Stock taking of information security training needs in critical sectors
The European Union's Directive on security of network and information systems (NIS Directive) asserts that "network and information systems and services play a vital role in society", and that the "magnitude, frequency and impact of security incidents are increasing, and represent a major threat". Given that urgency, the NIS Directive goes on to argue that "operators of essential services" need to identify "which services have to be considered as essential for the maintenance of critical societal and economic activities". These are the operators in the so-called critical sectors: energy, transport, banking, financial market infrastructures, health sector, drinking water supply and distribution, and digital infrastructure. The protection of these seven critical sectors should have the highest priority, because when they are under threat, the functioning of society itself and the well-being of its citizens are at stake. As part of this effort, it is extremely important to increase the competences of cyber security personnel. This requires the availability of high quality trainings across the board, available to all critical sectors. Within the critical sectors, there are significant differences in the maturity level of cyber security. Therefore, some critical infrastructure operators will not be as ready as others to counter the risks resulting from new cyber security threats in a timely and adequate manner. Given the emphasis that the NIS Directive places on the importance of the seven critical sectors, this study aims to identify the current situation in these sectors with regard to the available cyber security trainings, and whether there are any training needs specific to each of the sectors, beyond the generic needs for such trainings.
Over the past years, ENISA has developed a wide range of cyber security trainings and has delivered the training content to several national and governmental CSIRTs (Computer Security Incident Response Teams) as well as their constituents. The next important question that this study set out to answer is whether, and how, the ENISA training portfolio is actually useful for the seven critical sectors, and what could be done to improve the fit of that portfolio to the existing training needs.

The main general conclusions are:

- the cyber security training field is extensive and diversified, but does not sufficiently address the issue of raising the cyber security resilience of critical infrastructure: CIP-related trainings are still a niche;
- there is a shortage of specialised trainings in the field of ICS/SCADA cyber security, which is an essential element in countering operational threats (e.g. in the energy sector);
- there are very few trainings specialising in the specific threats encountered in the different (sub)sectors;
- cyber security awareness raising trainings are lagging behind;
- there is a shortage of trainings on decision making in the aftermath of data leakages or privacy incidents;
- there is a pressing need for trainings related to the GDPR, since it will affect every sector and could have an operational impact on the organisation.

As for the fit of ENISA's current training offer to the needs of the seven critical sectors, the study has found that:

- ENISA should present the context of threats and risks related to each sector in the trainings. In particular, dependencies and mutual influence of infrastructures operating in different sectors should be explained, as well as their possible impact on cyber security issues concerning e.g. global payments or air traffic control;
- ENISA should provide trainings in more local languages;
- ENISA should determine whether cyber ranges and gamification-based trainings are likely to provide a more effective approach than traditional trainings. On-demand training accessibility is gaining in importance;
- ENISA is advised to organise a pilot study in, for instance, the transport sector to further gauge the results of this study and come to implementable proposals on how to improve the training situation in that sector. This approach may be used for other sectors too.
Year of publication: 2017
Institutions: European Network and Information Security Agency (issuing body)
Publisher: Heraklion : ENISA