EU Policymakers · ATLAS
Saad KADHI
European Commission · Director · DIGIT
What Saad KADHI has said (6)
- “Thank you, Madam Chair. So I would like to tell you something about the threat landscape and why the regulation is a very timely proposal. So I'll give you a few data points that could be useful to understand what we are dealing with here. So first I would like to tell you about the threat alerts. So the threat alerts that certain issues are actionable products, actionable deliverables that are used by all UN entities to detect and prevent threats from happening. And some of these, I would say, threat alerts concerning significant incidents that take place in union entities are, of course, shared with our counterparts in the Member States within the framework of the sister network. So in the last few years before the entry into force of the regulation, we have been issuing almost 3 to 4 threat alerts per week. This is a huge pressure, meaning that every time certain issues. One threat alert, it means that the union entities have to spring into action to look in their systems with our help in their networks, etc., to try to detect threats that either are directly of concern to them or happened in their vicinity, meaning in the public administration, with the private sector, supply chain, etc. The second I would say data point I would like to provide you is on significant incidents.”
Scope of EU cybersecurity obligations · Digitalization of public governance & administration · Cybersecurity investments for critical infrastructure
- “Um, on the, um, uh, the ideas regarding kind of like how we tackle cybersecurity. Indeed. Madam chair, I will not say anything new. We have to look at it from a holistic in a holistic manner. We have to consider. Well, I have 26 years of experience in cybersecurity. And the mantra that I have heard when I joined as a very junior, I would say cybersecurity expert, uh, kind of like the the private sector at the time is still there, basic cyber hygiene. We are still struggling with basic cyber hygiene. We also have a huge problem with products that do not have the minimum security standards. And I really would buy vulnerabilities including cybersecurity products. So I mean, like it's almost like we need cybersecurity products to protect cybersecurity products. I mean, this cannot go. So that's why I am really kind of hopeful that initiatives such as the Cyber Resilience Act and other initiatives will help us tackle cybersecurity from a holistic point of view. Of course, as you said as well, it is very important for us to also educate the population and make them prepared. And the significant incidents I have mentioned have not used to the best of our knowledge at all. So in AI is there, it's not coming, it's already there.”
Scope of EU cybersecurity obligations
- “Thank you. Thank you, Madam Chair. Thank you for the questions. So, um, I'll start with the kind of like Easter to a competitive employer. We are a very competitive employer. So basically, give us posts we'll hire very, very quickly. Why? Because we are very strong. Kind of like brand name. We are a highly respected team not only in the EU but also outside of the EU. We are a very mature kind of team that have been hailed as such by our counterparts, including from major, kind of like, uh, teams out there. So while indeed talent, cybersecurity talent is very scarce, people, cybersecurity expert, talented cybersecurity experts love to come to talk to you. Not only because of our reputation, but because we deal with very significant incidents and they get kind of like first hand experience on, I would say, um, espionage, uh, type of attacks, uh, conducted by very sophisticated nation state threat actors. So, uh, while kind of like the salaries of adipose, etc., are not that competitive in comparison to the private sector. Still, people come to us because it's not about only about the salary. I think they also they have Europe in their hearts and moreover they deal with, I would say, very interesting job, very motivating job for them.”
Recruitment policies in the EU
- “So the implementation of the regulation, as highlighted by Mr. Manelli, the chair of the International Cybersecurity Board, my board has been a very challenging task for certain because when the regulation entered into force, we lacked the needed resources, particularly on post posts and add posts to implement the regulation. So we had to put on hold several of our services to implement the regulation, meaning to draft the guidelines that to propose them to the Iasb in order for them to get them implemented and get them adopted and help the new entities implement them. So it was a very challenging deal. However, we succeeded in doing so. Okay. Sorry I didn't. Yeah. And so aside from that, um, so this year we'll also be very challenging because most of the deadlines, uh, implementation deadlines for the union entities have to take place this year. And Sergio plays a prominent role. So in conclusion, I would just like to invite you to consider our pledge of for resources, not only for you to be doing its work. We are really, really struggling, even with the pressure of the high sustained significant incidents that are already described. In addition, for the unit entities and mostly the small medium sized ones that have to implement the regulation without additional resources. Thank you.”
Transparency requirements of EU institutions · Digitalization of public governance & administration
- “So at SR2 we distinguish between two types of incidents. Normal incidents. So basically having some malware on a laptop or something like that. This is our run of the mill kind of business. So pretty standard normal incident. Significant incident on the other hand takes weeks if not months of work, not only from sir to you, but also from the affected victims and more often than not, from the law enforcement colleagues that we liaise with through Europol European Cybercrime Centre. So significant incidents take a huge toll on the resources and the resources of the affected victims. So in the last few years, we have been dealing with a high sustained number of significant incidents. Just as a secondary example, before the entry into force of the regulation, we had 17 significant incidents touching several union entities and in 2024. So sorry, we had 18 in 2023. In 2024. Last year we had already 15 and one of them took 3 to 4 months to deal with alone. The. So this is very, very, very high. And another data point I would like to provide to you is the motives. Like why are the threat actors dealing with So at short you we deal mostly with advanced persistent threat actors, nation state threat actors that go after the UN entities, given the files they handle, the sensitive data they have, etcetera, etcetera.”
EU law enforcement cooperation in criminal matters · Privacy & law enforcement
- “So we mostly deal with cyber espionage also to a certain extent with information operations or influence operations and some other types of motives. But one worrying trend that we have observed in recent years is what we call pre-positioning. So pre-positioning is when a threat actor, an advanced, sophisticated threat actor, breaches the network of a union entity and stays below the radar silent, doing nothing undetected for weeks, if not months before they spring into action. And we experienced that firsthand, seeing a threat actor in the walls as kind of like confirmed also by some of our colleagues in the member states for their own public administrations and stakeholders, seen in the networks for a few weeks, if not months, and then spring into action exfiltrating very sensitive files, etc. and of course can be used for cyber espionage. We have seen this happening, but also could be used at any moment for disruption and disruption. So we have seen disruption and disruption in the vicinity of union entities, but not yet in the union entities themselves, but the nation state actors that have committed this kind of like illegal actions might at one point decide to disrupt or disrupt a union entity. If so, they wish in through prepositioning.”
Foreign interference in Europe