The NIS Directive and sector-specific cybersecurity regulations require the reporting of (security) incidents to supervisory authorities. Following the risk-based approach adopted in the NIS Directive, the NIS 2 Directive lists as a basic security element the reporting of significant incidents that (i) have caused or (ii) are capable of causing harm, as well as (iii) notifying the service recipients of cyber threats. Although during the interinstitutional negotiations between the European Commission, the European Parliament, and the Council of the European Union there was consensus that the NIS Directive's reporting framework needs to be reformed, views on what needs to be reported varied. This paper outlines and analyses, from a legal and policy perspective, the different concepts of a report-worthy significant incident that were proposed during the legislative procedure for the NIS 2 Directive. Irrespective of further motives that may inhibit reporting, legal compliance is difficult to achieve where legal requirements are vague. In that regard, the difficulties of determining the reporting thresholds in the past and in the future are addressed. In consideration of the increased attack surface and threat scenario, it is argued that incidents where no harm has materialized should not be treated any differently from incidents that have actually resulted in harm, in order to acquire the envisaged full picture of the threat landscape and create value for business and society.
Disciplines:
Law, criminology & political science: Multidisciplinary, general & other
Author, co-author:
SCHMITZ-BERNDT, Sandra ; University of Luxembourg > Faculty of Law, Economics and Finance (FDEF) > Department of Law (DL)
External co-authors:
no
Document language:
English
Title:
Defining the reporting threshold for a cybersecurity incident under the NIS Directive and the NIS 2 Directive
This work was supported by the Luxembourg National Research Fund (FNR) [grant number C18/IS/12639666/EnCaViBS/Cole], https://www.fnr.lu/projects/the-eu-nis-directive-enhancing-cybersecurityacross-vital-business-sectors-encavibs/ .