“If you can’t measure it, you can’t manage it.” (Peter Drucker)
Because of their scale, cyberattacks have impacted businesses, critical infrastructures and societies. Although the number of reported incidents has grown in the past few years, it is impossible to know how many cyberattacks there really are. A significant proportion of cybercrime goes undetected and unreported: as Bryan Vorndran, assistant director of the FBI’s cyber division, suggested in February 2022, only 20-25% of cybersecurity incidents are reported. ENISA likewise states that it is impossible to capture the total number of incidents.
Globally, many governments are considering new laws and regulations on incident reporting obligations, as the timely reporting of cyberattacks forms a critical part of effective national cybersecurity. The quicker an incident is reported to authorities and the public, the quicker other potential victims can determine whether they have also been attacked, take steps to protect themselves and prepare for similar attacks. Companies, however, are often reluctant to publicly disclose their significant cybersecurity incidents because of the potential effect on stock prices and the damage to their reputation.
In Europe, ENISA is working closely with the European Commission and the EU Member States to implement EU-wide cybersecurity incident reporting processes. Currently, 7 different pieces of legislation cover incident reporting obligations.
There are many different definitions of what a cybersecurity incident is, and each incident reporting legislation uses its own. A widely used definition is the one in the NIS Directive: any event with an impact on the security of network or information systems. PSD2 distinguishes between malicious actions (called security incidents) and events or issues that are not triggered by a malicious action (called operational incidents). Some of the incident reporting processes have a broader scope than cybersecurity incidents alone and also cover other types of incidents. Different pieces of legislation also set different notification deadlines.
In the incident reporting process, incidents with a significant or substantial impact have to be notified by the provider or operator to the national authority. When the incident is relevant to, or potentially affects, other EU Member States, cross-border information sharing between the relevant national authorities across the EU follows the incident notification. In some cases, ENISA has the mandate to be involved in the cross-border reporting process, acting as a facilitator and hub for information sharing and collaboration between national authorities. Some EU incident reporting processes also include annual summary reports at EU level. ENISA collects and analyses annual summary reports for certain sectors (telecom providers, trust service providers and digital service providers) from all the EU Member States and publishes EU-wide annual reports with aggregated statistics and analysis. It also maintains CIRAS, the Cybersecurity Incident Reporting and Analysis System, whose visualization tool publishes anonymized and aggregated incident reporting data for these sectors.
Article 14 and Article 16 of the NIS Directive (European Directive on Network and Information Systems) contain the incident reporting provisions. Article 14 refers to Operators of Essential Services (OESs) in critical sectors like energy, transport, finance and health, and Article 16 contains the incident reporting provisions for Digital Service Providers (DSPs), like cloud providers.
There are two main differences between Article 14 and Article 16. First, Article 16 imposes EU-wide reporting thresholds, whereas under Article 14 the reporting thresholds are set at national level by the Member States. Second, DSPs with multiple offices in the EU are only obliged to notify incidents to the national authority of the country where they have their main establishment.
Both articles require notification without undue delay.
In December 2020 the European Commission submitted a proposal to replace the NIS Directive. The proposed NIS2 would broaden the scope of entities and sectors that fall under the legislation and would raise the level of cybersecurity in Europe. On 13 May 2022, the co-legislators, the European Parliament and the Council of the EU, reached a provisional agreement on the text, and the Directive is expected to be formally approved by the two legislative bodies in the coming months. Once published in the Official Journal, the Directive will enter into force 20 days after publication, and the Member States will have 21 months to incorporate it into their national laws. We shall present NIS2 in a subsequent post.
Telecom security incident reporting: European Electronic Communications Code (EECC), Article 40
Since 2021, this provision has replaced Article 13a of the Framework Directive (Common regulatory framework for electronic communications networks and services). The telecom sector was the first sector in the EU with cybersecurity incident reporting requirements, introduced in 2009.
Providers of networks or services must report, without undue delay, any security incident that has had a significant impact on the operation of networks or services.
Regulation on Electronic Identification and Trust Services (eIDAS), Article 19 and Article 10
According to Article 19 of the eIDAS Regulation, trust service providers must report without undue delay, but in any event within 24 hours after having become aware of it, any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein.
Article 10 mandates cross-border notification between the owners of national eID schemes in different EU countries about incidents with an impact abroad, i.e. incidents that affect the reliability of cross-border authentication.
Privacy and Electronic Communications Directive (ePrivacy), Article 4
Under this directive, cybersecurity incidents with an impact on personal data have to be reported without undue delay by providers of electronic communications.
General Data Protection Regulation (GDPR), Article 33
Article 33 of the GDPR, which came into force in 2018, requires so-called personal data controllers (all entities that determine how personal data is processed) to notify personal data breaches to the national data protection authorities when there is a risk to the privacy of one or more citizens. Notification must be made without undue delay, but in any event within 72 hours after having become aware of the breach.
Payment Services Directive 2 (PSD2), Article 96
Article 96 of the revised EU Payment Services Directive (PSD2) introduces breach reporting requirements for payment service providers. The directive sets 3 reporting deadlines: a) Initial Report, within 4 hours after detection; b) Intermediate Report, at most 3 business days after the previous report (subsequent updates to intermediate reports are possible); c) Final Report, within 2 weeks after closing the incident.
Medical Devices Regulation (MDR), Article 87
Article 87 of the EU Medical Devices Regulation introduces incident reporting requirements for manufacturers of devices available in the EU, with deadlines ranging from immediately to no later than 15 days.
Because incidents are reported in sectoral silos, the information is not shared with authorities in other sectors, which prevents the exchange of experience and lessons learned and rules out cross-sector analysis. A legal mandate to share information outside the sector could solve this issue.
Exploiting synergies could help companies fulfil their incident reporting obligations. For example, a telecom provider has reporting obligations both under the EECC (when there is an impact on the operation of the communication services) and under the ePrivacy Directive (when there is an impact on the processing of personal data). In many cases, the same cybersecurity incident will fall under both provisions. However, sharing incident-reporting channels could reduce the amount of information the notifying companies are willing to share, e.g. for fear of a fine from the data protection authority. At national level, this synergy already exists in some countries, but it is missing at EU level. At EU level, synergies are possible for cross-border information sharing and for annual summary reporting.
We will continue the overview of global incident reporting regulations with the US in the next post.