Interview with LG magazine, translation by itrust consulting.
Are local authorities prepared to tackle the challenges of cybersecurity and the NIS2 Directive? How should they handle it? An interview with Lynn Pinto, DPO; Camar Houssein, SECaaS Manager; and Carlo Harpes, Managing Director of itrust consulting s.à r.l. and Chair of the (Luxembourg) Security Standards Committee.
How have public authorities been preparing for this new challenge?
Carlo: The text of the NIS2 Directive has been published since 2022; Luxembourg has opted for a transposition that is as simple and minimalist as possible; all entities involved in public procurement are covered; they will be required to manage cybersecurity risks, report their dependencies and security status as well as the outcome of their risk assessment to ILR. In addition, they must report incidents and, if necessary, will receive instructions from ILR on how to manage risks.
What remains to be done by the organizations?
Camar: We agree with ILR that the NIS2 Directive requires nothing more than a designated security officer. However, it imposes a human resources security policy, (formalized) access and asset management – that is to say, an inventory, with classification and assignment of responsibilities for these assets – and, most challenging of all, a risk assessment and management process that takes into account current norms, which are virtually unknown in the sector. We can easily train someone to assess risks, but such assessment remains uncertain, even for an expert. My manager always says that conducting a risk analysis is an art rather than a science, as this process must produce well-reasoned and ‘reproducible’ results.
Do organizations that are already GDPR-compliant have a head start?
Lynn: Clearly yes, and yet we still come across organizations that are badly prepared: with no record of processing activities, or incomplete ones; with no privacy notice easily available to data subjects; despite the law having been in force for seven years and the CNPD having hired over 60 officials to monitor and provide guidance. Recently, we have again come across municipal secretaries who are also DPOs, and are, therefore, in a conflict of interest, highlighting the decision-makers’ disregard for compliance, laws and regulations.
Who is responsible for this?
Carlo: The College of the Mayor and Aldermen – although we often feel sympathy for them, given how overwhelmed they are by such demands. Note that more than 100 local politicians have resigned since the start of their terms, three years ago. They cannot master every technical field, and the existing staff are reluctant to embrace change, sometimes refusing to accept responsibilities, despite enjoying exceptional job security. Added to this is overly rudimentary support from institutional bodies, with municipalities' autonomy serving as a partially valid excuse. And for NIS2, a poorly drafted list of requirements from the regulator.
Could you explain this particular feature of Luxembourg?
Camar: NIS2 requires us to follow current security standards in order to identify the appropriate safeguards. We are very familiar with these measures, and they are often already implemented by our clients: these include ISO/IEC 27002 for general security measures, 27001 for management and governance, 27701 for data protection, and 22301 for business continuity, now referred to as resilience. This knowledge is not included in the risk analysis tool promoted by ILR, and each entity will have to study and add it manually. Whilst one could allow free choice of tools, as the CSSF does, ILR imposes a very specific format, defined by a Luxembourgish tool and guidance that shows signs of immaturity. Electricity operators in Germany have committed to independent certifications based on ISO 27001, 27002 and 27019, carried out by state-accredited bodies. This creates an ecosystem with well-established control mechanisms (via OLAS), at similar prices, but with guarantees and a level of security far superior to our self-assessments.
How can we strengthen our collaboration?
Carlo: One model of collaboration is our joint project for Diekirch and Ettelbruck, which involves sharing the costs of our CISO support and which is already in place for the utilities sector. Some other municipalities wish to share a CISO role, just as some already share the municipal police service.
What remains to be done for NIS2, given that the GDPR has already been implemented?
Lynn: All that is ‘needed’ is to extend the incident management procedure and to plan or create a security management system. In other words, an organization should ideally appoint an internal or external CISO to monitor security across IT and business units, to train senior management, to implement a few additional security policies based on norms and tailor them to the needs of a small organization. And, finally, to document and manage risks.
What is the cost of complying with NIS2?
Camar: It is easy to become ‘compliant’, provided that: 1. staff are willing to take on new responsibilities; 2. they are available for an average of one day to undergo training, read the documentation, and help to identify and rectify issues; and 3. there is a budget of €15,000 to €30,000 for external support to create initial documentation, coach staff, and guide managers in managing risks.
What experiences have you had?
Carlo: Having submitted 15 analyses to the ILR, we are familiar with their methods and requirements. Having implemented data protection measures in 15 municipalities with limited budgets, we understand the context and have successfully brought them into compliance.
And is artificial intelligence (AI) useful in this context?
Lynn: As part of the CyFORT initiative, we will soon be offering a free AI tool to assist local authorities in inventorying their IT assets and improving their documentation, aiming at fostering interoperability between municipalities rather than with multinationals.
What are the biggest challenges in cybersecurity?
Carlo: Compliance is not security. It is easy to achieve compliance; it is difficult and costly to secure an infrastructure. We advocate quick wins: staff training, independent checks on system configurations, the use of open-source software, and thus investment in local skills rather than in IT licenses for poorly utilized IT products.

Interview with Lëtzebuerger Gemengen, translation by itrust consulting.
While the NIS2 Directive requires European organisations to achieve a significantly higher level of maturity in terms of security monitoring, SMEs face a disproportionate challenge: meeting detection, remediation and documentation requirements while operating with limited resources. In this context, itrust Abstractions Lab and itrust consulting are introducing an open technology stack based on two complementary systems developed as part of the CyFORT project: IDPS-ESCAPE (Intrusion Detection and Prevention System - Enhanced Security through a Cooperative Anomaly Prediction Engine), dedicated to intrusion detection and prevention, and SATRAP-DL (Semi-Automated Threat Reconnaissance and Analysis Powered by Description Logics), focused on cyber threat intelligence (CTI), contextualisation, correlation and incident management.
The three key subsystems — SONAR and RADAR for IDPS-ESCAPE, DECIPHER for SATRAP-DL — form a continuous chain from collection to analysis, from CTI enrichment to remediation, to the creation of structured cases in the open source flowintel platform, which offers tight and robust integration with the MISP ecosystem developed by CIRCL in Luxembourg, among others. This philosophy extends the one that guided the creation of IDPS-ESCAPE and SATRAP-DL: to provide free, transparent and auditable solutions that help organisations comply more easily with NIS2 obligations at low implementation cost while promoting internal control.
A dual architecture to meet all NIS2 requirements
IDPS-ESCAPE was initially designed as a platform combining sensors, an AI engine and automation to reduce false positives and help critical and important entities fulfil their continuous monitoring obligations. SATRAP-DL now complements this suite by adding an essential dimension: structured analysis of cybersecurity threats, comprehensive incident handling, and the ability to automatically link detection to an institutionalised, documented response that complies with regulatory expectations.
In practice, IDPS-ESCAPE provides technical monitoring and active response, i.e. the ability to identify, classify and prioritise anomalies using rules, statistical models and multivariate algorithms, as well as activate defensive actions. SATRAP-DL, with DECIPHER, provides the management layer, i.e. enrichment, advanced CTI analysis, case creation, correlation, escalation and documentation. This separation provides organisations with greater clarity: IDPS-ESCAPE deals with ‘what is happening’, while SATRAP-DL deals with ‘what is being done about it’. Together, they meet both the detection and incident management requirements of NIS2.
RADAR: SOAR execution within IDPS-ESCAPE
RADAR is the executive component of IDPS-ESCAPE, transforming alerts into real action. It is based on SOAR principles: orchestrate, automate and respond. Orchestration is based on Ansible, enabling automated and consistent deployment of Wazuh, its agents and all detectors within distributed infrastructures. Automation comes from the active response mechanism, which is capable of executing scripts without human intervention, whether to send a notification, block an IP address, restart a service or deactivate a user. Detection is based on a hybrid mechanism combining a signature-based approach and an anomaly detection solution based on the RRCF machine learning algorithm.
This operation is part of a risk management approach. Each detection is first qualified by a dynamic score that distinguishes between low, medium, and high scenarios. An anomaly deemed low gives rise to a simple notification sent to the analyst. A medium risk triggers a notification accompanied by the automatic creation of a case in Flowintel. A high risk can lead to more direct actions, such as taking a component out of service or applying stricter temporary countermeasures. The ability to modulate the response limits unnecessary interruptions while ensuring active defence.
SONAR: multivariate analysis that enhances IDPS-ESCAPE
The detection intelligence comes from SONAR, another subsystem of IDPS-ESCAPE. Where Wazuh rules detect known threats and Amazon's OpenSearch RRCF statistical algorithm identifies isolated atypical behaviour, SONAR adds a deeper dimension: multivariate detection over time series, powered by a deep learning algorithm. Microsoft's MTAD-GAT algorithm is at the heart of SONAR, enabling it to correlate a whole set of signals from Wazuh alerts simultaneously and so identify subtle patterns of compromise.
SONAR is lightweight and integrates seamlessly into the existing monitoring environment. It analyses alerts that have already been collected to identify those that are truly out of the ordinary. This approach significantly reduces the number of unnecessary signals and highlights situations that deserve immediate attention, helping teams focus on what matters most.
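An added illustration of why the multivariate view matters; this is not SONAR's code and uses a simple z-score stand-in rather than the MTAD-GAT model, with constructed per-minute alert counts, baseline length and thresholds. A single loud signal trips a per-rule alarm, while a quiet joint rise across several signals only surfaces when they are examined together.

```python
# Added example, not SONAR/IDPS-ESCAPE code. Statistical stand-in for the
# multivariate idea (not MTAD-GAT); series, baseline and thresholds are constructed.
from statistics import mean, pstdev

# Constructed per-minute alert counts for three Wazuh rule families (one row per minute).
SIGNALS = ["ssh_failed_login", "new_process", "outbound_connection"]
SERIES = [
    [3, 1, 2], [4, 1, 1], [2, 0, 2], [3, 1, 2], [5, 1, 1], [3, 0, 2],
    [40, 1, 2],   # minute 6: failed-login burst on its own (noisy scanner)
    [3, 1, 2], [4, 0, 1],
    [6, 2, 3],    # minute 9: modest rise in all three signals at once
    [3, 1, 2],
]
BASELINE = 6  # number of leading minutes taken as normal behaviour (assumed)

def zscores(row, baseline):
    """Per-signal z-score of one minute against the baseline rows."""
    out = []
    for i, x in enumerate(row):
        col = [r[i] for r in baseline]
        sd = pstdev(col) or 1.0   # flat signal: avoid division by zero
        out.append((x - mean(col)) / sd)
    return out

def univariate_hits(series, baseline=BASELINE, z_thr=3.0):
    """Minutes where ANY single signal crosses the threshold (per-rule alarm behaviour)."""
    base = series[:baseline]
    return [t for t in range(baseline, len(series))
            if max(zscores(series[t], base)) >= z_thr]

def multivariate_hits(series, baseline=BASELINE, z_thr=2.0, min_signals=2):
    """Minutes where at least `min_signals` signals deviate together."""
    base = series[:baseline]
    return [t for t in range(baseline, len(series))
            if sum(z >= z_thr for z in zscores(series[t], base)) >= min_signals]

if __name__ == "__main__":
    print("single-signal alarms at minutes:", univariate_hits(SERIES))
    print("joint-deviation alarms at minutes:", multivariate_hits(SERIES))
```

Minute 6 is flagged only by the per-signal rule and minute 9 only by the joint rule, which is the kind of correlated pattern a per-rule threshold cannot express.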
DECIPHER: CTI intelligence and incident management in SATRAP-DL
DECIPHER, within SATRAP-DL, intervenes after this initial detection to provide context. When RADAR flags suspicious activity, DECIPHER searches for additional information, such as whether the address or behaviour has already been associated with known attacks. This allows for a more accurate assessment of the severity of an alert and a tailored response.
A key element is direct integration with the open-source tool flowintel, which is used to document and track incidents. DECIPHER can automatically create a complete incident file, gathering useful information for the analyst. Thanks to this automation, every significant incident is recorded and can be handled in a structured manner. This capability is essential under NIS2, which requires traceability and systematic documentation of important events.
SATRAP-DL thus acts as a link between the technical signals detected by IDPS-ESCAPE and the operational management of incidents based on advanced analysis. It provides organisations, including SMEs, with a comprehensive and consistent process without the need to set up a costly dedicated team.
Seamless integration between IDPS-ESCAPE, SATRAP-DL and flowintel
The integration between IDPS-ESCAPE, SATRAP-DL and flowintel is seamless. IDPS-ESCAPE first identifies suspicious activity. SATRAP-DL, via DECIPHER, analyses it and extracts the elements necessary for risk assessment. If necessary, an incident is automatically opened in flowintel. The organisation can then monitor, escalate or resolve the case. This continuity makes it possible to quickly understand what happened, how it was handled and why certain measures were taken, which greatly facilitates NIS2 compliance.
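The chain just described, from RADAR's low/medium/high scoring through DECIPHER-style enrichment to a flowintel case, as an added example that is not IDPS-ESCAPE's or SATRAP-DL's own code: the tier thresholds, the score uplift on a CTI hit, the constructed indicator set and the case payload shape are all assumptions made for illustration.

```python
# Added example, not IDPS-ESCAPE/SATRAP-DL code: thresholds, the CTI indicator
# set, the score uplift and the case payload shape are assumptions.
LOW, MEDIUM, HIGH = "low", "medium", "high"

# Constructed CTI indicators standing in for a DECIPHER/MISP lookup.
KNOWN_BAD_IPS = {"203.0.113.7": "scanning infrastructure (constructed)"}

def tier(score: float) -> str:
    """Map a dynamic risk score in [0, 1] to RADAR's low/medium/high scenarios."""
    if score >= 0.8:
        return HIGH
    if score >= 0.5:
        return MEDIUM
    return LOW

def enrich(alert: dict) -> dict:
    """DECIPHER-style contextualisation: a CTI hit on the source IP raises the score."""
    ctx = KNOWN_BAD_IPS.get(alert.get("srcip"))
    score = min(1.0, alert["score"] + 0.3) if ctx else alert["score"]
    return {**alert, "score": score, "context": ctx}

def respond(alert: dict) -> dict:
    """Turn the risk tier into actions; `case` is what would be pushed to flowintel."""
    level = tier(alert["score"])
    actions = ["notify_analyst"]          # every tier: the analyst is told
    case = None
    if level in (MEDIUM, HIGH):           # medium and above: open a tracked case
        case = {"title": f"{alert['rule']} from {alert.get('srcip')}",
                "severity": level, "context": alert["context"],
                "alert_ids": [alert["id"]]}
        actions.append("open_flowintel_case")
    if level == HIGH:                     # high: active-response containment
        actions.append(f"block_ip:{alert['srcip']}" if alert.get("srcip")
                       else "isolate_source_component")
    return {"tier": level, "actions": actions, "case": case}

def pipeline(alerts: list) -> list:
    """Detection -> enrichment -> tiered response, one record per alert."""
    return [respond(enrich(a)) for a in alerts]

# Constructed alerts in a simplified Wazuh-like shape (not real telemetry).
SAMPLE_ALERTS = [
    {"id": "a1", "rule": "ssh_failed_login", "srcip": "198.51.100.4", "score": 0.2},
    {"id": "a2", "rule": "ssh_failed_login", "srcip": "203.0.113.7", "score": 0.55},
    {"id": "a3", "rule": "log_volume_anomaly", "srcip": None, "score": 0.6},
]

if __name__ == "__main__":
    for record in pipeline(SAMPLE_ALERTS):
        print(record)
```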
A sustainable adoption model for SMEs
The approach taken by itrust Abstractions Lab and itrust consulting goes beyond simple open-source publication. In exchange for three to four days of monitoring per month, ideally carried out by an internal IT specialist from the organisation adopting our solutions, the design team provides approximately two weeks of support, training and technical advice. For a limited period, this service is co-financed by the Ministry of Economy as part of its objective to promote the deployment of open cybersecurity solutions. This model allows small organisations to gradually strengthen their maturity while retaining the autonomy necessary to operate the stack on a daily basis. It is important to emphasise that an intrusion detection project does not replace the IT function, but rather complements it independently, reassuring management that the IT environment is functioning properly, that there are no major vulnerabilities and, in the event of an attack, that an immediate response will be initiated to limit its impact.
Publication and perspective
The SONAR, RADAR and DECIPHER subsystems, integrated into IDPS-ESCAPE and SATRAP-DL respectively, are available on GitHub. They provide advanced detection capabilities, automated response and rigorous incident management, all within a fully open, transparent framework that complies with NIS2 requirements. In addition, the technology stack ensures native integration with flowintel and MISP, optimising workflows for entities already using this widely recognised platform.
For more information, contact info@abstractionslab.lu or visit: https://abstractionslab.com/index.php/products/
We wish you a Peaceful Christmas and a Happy New Year 2026 Sending our wishes per email allows us to donate our
Abstractions Lab announces the release of IDPS-ESCAPE v0.6, now available on GitHub. This release continues the evolution initiated with the introduction of the RADAR subsystem in v0.4, and significantly strengthens IDPS-ESCAPE’s position as an open, modular, and research-driven SOAR (Security Orchestration, Automation, and Response) platform.
Following the functional expansion delivered throughout the v0.5 series, v0.6 focuses on consolidation, robustness, and maintainability. The release enhances RADAR’s operational scenarios, improves transparency through detailed documentation, and refactors the automation layer to support long-term evolution and reproducibility. The current scenario set includes signature-based detection of suspicious logins, GeoIP whitelist-based detection, and an anomaly-detection scenario using RRCF to monitor changes in log volume.
The CNIL[1] has published a study entitled ‘What are the economic benefits of having a DPO in a company?’, which shows that appointing a Data Protection Officer (DPO) offers companies more than just compliance and legal protection; it also provides them with a valuable economic resource.
You can find the entire CNIL study in its original French here: https://www.cnil.fr/fr/quels-benefices-economiques-du-dpo-en-entreprise
[1] Commission Nationale de l'Informatique et des Libertés, the French Data Protection Authority.