I. Background

As part of ongoing advisory engagements, the World Bank (WB) has expanded its support to the Royal Government of Bhutan (RGoB) in accelerating inclusive digital transformation. One strategic area of engagement has been cybersecurity, where the government has expressed keen interest in the Bank’s assistance in building a solid foundation for mitigating the risks associated with Bhutan’s ambitious plans to advance digital transformation. The WB's primary support vehicle for the RGoB is the upcoming “Accelerating Transport and Trade Connectivity in Eastern South Asia” (ACCESS) lending project, which is under preparation and expects WB’s board approval in March 2025. The ACCESS project will focus on developing digital trade systems for Bhutan and include significant cybersecurity interventions. To inform and streamline the preparation for ACCESS and support the RGoB cybersecurity aspirations, the WB, under the Cybersecurity Multi-Donor Trust Fund (Cyber TF), is providing advisory support services to the Bhutan Computer Incident Response Team (BtCIRT).

The Bhutan Computer Incident Response Team (BtCIRT) was established in 2016 as part of the Department of Information Technology and Telecom (DITT) within the Ministry of Information and Communication (MoIC). Functions of DITT, including BtCIRT, transitioned to the new Government Technology Agency (GovTech) as part of a Civil Service Reform Bill that became effective in December 2022. In the new GovTech structure, BtCIRT is part of the Cybersecurity Division, though, in practice, there are no other functions under the Cybersecurity Division, and BtCIRT acts, de facto, as the “National Cybersecurity Agency” in Bhutan. Since the establishment of BtCIRT and the formation of GovTech, the RGoB has made reasonable efforts to strengthen cyber security and build solid foundations for mitigating the evolving risks.

The first phase of advisory support to BtCIRT started in early 2023 and was concluded in September 2024 with the following deliverables:

1. A revised and prioritized National Cybersecurity Strategy (NCS)[1] focusing on four strategic goals:
   a. Goal 1: Enhance national cybersecurity governance.
   b. Goal 2: Strengthen the cybersecurity legislation framework.
   c. Goal 3: Protect Critical Information Infrastructure (CII), and
   d. Goal 4: Enhance Incident Response (IR) capacities.
2. An action plan for the implementation of the NCS.
3. A Critical Information Infrastructure (CII) identification methodology.
4. A road map for implementing the CII Protection (CIIP) plan.
5. A proposed institutional governance structure for cybersecurity in GovTech, defining GovTech’s divisions' cybersecurity roles and responsibilities.
6. High-level cybersecurity legal framework gap analysis.

The NCS was approved (September 2024) by the GovTech High Commission and enters its implementation phase. The CII identification methodology is still under review. The CII identification process will commence once the methodology is approved. Given these achievements, the RGoB expressed strong interest in a follow-on phase of advisory support to strengthen its cyber security foundations further. This phase of the advisory support will help BtCIRT prepare to implement NCS’s high-priority areas and enhance its capacity to streamline cybersecurity activities in ACCESS.

In particular, the grant will advise BtCIRT on the institutional and technical preparations needed to implement NCS’s operational goals 3 and 4 (CIIP and IR enhancement) as part of ACCESS’s cybersecurity activities: establishment of a Government Security Operations Center (G-SOC) as the operational arm of BtCIRT, development of a Critical Information Infrastructure Protection (CIIP) plan, and a rollout of National Cybersecurity Risk Assessment (NCRA).

II. Introduction

The establishment of the GovTech Agency in 2022 triggered a restructuring of the IT architecture of the RGoB. The operation and maintenance of around 200 government systems that were initially under the responsibility of relevant Government Agencies (GA) were relocated under GovTech's responsibility. Accordingly, GA’s IT teams were dismantled and re-grouped under GovTech. Yet, a few selected systems stayed under GA’s responsibility. In addition, GovTech assumed the responsibility for operating and maintaining the RGoB networks, the Government Data Center (GDC) and other ICT and national telecommunication infrastructure