National and European Frameworks for Cybersecurity and Legislation

Introduction to Cybersecurity and the Legislative Context

  • Definition of Cybersecurity: Cybersecurity encompasses specific measures used to protect digital systems, networks, and data from events that can cause significant harm.

  • Dimensions of Harm: Harm resulting from cybersecurity failures can manifest in four primary areas:

    • Financial: Direct monetary losses or theft.

    • Organizational: Disruptions to business processes and internal operations.

    • Legal: Non-compliance with laws, leading to lawsuits or regulatory fines.

    • Reputational: Loss of trust from stakeholders, clients, or the public.

  • The Practical Core (The CIA Triad): In practice, cybersecurity ensures three fundamental principles:

    • Confidentiality: Data is protected from unauthorized access.

    • Integrity: Data is not modified without proper authorization.

    • Availability: Systems and services are functional whenever they are required.

  • Holistic Perspective: Cybersecurity is explicitly defined as more than just a technical issue. It is a multi-dimensional organizational and legal matter because the ultimate consequences of incidents are borne by people and organizations, not the technology itself.

Fundamental Concepts in Cybersecurity

  • Threat: A potential cause of harm. Examples include:

    • Malicious activity: Such as phishing attacks.

    • Unintentional actions: Such as human error.

  • Vulnerability: A weakness within a system, process, or behavior that allows a threat to manifest. Sources of vulnerability include:

    • Weak passwords.

    • Unclear or non-existent procedural guidelines.

    • Uneducated or poorly trained users.

  • Risk: An assessment based on two specific factors:

    • The probability that a threat will exploit a specific vulnerability.

    • The magnitude of the damage (impact) if the exploit occurs.

  • Incident: Any undesirable or unusual event in an information system that may (or may not) jeopardize the security of systems or data. Characteristics include:

    • Nature: Can be accidental, technical, or caused by human error.

    • Examples: Incorrectly sending a sensitive document, losing a hardware device, or unauthorized access attempts.

    • Note on Scope: "Incident" is a broad term that does not necessarily imply malicious intent.

  • Incident vs. Cyberattack:

    • Cyberattack: A deliberate, malicious attempt to compromise a system with specific goals such as data theft, destruction/alteration of data, disruption of system operations, or financial gain. This always involves an attacker and intent.

    • Key Distinction: Every cyberattack qualifies as an incident, but not every incident (e.g., a hardware failure or accidental email) is a cyberattack.

  • Examples of Cyberattacks:

    • Phishing attacks.

    • Ransomware (extortion-based attacks).

    • DDoS (Distributed Denial of Service) attacks.

    • Exploitation of security vulnerabilities.

  • Incident Management Cycle:

    1. Detection: Identifying the event.

    2. Reaction: Responding to the event.

    3. Recovery: Restoring services and data.

    4. Analysis and Learning: Evaluating the incident to prevent future occurrences.

The Role of CSIRT Teams in Cybersecurity

  • Definition of CSIRT: The Computer Security Incident Response Team (CSIRT) is a specialized team responsible for the prevention, detection, analysis, and response to security incidents within ICT (information and communication technology) systems.

  • Primary Objectives:

    • Reducing overall risk.

    • Mitigating the consequences of incidents.

    • Ensuring the continuity of operations.

    • Serving as a central point for managing security within an organization, sector, or state.

  • Core Responsibilities:

    • Receiving and analyzing reports of security incidents.

    • Technical analysis of attacks (Malware, Phishing, DDoS, system breaches).

    • Coordinating response and recovery efforts.

    • Providing recommendations and guidelines for security improvements.

    • Monitoring threats and vulnerabilities.

    • User education and awareness building.

  • Classification of CSIRT Teams:

    • National CSIRT: Operates at the state level, coordinates protection of national infrastructure, and collaborates with international security bodies.

    • Sectoral CSIRT: Focuses on specific sectors (e.g., energy, healthcare, finance, education) and tailors measures to sector-specific risks.

    • Organizational CSIRT: Operates within a single company or organization to protect internal systems and provide rapid localized response.

  • Preventive vs. Reactive Roles:

    • Preventive Role: Threat monitoring, issuing warnings, education, and developing security policies.

    • Reactive Role: Rapid detection and analysis, technical assistance in system remediation, communication coordination, and documentation.

  • Collaboration Mechanisms: CSIRT teams must cooperate internationally because cyber threats are global. This includes sharing threat intelligence, resolving cross-border incidents, and standardizing security procedures.

CARNET and the Croatian National Framework

  • CARNET (Croatian Academic and Research Network): The national institution responsible for developing and maintaining the digital infrastructure for education, science, and the public sector in Croatia.

  • Strategic Role: Pervasive across the national digital ecosystem. It connects schools, faculties, and institutes, providing the core infrastructure for national digital resilience.

  • Infrastructural Responsibilities:

    • Developing and maintaining the national academic network.

    • Providing network, identity (authentication), and cloud services.

    • Maintaining educational platforms while ensuring high availability.

  • Integration with HR-CERT: HR-CERT operates within CARNET and serves as the National CSIRT for the Republic of Croatia. This allows for:

    • Fast information exchange.

    • Effective coordination of responses to serious threats.

    • Consolidation of technical expertise and infrastructure.

  • HR-CERT Mandate:

    • Protection of public information systems and citizens.

    • Processing incident reports and issuing warnings.

    • Coordinating responses to significant national cyber threats.

  • Security by Design: Cybersecurity is an embedded component of all CARNET services, covering traffic protection, authentication/authorization systems, and malware protection.

European Cybersecurity Framework and ENISA

  • Context for EU Cooperation: Because cyberattacks frequently transcend national borders, the EU requires a systemic, coordinated reaction.

  • ENISA (European Union Agency for Cybersecurity):

    • Role: A central expert and advisory body supporting the development of policies, standards, and capacities for EU member states.

    • Key Distinction: ENISA does not have an operational role in remediating individual incidents; it supports the structural framework.

  • Objectives of ENISA:

    • Increasing EU resilience to cyberattacks.

    • Ensuring a high common level of security for network and information systems.

    • Closing the gap between different levels of readiness among member states.

    • Facilitating the implementation of the NIS and NIS2 Directives.

EU-CyCLONe and Cyber Crisis Management

  • EU-CyCLONe (European Cyber Crisis Liaison Organisation Network): A network designed to coordinate responses specifically for large-scale cyber crises at the EU level.

  • Concept of a Cyber Crisis: A situation where a cyber incident:

    • Severely impacts state functioning (one or more states).

    • Threatens vital services, critical infrastructure, or public safety.

    • Necessitates political and strategic international coordination.

  • Incident vs. Crisis: An incident is technical/limited in scope. A crisis is large-scale with socio-economic or security consequences. Every crisis begins as an incident, but not all incidents become crises.

  • Activation Criteria: EU-CyCLONe activates when incidents cross borders, require multiple states to react together, or threaten EU-wide systems.

  • Functions of EU-CyCLONe:

    • Coordination of communication between states.

    • Ensuring a shared situational picture.

    • Aligning technical and political responses to avoid contradictory measures.

Institutional Hierarchy and Information Flow

  • Multilevel Model of Cooperation:

    1. Organizational Level: Where incidents are first detected.

    2. National Level: Comprised of CSIRT teams (e.g., HR-CERT) and state authorities.

    3. European Level: ENISA and EU-CyCLONe for strategic support.

  • Information Flow Protocol:

    • An incident is detected locally (organization).

    • If internal capabilities are exceeded or if there are broader implications, the National CSIRT (HR-CERT) is notified.

    • If the incident goes cross-border or becomes a crisis, it is escalated to ENISA and EU-CyCLONe for a common situational picture.

  • Risks of Poor Coordination: Without coordination, there is a risk of duplicated efforts, conflicting security measures, delays in reaction, and incomplete understanding of the threat.
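The multilevel model and the information flow protocol above amount to a small decision procedure: label the event using the page's own definitions (every cyberattack is an incident, every crisis begins as an incident) and decide which levels must be notified. The following Python is an added example written for these notes; it is not a procedure of CARNET, HR-CERT, ENISA or EU-CyCLONe. The report fields (`deliberate`, `internal_capability_exceeded`, `cross_border`, and so on), the thresholds, and the four sample reports are constructed assumptions for the illustration.

```python
"""Added example: classify a reported event (incident / cyberattack / crisis)
and derive the escalation path organization -> national CSIRT -> EU level,
following the definitions given in the notes. Field names, thresholds and
sample reports are assumptions made for this illustration, not any
institution's official procedure.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

# Levels of the multilevel model of cooperation.
ORG = "organization (local detection and response)"
NATIONAL = "national CSIRT (HR-CERT)"
EU = "ENISA / EU-CyCLONe"


class EventClass(Enum):
    INCIDENT = "incident"
    CYBERATTACK = "cyberattack"
    CRISIS = "crisis"


@dataclass
class EventReport:
    """What the detecting organization records about an event (assumed fields)."""
    description: str
    deliberate: bool = False                  # attacker and intent present?
    internal_capability_exceeded: bool = False
    broader_implications: bool = False        # other organizations affected?
    cross_border: bool = False
    affected_states: int = 1
    severe_state_impact: bool = False         # state functioning severely hit
    vital_services_threatened: bool = False   # critical infrastructure / safety
    needs_political_coordination: bool = False


def is_crisis(r: EventReport) -> bool:
    """A cyber crisis per the notes: severe impact on state functioning, a
    threat to vital services or public safety, or a need for political and
    strategic international coordination (any one criterion suffices here)."""
    return (r.severe_state_impact or r.vital_services_threatened
            or r.needs_political_coordination)


def labels(r: EventReport) -> list[str]:
    """All applicable labels, nested as the notes describe: everything is an
    incident; deliberate events are also cyberattacks; some escalate to crises."""
    result = [EventClass.INCIDENT.value]
    if r.deliberate:
        result.append(EventClass.CYBERATTACK.value)
    if is_crisis(r):
        result.append(EventClass.CRISIS.value)
    return result


def classify(r: EventReport) -> EventClass:
    """Most severe applicable label (crisis > cyberattack > incident)."""
    return EventClass(labels(r)[-1])


def escalation_path(r: EventReport) -> list[str]:
    """Levels to notify, in order. EU-level activation criteria (cross-border,
    several states reacting together, a crisis) always pass through the
    national CSIRT, so the path never skips a level."""
    eu_level = r.cross_border or r.affected_states > 1 or is_crisis(r)
    national_level = (r.internal_capability_exceeded
                      or r.broader_implications or eu_level)
    path = [ORG]
    if national_level:
        path.append(NATIONAL)
    if eu_level:
        path.append(EU)
    return path


def triage(r: EventReport) -> dict:
    """One record a student or analyst could paste into incident documentation."""
    return {"event": r.description, "class": classify(r).value,
            "labels": labels(r), "notify": escalation_path(r)}


# Constructed sample reports, from a harmless mistake up to an EU-wide crisis.
SAMPLE_REPORTS = [
    EventReport("Sensitive document emailed to the wrong recipient"),
    EventReport("Credentials stolen via phishing; attacker logged in",
                deliberate=True, internal_capability_exceeded=True),
    EventReport("Ransomware at a public institution connected to partner institutions",
                deliberate=True, internal_capability_exceeded=True,
                broader_implications=True),
    EventReport("Ransomware wave disrupting hospitals in several member states",
                deliberate=True, internal_capability_exceeded=True,
                broader_implications=True, cross_border=True, affected_states=3,
                vital_services_threatened=True, needs_political_coordination=True),
]

if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        print(triage(report))
```

Running the block prints one triage record per sample report; the first stays within the organization, the phishing and single-institution ransomware cases notify HR-CERT, and only the multi-state hospital scenario reaches ENISA / EU-CyCLONe.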

Practical Application and Institutional Coordination

  • Typical Practical Scenarios:

    • Theft of credentials via phishing.

    • Ransomware infections.

    • Unauthorized access and data leaks.

    • System downtime due to technical errors or attacks.

  • Necessity of Institutional Support: Organizations cannot solve complex threats alone because of specialized knowledge requirements, legal reporting obligations, and the interconnected nature of attacks.

  • Documentation Requirements: Organizations must document the circumstances of incidents, measures taken, technical findings, and consequences.

  • Consequences of Failure: Poorly handled incidents result in data loss, prolonged business disruption, financial loss, reputational damage, and regulatory sanctions.

Assignment and Exercise: Managing a Cyber Incident

  • Scenario Description: Friday morning at a medium-sized public institution in Croatia. Employees report no access to systems. A ransomware message appears. Sensitive data is suspected to be compromised. The system is connected to external institutions.

  • Required Tasks for Students:

    • Analysis: Classify the event (incident, attack, or crisis) and list three risks.

    • Action Plan: Describe step-by-step technical, organizational, and communication measures in the first few hours.

    • Institutional Mapping: Identify the order of involving institutions (CARNET, HR-CERT) and determine when the event escalates to ENISA/EU-CyCLONe.

    • Reflection: Justify why the organization must not act in isolation.

  • Submission Details:

    • File Format: Word document converted to PDF.

    • Naming Convention: UTR_Surname_1_termin_utorak_16_6_2026.

    • Dates: Lecture/Exercise Term: 15.6.2026; Submission/Assignment Date: 16.6.2026.