Luxembourg (LU)

Current status: National Cyber Security Strategy

Year of publication: 2012.

Revisions and updates: A second version of the NCSS was approved and made law by the Government Council on 27.03.2015.

The task force in charge of revising the first version of 2012 operated under the authority of the High Commissioner for National Protection and was composed of representatives of the State’s Information Technology Centre, the government CERT, the Department of Media and Communications, the Ministry of the Economy, the Government Communications Centre, the Intelligence Service, the Grand Ducal Police Force and the Army.

The cybersecurity strategy is designed to protect the public and private actors against cyber threats while promoting economic and social development in cyberspace.
The government recognises that information security should not be considered as a burden, but rather as an opportunity. It is about democratising information security by promoting collaboration while reducing the complexity and costs to all stakeholders.
Luxembourg’s National cyber security strategy identifies 7 objectives, complemented by action plans resulting in specific timelines and the identification of actors responsible for the implementation of 41 different actions.


OB 1    Strengthen National Cooperation
OB 2    Strengthen International Cooperation
OB 3    Increase the resilience of the digital infrastructure
OB 4    Fight cybercriminality
OB 5    Inform, train and raise awareness on the risks involved
OB 6    Implement norms, standards, certificates, labels and frames of reference for requirements for the government and critical infrastructures
OB 7    Strengthen cooperation with the academic and research sphere

National Cyber Security Strategy

Year of adoption: 2012

Updates and revisions: A second version of the NCSS was approved and made enforceable by the Government Council on 27.03.2015.
The current NCSS 2.0 extends to 2017. NCSS 2.0 requests a review cycle every 3 years. The review process and elaboration for NCSS 3.0 will start mid-2017.

Implementation and monitoring: Luxembourg's Information Technology Centre, the government CERT, the Department of Media and Communications, the Ministry of Economy, the Government Communications Centre, the Intelligence Service, the Grand Ducal Police Force and the Army.

Main measures related to businesses

The current NCSS is focused on the public sector rather than the private sector, although businesses are touched to some extent by the seven objectives listed below:

  • Strengthen National Cooperation
  • Strengthen International Cooperation
  • Increase the resilience of the digital infrastructure
  • Fight cybercriminality
  • Inform, train and raise awareness on the risks involved
  • Implement norms, standards, certificates, labels and frames of reference for requirements for the government and critical infrastructures
  • Strengthen cooperation with the academic and research sphere

Risk assessment plan: NCSS 2.0 does not include a specific risk assessment plan to identify risks; however, risk assessment plans are the responsibility of ANSSI.lu, which was created under action item 1.1 of NCSS 2.0.

Progress measures

There are 4 meetings a year where all responsible actors have to provide an overview of the progress they made in their action items.

The results of those meetings are also presented on a regular basis to the Cyber Security Board, which is headed by M. Xavier Bettel, Ministre des Communications.

 

Current status: NIS Directive and national CERTs/CSIRTs

Computer security incident response teams (CSIRTs)

There are 4 public CERTs and 6 private CERTs (1 is a joint industry service) covering different sectors of the economy and society in Luxembourg.

GOVCERT.LU - government and critical infrastructures. It oversees the management of cyber-security incidents compromising Luxembourg, its citizens or its economy and is responsible for receiving, reviewing and responding to reports of such incidents. NCERT.LU (National CERT) acts as the official national point of contact for national and international governmental CERTs.

CIRCL - private sector, communes and non-governmental entities in Luxembourg. Its activities include coordinating communication among national and international incident response teams during security emergencies and helping prevent future incidents, providing a security-related alert and warning system for ICT users in Luxembourg, and fostering knowledge and awareness exchange in ICT security.

HealthNet-CSIRT (Agence eSanté) - health sector: health professionals and institutions in the sector.

RESTENA-CSIRT - education and research sector

Malware.lu CERT - private CSIRT providing expertise in incident response and malware analysis to private customers and governmental entities. Follows guidelines of NIST (National Institute of Standards and Technology).

Excellium CSIRT (CERT-XLM) - Excellium's commercial CERT providing services and response services. In BE and LU: mostly service providers, finance and insurance organisations, but it also provides response services outside these countries.

Clearstream – Deutsche Boerse CERT (DBG-CERT) - all systems hosted and owned by Deutsche Boerse Group.

eBRC/POST SOC - response team operated by POST group, the largest provider of postal and telecommunications services, also offering financial services.

IBM-Sogeti Security Operation Center (SOC) - In Luxembourg, the joint IBM and Sogeti SOC ensures compliance with local regulations in the national market.

Telindus-CSIRT - private CSIRT owned and operated by Telindus S.A., a national and international cloud service provider and telecom operator. Its CSIRT team responds to cyber-security and computer security incidents from or targeting its own autonomous system (ASN-Telindus-Telecom).

Best practices:

GOVCERT.LU acts as the single point of contact dedicated to the treatment of all computer related incidents jeopardising the information systems of the government and defined critical infrastructure operators operating in Luxembourg, whether they are public or private.

By law, there has to be a national overview of cyber incidents to identify patterns and also because it is important to know what is going on at the national level so actions can be taken.

Monitoring system

At national level there is a high-level security board (Cyber Security Board - CSB) to share information through official channels and share technical details with national partners.

The Luxembourg national CERT is one of the drivers of the NIS platform and fosters sharing information as widely as possible across geographies and borders, with the 7 private CERTs also actively supporting this practice.

Report an incident: GOVCERT.LU, http://govcert.lu/en/report_incident.html

Languages: English, French, Dutch

Date inserted: July 2016

 
