Side room. 11am. Co‑operation.
DESIREE MILOSHEVIC: Good morning everyone and welcome to the Co‑Operation Working Group session this morning, a very warm welcome to you here in the room as well as those joining us online.
This morning we will hear ‑‑ we'll have a lot of presentations about some critical topics like internet resilience, some issues about cybersecurity, vulnerabilities, but also we are going to be having a discussion about recent EU regulatory changes or updates from a speaker from the last session and over the next 90 minutes, we should have plenty of time for questions and answers. We are joined here today with my co‑chairs, Achilleas Kemos and joining from Brussels with the European Commission, Julf Helsingius and I am Desiree Miloshevic, we'd like to keep five minutes for admin stuff, you have seen the agenda online and the presentations to see if there are any updates to the agenda.
JULF HELSINGIUS: So I am taking over the admin side right now and just we have to deal with the formalities, the notes of the previous meeting were published on the mailing list, we haven't seen any comments or amendments, we hear by approve them, that's all the administrative things we have to take care of. I would like to inform you this will probably be my last meeting as chair, co‑chair for this working group because Achilleas and I have been co‑chairs of this working group for almost ten years. That's not healthy. So I have volunteered to be the first one to step down. So we will actually issue a call for candidates and do a selection process on the mailing list after this meeting.
Just want to give you a heads up on that. Right, we'll move on to the actual programme? . Yes, our first speaker is from Ukraine and Ukraine has really become the laboratory for internet resilience, so I am happy to have Eliza Rohotska to talk about some of the regulatory problems caused by all of this. Thank you.
ELIZA ROHOTSKA: Hello everyone, thank you for joining this session today. Today I am going to talk about survival tools for internet resilience or where does the policy step in, and the example of Ukraine.
Policy is one of the tools that can change everything. Let's compare it to the hammer. If you use your hammer right, you will drive your nails in and fix your problem, everything is great. If you use your hammer wrong, you might accidentally smash your finger and hand hurts, right? In fact, policy is the exact same hammer. It can enable things when used in the right way and it can create additional problems when used in a wrong way so today I am going to give you a glimpse of my perspective into how we should treat policy.
But just before that, a short disclaimer, I am a lawyer, not a technical expert but still my professional capacity does not limit me from knowing what's going on in Ukraine.
I live in Kyiv, the capital of the country, which is constantly shelled by rockets and drones, almost daily. And I am the end user who gets affected in some way more or less. Still, for the last two years, I have been researching the concept of resilience and the influence of the full scale invasion of Ukraine on internet service providers, so I have some of the perspectives I am going to share with you today.
So what do we have on the agenda today. First of all, we are going to talk about telecom market in Ukraine, discussion its nature and we are going to look into how the Ukranian law treats internet resilience, what was the timeline of changes and how we are moving forward to the EU implementation and the second part of the presentation would be about the issues that internet service providers are facing these days in Ukraine. So we'll critically evaluate them, assess them and finally try to draw up some conclusions for ourselves.
Here's the first slide. Let's talk about the market in Ukraine. So as any market, Ukranian telecom market has two main players. Those are the individual entrepreneurs and level entities. I would like to draw your attention to the right side of the chart, you can see that as of Q2, 2024, right, there were about 4,148 internet service providers in Ukraine. This number is kind of huge, we see there are lots of internet service providers in the Ukraine and maybe not every EU country can show the same statistics. But at the same time it's not the most important number.
The most important thing is the percentage distribution. We can see that 37% are legal entities and the rest, 63% are left to individual entrepreneurs, we see the market is quite diversified. If you look a little bit below, you can see the total number of market participants in rural areas which is kind of shocking as well because we have 60% of the individual entrepreneurs working there, people like to help their communities.
When the full scale invasion started in 2022, Ukranian internet endured not because of the pre‑prepared state regulations but thanks to its unique diversified nature and decentralised nature, if you look into the left side of the chart right at the bottom, you would see that in 2022, the number of internet service providers especially the individual entrepreneurs skyrocketed; you might ask why is that? The invasion started, why do not people run away? In fact, people want to help their communities, to stay connected, to have that internet connection, to do everything we can to be part of that internet world.
But the most important thing you should realise and remember from this exact slide is the fact that decentralisation is a survival tool. There are many people in the market, many players who are mostly individual entrepreneurs, who keep Ukraine connected in some way and it's also the exact people who saved the internet when the darkest hour came.
Now moving on to the legislation. Ukraine is a country that has stress‑tested the concept of resilience. In 2022, when the full‑scale invasion started, there was a quick response, the presidential decree that urged the sector to adapt. But over the years, we understood it was not enough. It was just a general requirement. So there was an order 424 issued in 2025 that stated that providers of electronic communication networks and services shall immediately ensure the provision of electronic communication services in full compliance for at least three days.
We see that the legislation has evolved into a strict and uncompromising engineering mandate with precise numbers. Let me explain. 72 hours of full support of the system is a mandatory requirement. So 100% of the core network has to be available when there are, for example, blackouts. At the same time it's not just about the equipment that needs to be provided, it's also about the full cycle of life support. We see the problem with logistics, for example, because it's not just the equipment, we'll get to that, but still it's also about the people who would bring the equipment, who would bring fuel for example and who would keep the system running. But at the same time about the equipment, it's kind of expensive these days, let's be honest.
Ukranian market is known for having one of the lowest tariff on internet services in the world. In this way, we have lots of providers who do not gain like enough profit for that but at the same time they need to provide the network with some alternative sources of power.
So this creates a situation where there is a financial burden in some way. And the state does not really help because from 2020, Ukraine has restored the VAT and duties on energy equipment. So in this way the financial burden is quite heavy.
Let's see the bigger picture. So the timeline of changes. I have just explained the light green one, the order 424 which was a specific one but let's move a little bit backwards and discuss what was going on earlier. So just before the full scale invasion still in 2017, we had the cybersecurity law and then in 2022, it was supplemented by the law on electronic communications. So all of that was kind of peaceful and high‑level framework but when February 22 came, all our resources went into physical survival so supplies cables under fire, they were buying batteries and this lateers was backed up by the presidential decree 802 and in this sense it was the state's response was manual and in some way crisis response mode, which was activated through different bodies in Ukraine. So we see that in 2025, we got the specific rules, not just a general requirements to adapt but specific operational rules like 100% of core network has to be available. And specific timeframe, 72 hours.
What we are noticing here is the contrast because in 202, the provider who had barely survived or till re strikes and blackouts now is suddenly required by law to build a full cyber compliance system. In fact, we are asking engineers to welcome overnight experts in bureaucracy. And here I turned to the NIS2 directive where in October 2025 Ukranian government has passed a law to update the previous cybersecurity law where we implement the requirements of NIS2. In fact, providers would need to choose between splicing the cables with drones flying over their heads and at the same time writing reports and notifying the authorities. That's a question of priorities actually.
Second part of my presentation is about the issues that ISPs are facing these days. So in September October 2024, the state tax service of Ukraine began to abolish the simplified taxation system for small business providers of fixed internet access.
And that was like a target for the ‑‑ specifically those providers of internet, the small ones, which cannot be explained in any way. There is a tax pressure and actually there is two ‑‑ no. Two days ago one of the bodies in Ukraine, an independent one, has issued a report stating that our national regulator wants to impose even more taxes, like 1.5% of the turnover of the provider, this would be the tax for operators and, well, providers.
We'll see where we'll go with that, but as to abolishing the simplified taxation system, we have an information that right after that happened, 500 of internet service providers have ceased operations right after this abolishment. So you can remember the numbers, you can do the maths. There were 4,148 and 500 ceased operations right after changing the law.
We can see where it leads us actually.
Second part of that is mobilisation issue. We have human factors in that. So it's obvious that one, there's war in the country, the country needs to mobilise people to have someone to fight, and this is reasonable. But what is unreasonable is the fact that not all of these people need to do that; for example, the telecom providers. As it happens, most people in telecom in Ukraine are men, you can see that from this auditorium but still those men have the obligation to protect their country and as far as we remember, the market players are divided into two huge groups, so individual entrepreneurs and legal entities. We have more individual entrepreneurs, sorry, than the legal entities, but at the same time legal entities have the right to reserve 50% of their staff, not to go to war. And on the other side, we have individual entrepreneurs who do not have that right at all, for them, those 60%, 63% of market players, there's a problem because there might be nobody to fix the cables, nobody to help restore connection and for them to have that right to reserve their workers, they need to change legal nature of what they are doing, they need to become legal entities, but it's not the end of the road, they need to file reports of course, they need to do appropriate audits but at the same time they need to become recognised as the critical infrastructure object.
And that is the problem. Because it takes up to six months approximately and at the same time one of the requirements to become that, become recognised as a critical infrastructure object is to provide a sufficient level of salary, so you see the finance again, we have low tariffs, we need to buy expensive equipment and at the same time we need to provide salaries to people. So in some way Ukranian internet service providers are stuck between all of those problems. So we see the brain drain of the exact engineers who were ‑‑ who needed to perform emergency cable splicing under fire.
So we come to the most important question, can we strike a balance, what is more important for us, critical infrastructure or human resources?
Most of us would say, of course, both, both are important, but how can we balance? The thing is the first disappearance of small providers due to tax changes and mobilisation, does not change the market. In fact it directly reduces the physical resilience of the entire network. And when when you eliminate small players, you central ice infrastructure and you turn highly resilient network back into fragile and vulnerable target.
I would like to share a quote from one of the interviews. This is the quote from the interviews conducted by the very first Nokiam meeting in 2024 where a question was posed, if there's no help from the government donors or volunteers, how long will it that I can the internet service provider for his work to stop. And internet service provider from Kherson region, which is now partially occupied and which has been partially occupied during asking that question has answered: "We'll keep going and enduring. We have invested a lot in our work so it will be really painful to lose it. Others will help us."
You can see the mentality, right, this is a small internet service provider from partially occupied region and all of them want to help their communities, they do not want to leave the territory but at the same time they rely on others and others does not just mean other players in the market who can for example borrow the equipment, others means everybody in this room actually, every one of us because for example the policy makers can make a change in that sense, because we can make a difference in how the work of the internet service provider is conducted each day, we can influence for example the taxes, the new regulations, the implementation of for example European legislation so in this sense, others are the drivers of the telecom economy.
I would like to finalise with a conclusion. So my message here is that the European experience should be adapted to Ukranian realities. We cannot demand cyber resilience from players we are kind of depriving of financial resilience. We should protect the centralisation, in case of Ukraine, it's only decentralisation that can hold the market together and hold the communities together, because those were the exact people, the internet service providers in front line territories, the small providers who helped stay people connected. And in terms of legislation, we cannot just copy and paste the directives, but we must adopt it to our Ukranian realities. So the final conclusion is to support small and medium enterprise survival by tools available and you should understand that those tools can differ from country to country. Differen countries have different problems of course it's obvious but still the experience from Ukraine can be applied in each country, not just in war related stuff but also for natural disasters.
Here's a QR code you can scan to see the article, Ukraine as a laboratory of internet resilience. Me and... are authors of this article on RIPE Labs, where we were trying to show the theoretical approach to the concept of internet resilience from different dimensions but also we have analysed how internet service providers in Ukraine have saved the internet and which tools were available to them, as well as there is a critical analysis of the decentralisation.
So on this note I would like to thank everybody who has joined here today and as they say in a great initiative, let's keep Ukraine connected.
(APPLAUSE.)
JULF HELSINGIUS: Thank you. And based on experiences from the previous meetings we have tried to leave some time for actual questions and answers this time. So we actually have five minutes now for Q&A. So if you have any questions, there's a mic back there and Desiree has a roaming microphone as well.
So of course as soon as we reserve times for questions, there won't be any!
SPEAKER: First of all, thank you very much for this presentation and also for raising this topic. My name is Natalie, I represent a company called strategy en, an international company but we have a significant network in Ukraine and I just wanted to say compliment your presentation with the fact that Ukraine did show an incredible example of showing what is a resilient network and how you stand up up for what is right and keep Ukraine and other countries because there's so much traffic across Ukraine, connected, and that project that you mentioned Keep Ukraine Connected, I would like to remind everyone that it actually helped a lot of providers and it's still working actively. So if you have any equipment donated, please check the website and there are always requirements for additional donations and I am sure a lot of operators will be very thankful for helping them out. Thank you again.
ELIZA ROHOTSKA: Thank you for your support.
SPEAKER: Alistair Woodman representing a couple of OpenSource projects. I have been writing things to the European Commission for the last three years related to regulation and there's a sort of nuanced thing going on, right, on the one side companies are trying to avoid being regulated and I sort of understand that, simultaneously, it's become relatively obvious in the last six months that the AIs are getting so dangerous that the regulations somehow are not probably as good as they need to be. So part of the problem that I think you are pointing to is that the regulators are used to living in a five‑year, ten‑year timeframe for doing things and we now live in an exponential time where they don't have that time and we as humans don't have that time so a good critique of European legislation is, they keep writing carveouts for bureaucracy, the laws only apply to companies and not the bureaucracy but their maul content AIs don't care what they take down and what they lock up. So there's a whole bunch of things that need to get fixed but not regulating is not the answer to that either. So I think very healthy discussion about what to do would be a good idea. So.
ELIZA ROHOTSKA: Thank you very much, I can just reflect a little bit because I agree that not regulating is not the issue that we can resort to, but at the same time if we take into account the context countries are living in these days, maybe we might find the consensus in that place.
SPEAKER: Hi, Sander Stefan, Keep Ukraine Connected initiative, if there's anything we can do besides what we are already doing, please find me in the hallway, I am here all week.
ELIZA ROHOTSKA: Thank you very much.
JULF HELSINGIUS: Thank you. (APPLAUSE.)
DESIREE MILOSHEVIC: I hope our next speakers within the room. It's a great pleasure to continue with the new younger generation of Co‑Operation Working Group speakers, no pun intended. So your slides are already up. Yes, so it's a pressure to introduce Martin Price and Edward Austin from the University of Lancaster who will be speaking about attack service vulnerabilities. And I also recommend that people read Corey Doctorow's book, Attack Surface, for some fun. Thank you. The floor is yours.
EDWARD AUSTIN: I am Edward Austin and we are here to talk about some of our work with the UK government looking at shared prints of vulnerabilities and failures, how they overlap with different organisations and why the national level policy makers of it's important.
I am a mathematician by background, I am in recovery now, I am no longer in darkened rooms doing maths, i like to do computer science. And my colleague Martin.
MARTIN PRICE: Hello everybody, I should have chose a picture where I am smiling. Anyway, I am a second year PhD, my background is in cyber. And some of the work we are presenting today has been built upon some work I published last year and some work me and Ed did with the NCSE.
EDWARD AUSTIN: Brilliant. Just to sort of set the scene a little bit, in a lot of cases traditionally an organisational map, its own attack surface would identify and mitigate its own vulnerabilities. But actually government level analysts increasingly saw perhaps with the rise of machine speed threats from AI, are interested in the risks that affect the cyber scale, and so rather than knowing where one vulnerability sits in one place, they'd like to know where one or two vulnerabilities or indeed many sit in many places, perhaps in a sector or across critical national infrastructure or an area of significant economic interest.
One approach to achieve this that we have been looking at over the last 18 months is use external attack surface mapping tools, things like Shodan and Zoom Eye, we don't have to go around pinging other people's IP addresses which can be a problem. So perhaps the point of having a look to be able to do that but we do not. And so we are not suggesting at any point these tools give analysts a thorough understanding you get internally, we are not suggesting you replace your defence strategy with Shodan. But we are suggesting that this can allow you through some of the scaling tools that Martin developed, to look at a broader picture view, if you knew about ‑‑ and obviously if you're government regulator, you normally do ‑‑ about a hundred organisations in a particular critical national infrastructure sector, and you wanted to know was there a particular exposed risk that they share, this might be a lens to which you could gather at least some of that information.
And perhaps we don't suggest it's perfect information gathering, but what we are saying is that some picture is in a lot of cases better than no picture, just because you might not see every vulnerability doesn't mean you shouldn't look for at least one. One of the key questions is what are the most widespread vulnerabilities but also it's been developing tooling, there's a bit of, this is where perhaps some of the clustering can be adapted and tweaked so you can see cluster of vulnerabilities and the organisations that affect them. In some cases these clusters are obvious. Because they affect a shared service or a shared piece of software, you will have multiple CVEs. But in others there are ways of pro filing texts that used by cross organisation or suppliers that supply equipment that could be exploited and that permeates its way through across a broader picture i.e., your sector or your area of significant economic interest.
And so this is some novel tool we have developed that, it will be OpenSourced very soon, but I think it's interesting. Sort of identifying vulnerabilities at scale. What decision makers really want and this is not a criticism in anyway, is they wanted to visualise it and see the picture, these are trivial pictures. But when you often do attack surface mapping at this kind of scale, you get terabytes of nonsense log data you don't really need. And this is at the very least going to slow down analysts, and yeah, you can feed it into AI, what we are trying to do here is more explainable. So the aggregations and the visualisations this tool is giving is letting you see without feeding it into a box so shared risks, shared metrics or measurements that let you visualise and see where risks are at scale.
Whilst I have talked a lot about it from a critical national infrastructure point of view, that perhaps is the obvious way in which UK partners want to feed into protect its the nation, if you have got a vulnerability in your nuclear power plants, this be would a bad thing you want to fix.
One of other things that they are really interested in, this is an emerging sort of thread over the last 12 months in particular is that, this place that they think that regulators and governments and cyber bodies need to play in providing support for SMEs, over the last five years or ten years you might say the world has become very digital and now very small businesses are digitised in their infrastructure and operations, to the extent they are a valid cyber target and it would have a disruptive effect on them to do so. They perhaps lack that knowledge to even realise that there's a problem or they need to worry about it. You don't expect a lot of very small businesses to have a cyber strategy, but perhaps nowadays the suggestion is they need one.
And this is where the NCSC want to play a critical role and that's fair to say. They want to be identifying vulnerabilities that affect large swathes of organisations in certain areas of the UK.
And this is true also for local government authorities who want to see it across their region, not themed by organisations that are I suppose in a shared sector, but themed by a shared region and they want to identify key or common or widespread vulnerabilities or exploits that they can put out guidance and policy for to try and encourage remediation.
What I think is really interesting, it's a bit of a hammer, in the last speech, it was a fantastic way of phrasing it, what there's a gap at the minute between, it's trickier to do, is moving from reactive advice and guidance, say in dear SMEs, did you know there's a new CVE and you need to do this patch, to actually using it to shape harder regulation or legislation. It's something that UK government partners want to address, and I imagine partners around the world probably want to address. But the finding is legislation is going to be needed because there's often insufficient incentive for affected organisations to necessarily patch these vulnerabilities, it doesn't, it's too big a job for them to do it, they know the CVE is there, but individually I am not taking my system off‑line or selling products for a few days, I am not fixing it and they don't get that perspective that this tooling gives you that that that's a problem that affects that entire retail industry and that area.
And so perhaps what has been identified through this, though it is a slow process and a question I mentioned, that thought process about timeframes might need to change, what's been identified through this is providing that big picture view isn't always something that individual Orgs care about when they read the advice and so perhaps this is becoming a tool that shared legislation to try and enforce that good cyber hygiene across sectors because individual Orgs provide advice on their own didn't necessarily care.
One question that they come back with though in passing, is this actually do we fully understand the link between widespread vulnerabilities and that data science picture and so of how that affect shared dependencies or structure within different sectors, what's the evidence to suggest this is a real problem. And perhaps that's something Martin's research has been trying to answer, I will hand over to Martin now.
MARTIN PRICE: So so far we have been talking about an attack surface as an abstract concept, what we really wanted to do was show you what sort of data you can get from these tools and as Ed mentioned, seeing this at scale is of interest so what we have done is we have created an attack surface for the English government and I am not going to bore you with the technical details how we did it, we combined OpenSource information with the tools we get from Shodan to create small attack surfaces for each local government authority and central government departments and combine them together to create a comprehensive picture.
So this is as you can tell is a map of England. Specifically it's broken down into each local authority district, that is essentially the lowest mandatory form of government and they represent stuff like cities or urban areas or larger rural areas.
And this is telling us the IP addresses, each of those local authorities use, how many they use.
Now, perhaps, this map isn't too interesting from a regulatory point of view. But because we have IP addresses, we can also get the vulnerabilities so this is a map of all the local authorities that share the same vulnerability. And what you might notice is that there is hot spots, geographical regions all sharing the same vulnerability and this raises some questions around cyber resilience an cybersecurity because an attacker, if they wanted to target these specific authorities, they can reuse the same exploit, reducing their workload and making it easier for them.
Now the exact reason they are vulnerable is a bit unclear, one possible reason could be they share the same hosting provider, now following that thread, we get maps like this. This is highlighting all the authorities that share a specific hosting provider. And this really does raise some cyber resilience questions because now we have gone from having to attack five or six separate authorities to just focusing on the single dependency, the single hosting provider that supplies all of them. Note that these two hosting providers are not from the traditional cloud, they are not part of the big three Amazon, Microsoft or Google, if it was, these maps would be a lot more blue.
So this is just a basic bar chart telling us what cloud providers are used throughout our English data set, as we can see there's a heavy reliance on Amazon, especially for central government where 50% of the departments remanaged to map use AWS and specifically London.
Now there are some which diversify a bit more and use Azure or Oracle or any of them. But again the majority of it is Amazon and this raises a serious cyber resilience question: What happens if Amazon goes down?
Now, this isn't conjecture ‑‑ was it in October last year? Amazon suffered an outage and most of their ‑‑ or the majority of users couldn't use their Amazon services. Does that mean central government, half of central government were unable to do their jobs?
Alongside this English use case, we also have a more corporate use case, because we were told it would be interesting to see how we compare to the EU, especially post Brexit.
And so we generated two attack surfaces, one for a UK company, one for an EU company, both within the for Fortune 500, within the same sector, they are pretty comparable companies and what we get is this quite busy graph once you understand how to read it, it's quite telling. Each of these dots represent either an organisation and an entity within it, for example a subsidiary or it represents a cloud. So the red and blue dots are the organisations, so that's the UK and the EU in red. UK in blue. And the clouds are in yellow. And what we'll initially see if we just read from left to right is that the UK, like with the government, has a favouritism for Amazon, most of the entities within that organisation will use solely Amazon or a mix of Amazon and something else. It's rare to see solely Azure or solely Google. The EU on the other hand prefer a mix, you will see that mass in the middle, where they use multiple and you will see there's quite a few red dots there, there's a few red dots that will use just Amazon or just Azure.
But in the next few years, we can expect this graph to change quite drastically as the EU are about to introduce the EU Cloud Act. So if you haven't noticed, the majority of these clouds here are American and the EU Cloud Act is specifically trying to remove that American influence on Europe and use more home‑grown cloud providers. Whereas the UK doesn't have such an act in place.
So just to sort of recap, local areas all suffer from shared vulnerabilities, possibly because of the hosting providers, this reduces the effort required by an attacker to attack these authorities. There was a large reliance on Amazon both for the private companies and for the government. I have said here it can be used for an indirect attack but in reality I should be saying this raises concerns because if Amazon goes down. And there is cyber resilience questions, I merged these last two points, cyber resilience questions around our reliance on American cloud infrastructure, America harks the US cloud act, where they can access any data stored by an American cloud provider regardless of where that data physically is, so if central government is storing something, some crucial or confidential data on Amazon, the American government can also access that.
Even if it's stored in the UK.
Europe seems to be pushing back against this and this makes sense, they are quite privacy aware over there. Whereas post Brexit, we have started to sell the other way and we have become more like America. I am not in a position to say is that the right choice, but it's something to be aware of.
Thank you.
(APPLAUSE.)
JIM REID: Jim Reid, no affiliation, speaking solely for myself. This is interesting work, there's a lot more depth to this, you can be very, very busy for a long, long time. One thing that struck me when you are talking about that, you seemed to be talking about vulnerabilities in a sense in the abstract and I wonder if it would be better to try do a little bit of triage on that, say for example the online services provided by a local authority, some are more important than others. And I wonder is it maybe to better to focus on the first point of contact and leave the stuff further down the feed until later on? Nobody really cares if a local authority's library goes off‑line for a while; it's a different story for processing benefits or doing social care. And I wonder is it better to look at the analysis, it's going to be a hard job because you have already got far too much to do as it is, what platforms are using for them, that will be a very different exercise in itself but I think that exercise would be valuable if it could be carried out.
MARTIN PRICE: That's a very good point, what we are looking at, some of the work we are looking at is how can we prioritise vulnerabilities, from our point of view it's basically taking that technical view, but I mean you raise a very good point like a care service going down is much more important than the the website of a library. Thank you.
JIM REID: Cheers.
HISHAM IBRAHIM: Hisham Ibrahim, RIPE NCC, one of the early slides, you geolocated the IP addresses to different locations, I am curious how you did so.
MARTIN PRICE: So the this one? Yeah, so perhaps it's a bit of a trickery of presenting it; these aren't where the IPs are physically located, it is simply saying this local authority uses these IP addresses, but they could be physically located anywhere.
HISHAM IBRAHIM: Thank you.
SPEAKER: I wanted to end it, cloud and hosting providers is not only a factor for the government services; for example, a couple of weeks ago in Germany, we saw the German national tld.De go down because the german register published incorrect DNSSEC records and even if your clouds and hosting providers working perfectly, it doesn't help if your national TLD is unavailable, this is also a factor to consider. Thank you.
MARTIN PRICE: Thank you, that's a good point.
SPEAKER: Hello. You pointed out that the overreliance on one of those cloud providers is a vulnerability maybe, and I just want to say we are right if, in that case, Amazon would go down, a lot of government services disappear, but would it really be advantageous to have 30 different services and then another one every week and so one agency is off‑line, week and that's, I don't see really that you are making it better by just going to more service providers. So well, I don't totally agree with saying it's a vulnerability just because you only use one provider.
MARTIN PRICE: Yeah, I think it was important to be that way aware of it, but thankfully it's above my pay grade to decide the solution.
JULF HELSINGIUS: Do we have any online questions?
DESIREE MILOSHEVIC: No online questions.
JULF HELSINGIUS: Thank you. (APPLAUSE.)
Our next speaker is Mike Blanche and he will give us an update on digital and network acts which is something that will affect all of us, I'm afraid.
MIKE BLANCHE: Good morning everyone, nice to see everybody. You might remember if you were in Bucharest, I presented on what might be in the Digital Networks Act, the European Union's new update telecoms regulation. Well, they have published the draft and I can tell you what's actually in it and there's some things that you might want to do about it as well.
So, let's get started, just to introduce myself, I am a consultant, I used to work for Google for 14 years, I have also been on the board at the London Internet Exchange. I now work for a variety of different clients in the technology policy space for internet infrastructure. But anything I say here is definitely my own views, nothing of that of any of my clients. So you can blame me for everything here.
So very quickly, A rapid recap. What is the Digital Networks Act? It's the biggest rewrite of European telecoms regulation in a decade. It was the baby and the brainchild of theory Breton here who was the previous euro even Commissioner for all things digital. He used to be CEO of France telecom back in the day. A lot of things in the Digital Networks Act as we'll talk about seem to be the result of large telecoms operators that have lobbied the European Commission for a number of years for a sort of a new industrial policy to allow telcos in Europe to consolidate to become bigger and to have looser merger controls and build European telecoms operators into technology champions that can compete with US and Chinese
Technology firms, regulating up technology companies and regulating down telcos was a key feature lobbied for and a whole debate around variously called network fees, share share, etc, for IP interconnection which I know has been presented here before. So for more of the history, you can watch the video of my last talk at the last RIPE meeting.
But here's the Digital Networks Act, it was released in January, it's three hundred odd pages, 416 recitals, I have read it so you don't have to.
The next 12 slides will hopefully explain the bits that probably are the most important and concerning for the internet community.
And I have got 17 minutes to do it. So eyes down, let's go.
Key issues. There's a lot in there about scope. Who should be included. And as you will see, the Digital Networks Act proposes broadening telecoms regulation to cover extended connectivity ecosystem. More about ecosystems when it comes to co‑operation and what is called a voluntary conciliation mechanism which will be regulators producing guidelines and monitoring compliance of technical and business relationships between the broader ecosystem.
Level playing field and convergence terms are in there about bringing telecoms, cloud and contents service under a single regulatory confirmation work; it incorporates the open internet regulation which was hard fought for ten years ago. And it has new provisions for IP interconnection and new regulations there.
Those are the bits that we need to talk about. There's a bunch of other stuff in there that's more about telecoms infrastructure, to do with spectrum policy reform, switching off copper networks to get everybody to fiber to the home, single passport authorisation and also infrastructure security and resilience and things to do with submarine cables which I won't cover because that's less of an issue.
The first thing and next slides are going to have sections from the draft act in the boxes and we can talk about each one of those in turn.
The justification, why are they doing this? The connectivity sector is apparently undergoing significant technological changes, digital infrastructures are becoming cloud and AI based and the connectivity ecosystem is broadening to provide new innovative services, we need to take account of the evolution from electronic communication networks towards digital networks.
Unfortunately, none of the terms in bold are defined and they are all quite vague. So the boundaries between what is in the DNA and what is not is also very vague, and that's perhaps intentional.
What is the difference between an electronic communications network and a digital network? I don't know. Are there any analogue networks left? Maybe the PSTN bits of it, the old telephone like when you make a phone call, but even a lot of that has moved to digital, right, so it's confusing.
What's the objective? What are they trying to achieve? Well, this is one of the objectives stated. Reinforcing the competitiveness of the connectivity sector, cloud and AI solutions, innovative services, quality assured and reliable services and also this facilitating co‑operation belong players in the broader digital ecosystem. Which is like what does that mean?
There's a lot of unclear terms here as well. Competitiveness, are they talking about competitiveness within telecoms operators? Between telecoms operators? Competitiveness of telecoms operators, against other people in the broader digital ecosystem?
Cloud and AI based, is that ‑‑ do they mean using cloud and AI in telecoms networks like to help run them or do they mean the telecoms operators should become cloud and AI providers? This isn't clear.
Innovative services, that's not clear. That could be anything. And personally I would think that regulation doesn't always result in innovation, but there we go. Quality assured and reliable services has been a euphemism for potential dilution of open internet provisions is Fine Gael is quality assured and reliable, it may not be running over the best efforts internet and facilitating co‑operation doesn't necessarily support the objectives of some of the faster better networks discussed elsewhere in the act.
But it's there.
Anyway. The level playing field gets a mention, this is a lobbying term that big telcos have been talking about for more than a decade and how telecoms operators think it's unfair someone running a telecoms operator and building network is regulated to differently to someone running a website or an app or a cloud service. You can watch my previous presentation for how I talk more about that, it's not really level playing field, these people are playing different sports anyway. But the DNA seeks to level that false equivalent unfortunately.
So who is in this scope? General authorisation. Anyone, any network involved in the delivery of publicly available digital services.
Well, unfortunately digital services are not defined. But later we have networks used wholly or mainly for the purposes of providing electronic communications services or Information society services available to the public.
So information society services are defined, not in this but under the ecommerce directive, and I think the Digital Services Act now, information society services are any online or digital content application or service. So if your network is now wholly or mainly used for providing any digital or online content or service available to the public, you are now going to be in the scope of what's called general authorisation.
Now this is previously only applied to telecoms operators selling services to the public and it has a bunch of responsibilities around making sure you can interconnect with other providers, you can provide emergency calling if necessary, you can have provisions around consumer protection, contract requirements, transparency, complaints handling, number portability, paying regulators, there's administrative fees to pay for the regulator and other stuff as well.
So any network used to provide any digital service is apparently now going to be in scope of general authorisation so I went and had a look at the DE‑CIX membership list and I started at A and I looked at a whole bunch of networks not telecoms operators but under this definition would be in scope, Activision, insurance company alliance, and r Amadeus, the airline booking system, I think they have services available to the public, Acronis cloud back up, Arista, I guess they have got a website with firmwares and so on and Axerea, none of these are telecoms providers. I only got as far as "A" but why are all these going to be in scope potentially of general authorisation?
A private network currently that doesn't sell services to the public only has a very small number of obligations under the current telecoms regulations in Europe. Under the DNA, these obligations are going to increase significantly. It doesn't stop there. This concept of ecosystem co‑operation increases the scope further an there's a lot of text here that it's about regulators producing guidelines about how networks and other people in the electronic communications or closely related sectors, how they will cooperate on technical and commercial matters. Who are these other undertakings, that's somewhere else in the text but here we go, content providers, software and AI developers as well as network equipment and device manufactures so vendors, software developers, equipment manufactures, yes, there's telecoms regulators now writing guidelines about how you interact with telecoms operators on technical and commercial matters. And such that services are provided and products support the efficient economically sustainable and reliable delivery of services and how to develop innovative services and so on.
What is this all about? If I am reading this wrong, I really appreciate a discussion with someone explaining how it's all wrong, but it's written here.
And it's not just guidelines. It says that the regulators have to ensure that co‑operation is consistent with the guidelines. So does this mean telecoms regulators will be roaming the halls at the next RIPE meeting or maybe at Congress making sure that an equipment vendor in a telco are having the right sort of conversations? Really? I don't know, that's what it says.
If you have a dispute, there's now this new process proposed called voluntary concilliation, if you have between a telecoms operator and another one of these people in the ecosystem, there's a dispute, you can go to a telecoms regulator and provide a structured and neutral forum to facilitate dialogue in the technical and commercial arrangements of what you are doing with the telecoms operator. This seems like dispute creation, not dispute resolution. And there's, although it says it's voluntary, there's a bunch of people that it should be mandatory and binding, and how is it going to look if you don't turn up to this voluntary thing?
It's not going to look good, right?
Net neutrality, normally we would have presentations on that, but I am not sure this is the worse bit. So currently there's this separate open internet regulation that protects net neutrality in Europe. The DNA swallows and that incorporates it but not all of it, only some of it and in particular it misses almost all the recitals of the open internet regulation that provides valuable context as tp how it should be interpreted. And in addition, the European Commission is proposing it should be empowered to issue what it calls implementing acts which is like additional stuff about how to offer specialised services, network slicing and things that cause services other than internet access, so ‑‑ which is a risk of having fast lanes and differentiated services.
Let's talk about IP interconnection, finally, in particular and this seems to be a particular focus of the Digital Networks Act and the Commission at this time.
So it proposes that it's necessary to foster co‑operation among people involved in the end‑to‑end service delivery regarding efficient management of data traffic. What does this mean? Well, elsewhere it says, traffic is handed over to providers of public and electronic communications services in the form of peering or transit, apparently increasing ‑‑ in certain cases such traffic may give rise to a disproportionate or unsustainable investment need for the receiving provider.
So if you buy a transit service and your customers are using the internet too much and that's causing too much traffic on your transit, apparently, and that's breaking your business model, apparently now it's your transit providers problem. That's not really right. The internet is a request response mechanism. Users ask for stuff, content providers respond with what's being requested, if it causes an unsustainable investment burden for the ISP the users are on, the ISP's business model is not really the peer's problem. This proposal would make networks liable for the investment needs or economic business model of the third‑party networks they interconnect with. But there's more.
Ah, right, where do we even start here. Any time I see the F word ‑‑ and that's "fair" ‑‑ I sigh. Because what is fair? What is reasonable? What is proportionate use of the resources of the other party? What is efficient economically sustain the or reliable for that matter? These are all subjective terms, none of it is clear and this reference to setting up service level agreements for peering and transit, certainly when I used to work in doing IP interconnect, absolutely all the peering we did had absolutely no service level agreement at all, it was all my network, your network and we are not liable for each other, right, we just want to interconnect and make the internet better.
So the European Commission appears to consider interconnection a service provided by big telecoms operators, they don't seem to understand how it works.
And finally ‑‑ and this is perhaps the most pernicious term. As well as traffic exchange does not lead to disproportional or economically unsustainable investment needs, the benefit of rising from increased traffic should be shared in a manner conducive to continued investment, innovation and network resilience. You have to share the benefits of traffic. And again, it doesn't explain what this is or how it will work, but that's not how, you are responsible for your traffic and other networks are responsible for their traffic; you might interconnect in some way, shape or form, but there's not benefit sharing, there's not ‑‑ that's not how it works.
This seems to be the potential hook for what was called network fees, perhaps not regulated network fees but sort of coerced network fees, well, you have to share your benefits with me. And if you don't share the benefits, then, well, I am going to go to the regulator and we are going to have this voluntary conciliation service.
Anyway, for the last 12 slides, if they confused you, here it is in one table, the stuff in green is who is currently regulated by European telecoms regulation, public, electronic communication providers. All the stuff in red is new people, if you regulate, other industries, if you offer a public website or apps or services, you will now be in scope, general authorisation and this IP interconnection benefit sharing, cloud services, AI services, CDNs, software develop, hardware vendors ‑‑ my goodenss, this is a long list. Is this really the intention of the DNA? It appears it is. Sadly.
So what happens now and what can you do about it? And I have a minute to tell you this.
Well, some countries are not happy with this. Some regulators are also not particularly happy with this, BEREC ‑‑ wrote a whole paper called European telecom reality check pushing back on the narrative and they have provided an early assessment of the Digital Networks Act, where they say things like some provisions add complexity, don't add value and don't help reach the aim of regulatory simplicity and predictability. For regulators who normally don't say things very kind of calmly, this is quite quite strong words. Many industry stakeholders are concerned as well. But is Brussels listening?
So what can you do?
There is a consultation open to the European Commission, it closes in about a month's time. The EC link is there. I created a tiny URL, to make it easy to find. And there's a QR code as well. These are all the concerns. I won't read them through again because we have talked about them all already. The slides are online and you can have a look if you agree or send your own feedback if you don't agree.
What else can you do? Please get involved, respond to these consultations, engage with your trade associations who will be well placed to provide feedback to the European Commission, if you are a member of an internet service provider association, please encourage them to contribute and get involved in Brussels, I understand the Internet Society is working on an open letter to send the European Commission, Karl from ISOP would be happy to hear from you, please engage in your organisation has a policy team, if you are in the EU and I appreciate we are in the UK at the moment which is not, you can also provide feedback to your MEPs who will have a say in this to, to your national regulators who will be providing input and to BEREC and member states, please, please make your voice heard if this is really what is proposed my view is it needs to change. Thank you.
(APPLAUSE.)
SPEAKER: Speaking from a personal point of view, it sounds like a junior lawyer in Brussels so ChatGPT derive me a policy and include the kitchen sink. And I note Jim has left the room but just coming back to his point about library websites it sounds as they they would be included as well.
MIKE BLANCHE: Yes.
SPEAKER: Blake Willis, interconnection policy person, thank you very much for putting together this concise review, it's extremely helpful, presenting things to management that maybe have other things to worry about. Do you think the Commission intends for any other organisations besides BEREC to be the premier enforcement vehicle for this or is it primarily directed at BEREC will do this.
MIKE BLANCHE: BEREC are national regulators and there's provisions as part of the act, it will create something called the office for digital networks which is somewhat ‑‑ it's going to be linked to BEREC, it will produce the guidelines or national regulators that will kind of implement and monitor this and manage this, if every national regulator has slightly different views on different things, the potential for perhaps people forum shopping for a regulator who may be more favourable to one point of view or another if they have one of these disputes, we'll have a dispute resolution here because I think I might get a better deal than if we go and have it in country B, right?
SPEAKER: Thank you. Does the word digital single market appear in this document? Because like what you describe is the opposite of that.
MIKE BLANCHE: I think it does and there are other proposals that are about hamonisation and making things more consistent.
JULF HELSINGIUS: Wow, we have got a queue.
SPEAKER: Speaking for myself. A couple of years ago we had a round table... and it was very obvious what his goal is, he dreams of Europe having five incumbent carriers and that's it. They are doing all the business, they have hundreds and thousands of ISPs are doing and from my perspective, I think the community and the organisations around the internet are, did a big mistake not being involved in all of these discussions. I think RIPE and other organisations should spend much more money to be a lobbier or better internet. Thank you.
SPEAKER: That was particularly my point.
MIKE BLANCHE: I think just to follow up on those two, I think it's also true that and I think there's one of the civil society organisations has produced data about the am of meetings that Breton had with different stakeholders and he was certainly meeting big European incumbent telecom operators much more than he was meeting other people, whether that was because people weren't asking or because he had run out of meetings with his friends, I don't know.
SPEAKER:
JIM REID: Jim Reid, unaffiliated, interesting presentation, there's a lot of stuff to digest and think that ‑‑ thank you very much for giving a summary of what's coming out on this DNA, I think it's very valuable you have to done there, I have got an observation and a question, so the observation you mentioned in the presentation that potential for people forum shopping for regulators that are kind of be susceptible to their point of view for r a particular case of implementation. That reminds me we have been through this before with miss directors and data protection directors, we have seen that forum shopping happening before and no doubt we are going to see it happen again but my question is slightly off topic. How does this all play out in a UK context, does the UK get a Brexit bonus by having to ignore all this stuff?
MIKE BLANCHE: I think the UK has its own challenges with domestic legislation at certain times, so yeah. I think one of the key things here is that all this vast expansion of scope is there's no market failure that justifies that regulation, right. It doesn't appear to be a market failure between equiptment vendors and telecoms operators or IP interconnection for example so why all this is being brought into scope is really unclear.
SPEAKER: Thank you for this presentation, it's excellent one, also in Bucharest. So I can pose my comment as a question, but it's more a comment. So my name is... I was also more involved in some of the discussions with the European Commission, it was more about domain names, and for example on the intent to regulate, I remember there was discussion how to regulate route servers and there was no understanding in the top echelons of the European Commission where also what RIPE is doing and what the route servers are functioning, so they are very easy with idea to regulate. And I think this presentation is kind of a warning for this community and I think we need to be more proactive in talking to them on time.
Other problem is that once you try to talk as you probably do with the Commission, they say oh, we have our own experts and their experts are mostly coming from the telco sectors, so it's a challenge and understanding of how TCP brought the idea of freedom to connect and innovate the internet is something that is I don't think really functioning in Brussels so we need to do more, be proactive more, same as... thanks.
JULF HELSINGIUS: Thank you. (APPLAUSE.)
DESIREE MILOSHEVIC: Our final presentation in this session is with Hisham Ibrahim speaking about the RIPE NCC engagement across policy consultations and other work. Hisham, welcome and the floor is yours.
HISHAM IBRAHIM: Thank you for that. Hello, everyone. This is the last talk of the session and I will try to make up for the time so that everybody leaves on time for their lunch.
My name is Hisham Ibrahim. I am the chief community officer at the RIPE NCC and I will be giving overview of some of the work that the NCC has been doing in the public policy and internet governance sphere. We are coming off of two very busy years, one with GDC, the other with WSIS+20 and this year we have the planning pot ahead of us, and while usually you would see some of my colleagues coming to stage, Romijn or others giving more of a deep dive on some of the areas and topics we have been discussing, because there's been so many different topics we thought it might be good to have one presentation that just kind of covers everything that we have been busy doing.
I mentioned I am the Chief Community Officer of the RIPE NCC and this is one of the last times I will be able to show this slide, it covers the bits about the five‑year strategy that we had, that we are going to replace now with a new strategy after it gets approved. But this kind of forms the basis of what we call the external engagement and community part of the RIPE NCC.
Starting from the bottom right here, being a centre of excellence for data measurements and insights, within that team we have the team that does the research that takes the data, the measurements that our colleagues in technology have in RIS and RIPE Atlas and others and they start to build reports on that, we have a data sorry telling team that visualise and tells very nice graphical stories about how to interpret and see the data that we use for our different engagements. And if you go up, you see create and foster environments and dialogs throughout the service region to remain highly engaged community, reports of different meetings and NOGs and different interfere governance meetings and others to be able to generate dialogue and help explain how things are.
If you go from the bottom to the left then you can see increased community knowledge through learning and development, so within the team you also have the teams that do the training, they develop the curriculum based on understanding the needs and based on the data we are seeing and what we hear from the community, and they go out and deliver that.
And as you can see all three of these elements, they tie back to one of the key things here which is being resilient in the face of political, legislative and regulatory changes that impact or have the potential to affect our operations. Or internet governance for that matter.
We use all of these, we go to any governmental engagement that we do and we say we can offer training for techies r, we can do these meetings for your community and provide you with these reports, all adding towards that preserving the technical co‑ordination in the internet governance as we know it.
This area is roughly a quarter of the staff in the RIPE NCC and a quarter of its budget as well, so this is how big we consider this area.
Global internet governance, like I said, we have come out of two big years of a lot of political engagements in many parts of the world, not just our service region, I will be highlighting some of them. These slides focus mainly on from the last RIPE meeting till now, but some of these things took place at the end of the year had affects throughout the year. And one of them was WSIS+20, that's something that took up most of the year in the work that we are doing, the RIPE NCC produced fact sheet in several languages, English, Arabic Russian on WSIS+20 and the vision we wanted to see coming into that. We organised an open house for the community to feedback, also translated into multiple languages, I believe Des was moderating that session and we had different r participants from different parts of the service region, the Arabic speaking and Russian speaking and European parts to be able to add their perspectives on how they saw the discussions around WSIS and that formed the base for a lot of the fact sheets and information that we provided.
You can also see and I won't read the slides in details also being mindful of the time the number of responses that we put forward to the different processes, the elements paper, the zero draft and others.
Bringing it, there was the IGF meeting in Oslo and and the WSIS+20 hi level meeting in Geneva. There was the younger meeting in New York where the NCC we had Desiree heading the delegation from the community side and we had my two colleagues that were both part of country delegations, he will lean in a being part of the Dutch delegation and traffic being part of the Lebanese delegation to take part of the discussions around WSIS.
We welcome the output of the information multi‑stakeholder and of course aligning the WSIS action lines, I am sure a lot of you are familiar with this. Bringing it to ITU engagement, we have been doing a lot in that area. A lot of the work we have been doing, we fox boxed it three main boxes, resilience, peering, ASNs, and all the other bits, talking about how that is useful and good and we have heard really good presentations about resilience today, so I don't need to go into too much detail of that. Scaleability when it comes to IPv6 as well and what does that mean for the rest of the world. And also routing security and these have been the main elements that we talk about, there's the stability we measure but these are the bits we provide evidence based insights to some of the study groups and some of the discussions had a happen. When there are proposals from some member states about new idea and new IPs or IPv6 pluses or any of the other bits there, while documenting some of the success stories we have had with them at different engagements.
Capacity building, like I mentioned we have the training, we have the online RIPE NCC academy, we are hosting that on several different platforms, one of them being the ITU, e‑learning platforms and of course the technical co‑operation and RIR model. Some of the things that happened last year, the joint declaration on IPv6, this is where we pledge to do training and capacity work throughout our service region, we have been part of this programme for a few years now, engagement with the different study groups, GSR, my colleague was in Turkey for this, WTDC and WTPF and there's a lot of work going up to planning pot later this year.
As you can see there's a large amount of work that happens here and the team that looks into this, we are ‑‑ specifically is a team of seven, eight people, but we are spread a bit thin across all of these things but we do make a point of participating and engaging and responding to consultations when they are online.
One of the things I won't spend too much time on here, we will be discussing in the next services session e‑num is a topic I wrote an article on a week ago. We went to the ITU recently, the TSB talking about what the operational review that the RIPE NCC has done. If you want to hear more about it, it will be covered in the Services Working Group in more details.
EU engagement. Again I won't go into all the details but we have been actively engaging around stuff like the international digital strategy for the EU and the NIS2 implementation and the simplification proposals around the CSA2 revision. And as you can see from the slide ‑‑ I won't read all of the details ‑‑ but it talks about encouraging the multi‑stakeholder approach. In NIS2 specifically, we recommended providing more clarity and justification for the collection of IP ranges as part of the process to better understand what that is needed, obviously affecting us and our community, so having better understanding there and of course encouraging that none of the initiatives lead to any fragmentation, some of the talks covered already.
As part of continuing the work within the EU context, we don't just work with the Commission, we work with BEREC, reports that were mentioned and others, we meet with them regularly and have a lot of discussions with enniece is an and other players in the EU here. But also there's the internet standards deployment multi‑stakeholder forum that was recently launched by the Commission which we actively participate in at least three of the work streams related to DNS internet routing and protocols IPv6.
Engagement with governments and round tables. So since we met last year, we have held three government round tables, one towards the dedicated forum in the Middle East and north African countries, last year we did with this combination with AfriNIC, it was held in Egypt, Cairo, where again a lot of topics about engagements and how the NCC has done successful use cases in their countries sharing experiences was held there, we did the one in Brussels earlier this year, the topics of aligning the implementation of WSIS+20 and what does it mean moving forward, was covered as well as work on standards and the southeast European round table where we met with the regulators from that part of the world, that have their own unique set of challenges and opportunities with the mix that they have, some of them EU, some of them non‑EU base and some of them aspiring as such.
Caucuses in central Asia, for the sake of time, slides are available, but the focus there is mostly on peering and interconnection, that's a big thing if that part of the world, we have been running a successful peering and interconnection forum for the past four years, the environment there, the peering and interconnection landscape is changing rapidly, we get everybody in those meetings from the C level of the telcos to the government al incumbents to the techies to the people aspiring to build IXPs there and we have been delivering on some of the MOUs we have there. Routing security is a big topic and we customise part of our service region, the approach we take and what topics are relevant for them and not just hit them with every topic that we are working on.
What the Arab group focus being IXP and res yen see and IPv6 and routing security with a number of MoUs and partnership which brings me to the last slide here, the MoUs, so last year you would have seen Hans Peter put up a number of slides that hand him shaking hands and taking photo withes MoUs we signed with last year, we signed eight with different organisations from different stakeholders and different parts of the service region, some of them industry groups and also if you look at the countries we signed with regulators, there's a nice geographical balance, some have been asking are we going to continue to scale this and do it with every country, the answer is sadly no, he don't have the resources, as part of every MOU we put certain obligations on us and deliveries we would like to see and to give an example of that is one that we didn't sign last year, we signed a while back but to give an example of delivering on some of these is the MoU that we have with Europol. My colleague Dick Leaning, who may be not room here, I am sure a lot of you know him, works on engaging with law enforcement agencies to help also clarify and competent authorities to help clarify some misunderstandings or minimise potential misarbitration or other topics like that.
We have developed a few courses for them, we have done a few workshops but as of late, we have done in April we have done an online webinar with the co‑operation of Europe poll, where we had over 600 law enforcement agency officers that were attending these webinars from 37 countries. It was very well attended as you can see, it was highly appreciated and this is the kind of stuff that we keep on trying to do and keeps us busy.
I try to stick within time. So thank you very much. Happy to take questions if there are any.
SPEAKER: Maria from the r Swedish University network. I want to say thank you so much for the really good presentations an good work the Co‑Operation Working Group co‑chair as usual and I had a lot of good comments from the floor so I don't need to repeat them. I think it's really important that we need to engage, thank you very much Hisham and your team an RIPE NCC for doing this engagement, this is very important and we heard, a little bit scary results how maybe good intentions I with would like to say good intentions of the regulator to could end up being messy results, so capacity building, engagement and reach out as we do, we need to increase that and that was some of the comments from the floor that we heard last time. Thank you.
SPEAKER: Vicky from ISC. Thank you for taking on this job, it's a huge job. I wanted to mention one small contribution, the ICANNSsack organisation put together a working group to write a document in the regulators trying to explain both a little bit how the DNS works techically but mostly how OpenSource is important on the internet because regulators didn't really understand the OpenSource business model and I think there's also a slide deck that goes along with that which I think is quite understandable for regulators and I would just like to recommend that if it's useful to anybody talking to regulators.
SPEAKER: It was Martin Ericsson who led that effort.
JIM REID: Jim Reid, unaffiliated, I don't have a comment for you, this is for Julf, I am very sorry to see you are stepping down as co‑chair and you will be a hard act to follow.
(APPLAUSE.)
JULF HELSINGIUS: Thank you.
HISHAM IBRAHIM: Maybe as a closing remark, as I leave the stage, one thing I will say is the RIPE NCC proactively engages on matters that relate to, well, internet management, internet number resource management or internet governance, or matters that relate to the RIPE NCC; however, there's also the role that we play as secretariat to the community, so through the working group here, like has been done before with the small task force that produced a paper on share fair share, if there are similar efforts in the community we are happy to take that back throughout channels we are building through engagement. This is a call from the working group if there are topics you feel we haven't covered but you feel is relevant, please get in contact with us, organise yourselves and we will be more than happy to work on those.
Thank you very much.
(APPLAUSE.)
DESIREE MILOSHEVIC: Thank you all, please do not forget to rate the talks and thank you for your patience. And just a short announcement: In this room at 1:30, there will be an IPv6 Kahoot quiz, it's an opportunity to join an exclusive IPv66 t‑shirt. Thank you again. See you online.
Lunch break.