From telecommunications to energy, including the health and transport sectors, every company is subject to regulations that govern its activity and aim to prevent all kinds of risk. While some companies are concerned with environmental safety or personnel safety, for example, information security is becoming increasingly important in an ever more digital world.
To ensure compliance with these regulations, companies must not only apply good practices, but also manage their risks, submit their analyses and report incidents. This is a tedious and complex exercise for which there is often no clear methodology, no useful knowledge base, and no centralised tool.
This is where LIST researchers come in. In close collaboration with the Institut Luxembourgeois de Régulation (ILR) for the past ten years, LIST researchers have developed a prototype and then created a regulation platform called SERIMA (SEcurity RIsk Management). Designed by LIST and ILR and developed by Westpole Luxembourg SA, this platform allows operators to carry out risk analyses, particularly in the telecommunications sector.
Thanks to this platform, ILR interacts with the so-called regulated entities on the same interface. Each company concerned can receive notifications from the regulator, have a common methodology for carrying out risk analyses and report incidents according to the regulations in force. "This means that there are no more differences in format, methodology, data reconciliation or data comparison and analysis. There is only one platform that brings together, in a way, two sides of the same coin," explains Nicolas Mayer, a researcher at LIST who has been involved in this collaboration since the beginning. In addition, training courses are given every year to facilitate the use of the platform.
Already adopted in another case by the Belgian Institute for Postal Services and Telecommunications (BIPT), which is the competent authority for the telecommunications sector in Belgium, SERIMA is also intended to be applied to many other fields. Since 2020, ILR and LIST have been working on the preparation of methodologies and knowledge bases adapted to the NIS Directive (Network and Information Security) and the Luxembourg law that transposes it (law of 28 May 2019).
"We have been working for more than a year and a half on the integration of the NIS Directive, in addition to the telecommunications directive. Therefore other sectors such as water, electricity, gas, health and transport will eventually be able to use the platform," explains Sébastien Pineau, who is in charge of the project.
Beyond a prolific strategic partnership, LIST researchers and ILR share a common medium- and long-term vision, which enables them to constantly push back the boundaries of research for high-impact innovation. Over the past decade, the two parties have conducted numerous research projects, notably through their own investments, European funding and funding from the Luxembourg National Research Fund.
The ambitions of this long-standing partnership are great for the months and years to come, with the launch of functionalities that are unique in Europe: "Many risk management tools exist today, but no integrated platform makes it possible to bring together regulators and regulated companies, address several regulations, share sectoral libraries or analyse sectoral risk data. Tomorrow, the platform will integrate more intelligence and recommendations, and will allow regulators to access a complete mastery of the ecosystem of the sectors and players concerned, for more security and protection of the services concerned. Thanks to the help of our industrial partner Westpole, these functionalities are about to become a reality", concluded Nicolas and Sébastien.