. The essential list includes, among others: energy, drinking water, wastewater, transportation, banking, financial markets, governments and healthcare.
1.3.1.5. Frameworks introduced by NIS2 alignment (Coordinated Vulnerability Disclosure framework, crisis management framework) are in place and in use. This is to work closely with the European Union Agency for Cybersecurity (ENISA), which is working towards a harmonised approach to coordinated vulnerability disclosure.