- Albania
- Argentina
- Azerbaijan
- Bangladesh
- Belgium
- Botswana
- Canada
- Chile
- China
- Cyprus
- Czech Republic
- Dominican Republic
- Egypt
- Georgia
- Ghana
- Iraq
- Ireland
- Jordan
- Kiribati
- Latvia
- Libya
- Lithuania
- Mexico
- Moldova (Republic of)
- Montenegro
- Morocco
- Mozambique
- Myanmar
- New Zealand
- North Macedonia
- Oman
- Panama
- Poland
- Rwanda
- Saudi Arabia
- Slovakia
- The Bahamas
- Togo
- Tonga
- Ukraine
- United Kingdom
- United States
- Uruguay
- Zimbabwe
RANKING TIMELINE
Rank | Country | National Cyber Security Index | Digital development | Difference | ||
---|---|---|---|---|---|---|
3. | Australia | 87.50 | 82.21 | 5.29 | ||
4. | Estonia | 85.83 | 80.02 | 5.81 | ||
7. | Netherlands | 81.67 | 84.94 | -3.27 | ||
n/a | Canada 15.04.24 | 80.00 | ||||
47. | Angola | 17.50 | 32.55 | -15.05 | ||
STRATEGIC CYBERSECURITY INDICATORS
-
1. CYBERSECURITY POLICY31.01.24151529.11.2391530.04.24121515.04.24151529.11.23315
-
1.1. High-level cybersecurity leadership31.01.243329.11.233330.04.243315.04.243329.11.2303Criteria
The country has appointed governmental leadership responsible for cybersecurity at the national level.
Accepted referencesLegal act, national strategy, official statutes or terms of reference, or official website
-
1.2. Cybersecurity policy development31.01.243329.11.233330.04.240315.04.243329.11.2333Criteria
There is a competent entity in the central government to whom responsibility is assigned for national cybersecurity strategy and policy development.
Accepted referencesLegal act, official statute or terms of reference, or official website
-
1.3. Cybersecurity policy coordination31.01.243329.11.233330.04.243315.04.243329.11.2303Criteria
The country has a regular official format for cybersecurity policy coordination at the national level.
Accepted referencesLegal act, official statute or terms of reference, or official website
-
1.4. National cybersecurity strategy31.01.243329.11.230330.04.243315.04.243329.11.2303Criteria
The central government has established a national-level cybersecurity strategy defining strategic cybersecurity objectives and measures to improve cybersecurity across society.
Accepted referencesValid official document
-
1.5. National cybersecurity strategy action plan31.01.243329.11.230330.04.243315.04.243329.11.2303Criteria
The central government has established an action plan to implement the national cybersecurity strategy.
Accepted referencesCurrent official document, legal act, or official statement
-
-
2. GLOBAL CYBERSECURITY CONTRIBUTION31.01.246629.11.236630.04.244615.04.246629.11.2336
-
2.1. Cyber diplomacy engagements31.01.243329.11.233330.04.243315.04.243329.11.2333Criteria
The government contributes to international or regional cooperation formats dedicated to cybersecurity and cyber stability.
Accepted referencesOfficial website of the organisation or cooperation format, official statement or contribution
-
2.2. Commitment to international law in cyberspace31.01.241129.11.231130.04.241115.04.241129.11.2301Criteria
The country has an official position on the application of international law, including human rights, in the context of cyber operations.
Accepted referencesOfficial document or statement, international indexes
-
2.3. Contribution to international capacity building in cybersecurity31.01.242229.11.232230.04.240215.04.242229.11.2302Criteria
The country has led or supported cybersecurity capacity building for another country in the past three years.
Accepted referencesOfficial website or project document
-
-
3. EDUCATION AND PROFESSIONAL DEVELOPMENT31.01.24101029.11.23101030.04.24101015.04.2461029.11.23010
-
3.1. Cyber safety competencies in primary education31.01.242229.11.232230.04.242215.04.240229.11.2302Criteria
Primary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.
Accepted referencesOfficial curriculum or official report
-
3.2. Cyber safety competencies in secondary education31.01.242229.11.232230.04.242215.04.240229.11.2302Criteria
Secondary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.
Accepted referencesOfficial curriculum or official report
-
3.3. Undergraduate cybersecurity education31.01.242229.11.232230.04.242215.04.242229.11.2302Criteria
At least one undergraduate education programme is available in the country to train students in cybersecurity.
Accepted referencesAccredited study programme
-
3.4. Graduate cybersecurity education31.01.243329.11.233330.04.243315.04.243329.11.2303Criteria
At least one cybersecurity education programme is available in the country at the graduate level.
Accepted referencesAccredited study programme
-
3.5. Association of cybersecurity professionals31.01.241129.11.231130.04.241115.04.241129.11.2301Criteria
A professional association of cybersecurity specialists, managers, or auditors exists in the country.
Accepted referencesOfficial website
-
-
4. CYBERSECURITY RESEARCH AND DEVELOPMENT31.01.244429.11.232430.04.242415.04.242429.11.2304
-
4.1. Cybersecurity research and development programmes31.01.242229.11.232230.04.242215.04.242229.11.2302Criteria
A cybersecurity research and development (R&D) programme or institute exists and is recognised and/or supported by the government.
Accepted referencesOfficial programme or official website
-
4.2. Cybersecurity doctoral studies31.01.242229.11.230230.04.240215.04.240229.11.2302Criteria
An officially recognised PhD programme exists accommodating research in cybersecurity.
Accepted referencesOfficial programme or official website
-
PREVENTIVE CYBERSECURITY INDICATORS
-
5. CYBERSECURITY OF CRITICAL INFORMATION INFRASTRUCTURE31.01.2491229.11.2391230.04.2491215.04.2491229.11.23012
-
5.1. Identification of critical information infrastructure31.01.243329.11.233330.04.243315.04.243329.11.2303Criteria
There is a framework or a mechanism to identify operators of critical information infrastructure.
Accepted referencesLegal or administrative act
-
5.2. Cybersecurity requirements for operators of critical information infrastructure31.01.243329.11.233330.04.243315.04.240329.11.2303Criteria
Operators of critical (information) infrastructure are required to assess and manage cyber risks and/or implement cybersecurity measures.
Accepted referencesLegal act, or mandatory cybersecurity framework or standard
-
5.3. Cybersecurity requirements for public sector organisations31.01.243329.11.233330.04.240315.04.243329.11.2303Criteria
Public sector organisations are required to assess and manage cyber risks and/or implement cybersecurity measures.
Accepted referencesLegal or administrative act, mandatory cybersecurity framework or standard
-
5.4. Competent supervisory authority31.01.240329.11.230330.04.243315.04.243329.11.2303Criteria
A competent authority has been designated and allocated powers to supervise the implementation of cyber/information security measures.
Accepted referencesLegal act or official website
-
-
6. CYBERSECURITY OF DIGITAL ENABLERS31.01.2481229.11.23101230.04.24101215.04.2441229.11.23212
-
6.1. Secure electronic identification31.01.242229.11.232230.04.242215.04.240229.11.2302Criteria
A national electronic identification solution exists that allows for officially recognised and secure electronic identification of natural and/or legal persons.
Accepted referencesLegal act, nationally recognised identification scheme, or official website
-
6.2. Electronic signature31.01.242229.11.232230.04.242215.04.242229.11.2322Criteria
A nationally recognised and publicly available solution exists to issue secure and legally binding electronic signatures.
Accepted referencesLegal act or official website
-
6.3. Trust services31.01.240229.11.232230.04.242215.04.240229.11.2302Criteria
Trust services (e.g. digital certificates, timestamps, private key management service) are regulated, at least for use in the public sector.
Accepted referencesLegal act or official website
-
6.4. Supervisory authority for trust services31.01.240229.11.232230.04.242215.04.240229.11.2302Criteria
An independent authority has been designated and given the power to supervise trust services and trust service providers.
Accepted referencesLegal act or official website
-
6.5. Cybersecurity requirements for cloud services31.01.242229.11.232230.04.242215.04.242229.11.2302Criteria
Requirements are established for the secure use of cloud services in government and/or public sector organisations.
Accepted referencesLegal or administrative act, cybersecurity framework or standard
-
6.6. Supply chain cybersecurity31.01.242229.11.230230.04.240215.04.240229.11.2302Criteria
Requirements are established to identify and manage cybersecurity risks through the ICT supply chain.
Accepted referencesLegal act or official website
-
-
7. CYBER THREAT ANALYSIS AND AWARENESS RAISING31.01.2491229.11.23121230.04.2491215.04.2491229.11.23012
-
7.1. Cyber threat analysis31.01.243329.11.233330.04.243315.04.243329.11.2303Criteria
A government entity has been assigned the responsibility for national-level cybersecurity and/or cyber threat assessments.
Accepted referencesLegal act, statute, or official website
-
7.2. Public cyber threat reports31.01.243329.11.233330.04.243315.04.243329.11.2303Criteria
Public cyber threat reports and notifications are issued at least once a year.
Accepted referencesOfficial website, official social media channel, or public report
-
7.3. Public cybersecurity awareness resources31.01.243329.11.233330.04.243315.04.243329.11.2303Criteria
Public authorities provide publicly available cybersecurity advisories, tools, and resources for users, organisations, and ICT and cybersecurity professionals.
Accepted referencesOfficial website, public advisories
-
7.4. Cybersecurity awareness raising coordination31.01.240329.11.233330.04.240315.04.240329.11.2303Criteria
There is an entity with the clearly assigned responsibility to lead and/or coordinate national cybersecurity awareness activities.
Accepted referencesLegal act, official document, or official website
-
-
8. PROTECTION OF PERSONAL DATA31.01.244429.11.234430.04.244415.04.244429.11.2344
-
8.1. Personal data protection legislation31.01.242229.11.232230.04.242215.04.242229.11.2322Criteria
There is a legal act for personal data protection that is applicable to the protection of data online or in digital form.
Accepted referencesLegal act
-
8.2. Personal data protection authority31.01.242229.11.232230.04.242215.04.242229.11.2322Criteria
An independent public supervisory authority has been designated and allocated powers to supervise personal data protection.
Accepted referencesLegal act or official website
-
RESPONSIVE CYBERSECURITY INDICATORS
-
9. CYBER INCIDENT RESPONSE31.01.24111429.11.23141430.04.24141415.04.24141429.11.23014
-
9.1. National incident response capacity31.01.243329.11.233330.04.243315.04.243329.11.2303Criteria
There is a CERT designated with nationwide responsibilities for cyber incident detection and response.
Accepted referencesLegal act or official website
-
9.2. Incident reporting obligations31.01.243329.11.233330.04.243315.04.243329.11.2303Criteria
Operators of critical information infrastructure and/or government institutions are obliged to notify the designated competent authorities about cyber incidents.
Accepted referencesLegal act or official website
-
9.3. Cyber incident reporting tool31.01.242229.11.232230.04.242215.04.242229.11.2302Criteria
A publicly available official resource is provided for notifying competent authorities about cyber incidents.
Accepted referencesOfficial website
-
9.4. Single point of contact for international cooperation31.01.240329.11.233330.04.243315.04.243329.11.2303Criteria
The government has designated a single point of contact for international cybersecurity cooperation.
Accepted referencesLegal act or official website
-
9.5. Participation in international incident response cooperation31.01.243329.11.233330.04.243315.04.243329.11.2303Criteria
The national cyber incident response team (CSIRT/CERT/CIRT) participates in international or regional cyber incident response formats.
Accepted referencesOfficial website or official document
-
-
10. CYBER CRISIS MANAGEMENT31.01.247929.11.237930.04.245915.04.247929.11.2309
-
10.1. Cyber crisis management plan31.01.242229.11.230230.04.240215.04.242229.11.2302Criteria
The government has established a crisis management plan for large-scale cyber incidents.
Accepted referencesLegal act or official website
-
10.2. National cyber crisis management exercises31.01.243329.11.233330.04.243315.04.243329.11.2303Criteria
Regular interagency cyber crisis management exercises or crisis management exercises with a cyber component are arranged at the national level at least every other year.
Accepted referencesExercise document, official website, or press release
-
10.3. Participation in international cyber crisis exercises31.01.242229.11.232230.04.242215.04.242229.11.2302Criteria
The country participates in an international cyber crisis management exercise at least every other year.
Accepted referencesExercise document/website or press release
-
10.4. Operational crisis reserve31.01.240229.11.232230.04.240215.04.240229.11.2302Criteria
A mechanism for engaging reserve support has been established to reinforce government bodies in managing cyber crises.
Accepted referencesLegal act or official website
-
-
11. FIGHT AGAINST CYBERCRIME31.01.24161629.11.23161630.04.24131615.04.24161629.11.23916
-
11.1. Cybercrime offences in national law31.01.243329.11.233330.04.243315.04.243329.11.2333Criteria
Cybercrime offences are defined in national legislation.
Accepted referencesLegal act
-
11.2. Procedural law provisions31.01.243329.11.233330.04.240315.04.243329.11.2303Criteria
Legislation defines the powers and procedures for cybercrime investigations and proceedings and for the collection of electronic evidence.
Accepted referencesLegal act
-
11.3. Ratification of or accession to the Convention on Cybercrime31.01.242229.11.232230.04.242215.04.242229.11.2302Criteria
The country has ratified or acceded to the Council of Europe (CoE) Convention on Cybercrime.
Accepted referencesLegal act on Convention ratification or accession, website of the CoE Treaty Office
-
11.4. Cybercrime investigation capacity31.01.243329.11.233330.04.243315.04.243329.11.2333Criteria
Law enforcement has a specialised function and capacity to prevent and investigate cybercrime offences.
Accepted referencesLegal act or official website
-
11.5. Digital forensics capacity31.01.242229.11.232230.04.242215.04.242229.11.2302Criteria
Law enforcement has a specialised function and capacity for digital forensics.
Accepted referencesLegal act, statute, official document, or official website
-
11.6. 24/7 contact point for international cybercrime31.01.243329.11.233330.04.243315.04.243329.11.2333Criteria
The government has designated an international 24/7 point of contact for assistance on cybercrime and electronic evidence.
Accepted referencesOfficial website, legal act or statute
-
-
12. MILITARY CYBER DEFENCE31.01.246629.11.234630.04.246615.04.244629.11.2306
-
12.1. Military cyber defence capacity31.01.242229.11.232230.04.242215.04.242229.11.2302Criteria
Armed forces have designated units responsible for the cybersecurity of military operations and/or for cyber operations.
Accepted referencesLegal act, statute, other official document or official website
-
12.2. Military cyber doctrine31.01.242229.11.230230.04.242215.04.240229.11.2302Criteria
The tasks, principles, and oversight of armed forces for military cyber operations are established by official doctrine or legislation.
Accepted referencesLegal act, official doctrine, or official website
-
12.3. Military cyber defence exercises31.01.242229.11.232230.04.242215.04.242229.11.2302Criteria
Armed forces have conducted or participated in a cyber defence exercise or an exercise with a cyber defence component in the past three years.
Accepted referencesOfficial website or official document
-