National data protection regulation is adopted
Review of legislation, strategies, and documents to verify whether national data protection regulation is adopted.
National data protection regulation is fully harmonised with the EU general data protection regulation (GDPR)
Review of legislation, strategies, and documents to verify whether national data protection regulation is fully harmonised with the EU general data protection regulation (GDPR).
A responsible body oversees and enforces the data protection regulation
Ensure a responsible body exists to oversee and enforce the data protection regulation.
A national cyber security regulation and standard are adopted
Review of legislation, strategies, and documents to ensure a national cyber security regulation and standard are adopted.
A national cyber security regulation is fully harmonised with the EU Network and Information Security (NIS) Directive
Review of legislation, strategies, and documents to verify whether the national cyber security regulation is fully harmonised with the EU Network and Information Security (NIS) Directive.
Public sector entities are in compliance with cyber security standards (%)
Assessment of compliance with cyber security standards by public sector entities. The percentage should be obtained from a recent (no older than 1 year) audit of compliance with cyber security standards. Points are allocated based on the percentage of public sector entities in compliance with cyber security standards (x):
• x < 33% = 0 points.
• 33% ≤ x < 67% = linear function.
• x ≥ 67% = 1 point.
A national cyber security strategy is adopted and implemented, at least for public administration
Verify if the national cyber security strategy is adopted and implemented, at least for the public administration.
The reported implementation rate of the national cyber security strategy (%)
Quantify the reported implementation rate of the national cyber security strategy. The percentage is calculated based on a monitoring report of the implementation of the strategy for the calendar year before the assessment. Points are allocated based on the reported implementation rate (x):
• x < 25% = 0 points.
• 25% ≤ x < 90% = linear function.
• x ≥ 90% = 1 point.
The governmental cyber response mechanism CERT/CIRT and/or SOC is established and fully operational
It is verified that a computer emergency response team (CERT) and/or cyber incident response team (CIRT) are operational together with a security operations centre (SOC).
Public servants having the needed cyber security skills (%)
Analysis of survey responses from a sample of public servants who were asked whether they agree with the following statement: “I have received enough training on cyber security skills to understand risks and know how to avoid them.” Answer options are: Strongly disagree, Tend to disagree, Neither disagree nor agree, Tend to agree, Strongly agree, Do not know, Prefer not to answer. Points are allocated based on the percentage of respondents who replied “Tend to agree” or “Strongly agree” to the statement (x):
• x < 10% = 0 points.
• 10% ≤ x < 90% = linear function.
• x ≥ 90% = 1 point.