The Icelandic National Cyber Security Strategy, published by the Minister of the Interior, was approved in April 2015. The strategy covers the years 2015–2026, setting out a vision for 2026 but also providing a 3-year plan of action (2015–2018): Icelandic National Cyber Security Strategy 2015–2026, Plan of action 2015–2018, Summary in English.
Obj. 1 - Capacity Building. The public, businesses and government should have the knowledge, skills and equipment needed to deal with cyber security threats.
Obj. 2 - Increased resilience. Key factors in enhanced resilience are greater capacity in the areas of assessment, preparedness and response. The aim is to raise the resilience of Iceland's information systems and their preparedness to a level comparable to other Nordic countries. Measures to achieve this include improving capacity in threat assessment, enhanced co-operation and making security concerns an integral part of the maintenance of cyber systems.
Obj. 3 - Strengthened legislation. Icelandic legislation should reflect the international demands and obligations regarding cyber security and the protection of personal data. Legislation should support innovation and the development of security-related services, such as hosting.
Obj. 4 - Tackling cybercrime. The police should have the professional knowledge, skills and equipment needed to resolve issues concerning cyber security.
NATIONAL CYBERSECURITY STRATEGY - NIS Capacities
|Year of adoption||
2015, covering the years 2015 to 2026; approved in April 2015 by the Minister of the Interior and published in June 2015.
Summary in English: eng.innanrikisraduneyti.is/media/frettir-2015/Icelandic_National_Cyber_Security_Summary_loka.pdf
|Updates and revisions||
A task force on cyber security was set up in 2013 to provide recommendations and formulate the government strategy on cyber security and the protection of IT infrastructure. Strategies of other Nordic countries were also examined alongside discussions with overseas peers.
A review process (every 4 years) will be implemented for the 3-year plan (2015-2018) to allow for new or revised measures, including for short periods of time.
|Implementation and monitoring||
The national strategy calls for the appointment of a special Cyber Security Council for government body representatives and a Cyber Security Forum for stakeholders in the public and private sectors. Timeline: 2015.
The Cyber Security Council takes responsibility for implementing the strategy under the Ministry of the Interior while the Cyber Security Forum is charged with coordinating projects involving stakeholders and creating the basis for collaboration on cyber security topics.
|Operational capacity building||
Measures to increase capacity include: awareness-raising; terminology of key definitions; education; postgraduate studies; secure by design principles; personal data protection (international standards and obligations).
CERT-IS is the National CSIRT (Computer Security Incident Response Team) and is part of the Cyber Security Council under the national strategy.
The primary constituency of CERT-IS is the telecommunication sector. The constituency also includes certain critical information infrastructure (CII) entities that have signed contracts with CERT-IS. Other entities outside the primary constituency are served on best-effort terms.
CERT-IS's role is to analyse cybersecurity threats and to give assistance to its primary constituency members, using both proactive and reactive measures to prevent cybersecurity incidents and to minimise their impact.
CERT-IS gives advice regarding threats and responses to its primary constituency members and publishes public warnings when needed.
Good legislation is considered to be a crucial factor for developing cyber security. Its importance is clear in many contexts: Iceland is a member of international agreements under which it is obliged to meet certain requirements in its domestic legislation. This applies to the Budapest Convention on Cybercrime of 2001.
As the Internet is international, it is important that Iceland’s legislation should be compatible with that of its neighbours as far as possible. Legislation must ensure personal data safety and serve as a basis to create an attractive environment for IT companies to operate and develop in. Legislation must not contain loopholes that might attract criminal organisations. The European Union’s strategy on cybersecurity must be taken into account in Iceland’s legislation. The use of cloud technology entails various legal implications and challenges. Attention must be given to what other countries, and the EU, are doing in this area and what legal interpretations they follow.
The legal environment in Iceland must also support software-related development and provide protection against cybercrime in order to deter criminal organisations from seeing the country as a suitable venue for their activities because of a low level of cyber security. At any given time, steps must be taken to evaluate how Iceland’s legislation stands in comparison with that of the other Nordic countries. Furthermore, the police must have the powers to enforce this legislation. Particular attention must be given to the protection of personal data: technical developments and standards can change very rapidly and it is important that the level of protection in Iceland is not lower than in other Nordic countries.
|Public Private Partnerships||
Iceland and Norway, as well as the other Nordic countries, cooperate against cyber threats in collaboration with international organizations such as the UN, the Council of Europe, the European Union and the Organization for Security and Cooperation
Specific educational measures will be taken to make Iceland’s IT environment more secure and more competitive in the international context. Priority is given to integrating security considerations in the initial plan to design reliable computer systems through security by design and privacy by design approaches.
Cybersecurity must form part of computer-related studies at all levels of the educational system. Moreover, such studies at university level must be upgraded, with closer collaboration with universities abroad to enable students graduating from Icelandic universities to undertake postgraduate studies in cyber security.
|Date of last WISER analysis||July 2017.|
Compliance with the GDPR and NIS Directive: Report a cyber incident
|Report a cyber incident to a national CERT/CSIRT||
CERT-IS (English) - Office hours: 9-17 (GMT) Mon-Fri.
The national cyber security strategy for Iceland stands out for its well-pondered approach to the creation of new legislation and also for its focus on security and privacy by design approaches. However, it lacks emphasis on risk management as central to addressing threats in cyberspace.
Monitoring and response capacity are to be increased so as to respond to an evolving threat landscape, through engagement across stakeholders, at multiple national levels, and through international co-operation.
|Languages||Icelandic and English|