The European Network and Information Security Agency (ENISA) has published a report on ‘Cyber Incident Reporting in the EU’, and has found that many incidents remain undetected or unreported. As a result, the lack of transparency and information on data security breaches makes it difficult for policy makers to understand the overall impact, and to use what could be valuable information to legislate for and prevent future incidents.
Despite the scarcity of regulatory reports, cyber incidents are extensively covered in the media, whether hacking incidents or ‘acts of God’, such as the communications havoc wrought by the destructive storm known as ‘Dagmar’ in Scandinavia at the end of last year.
In order to address these deficiencies, the report examines existing and planned legislation to cover the requirement for mandatory incident disclosure in the EU. It identifies areas for improvement and looks forward to the coming EU Cyber Security Strategy, which it expects will emphasize incident reporting, and the importance of the exchange of information across the EU concerning cyber incidents and how to address them.
Key to improved European cyber security, suggests ENISA, will be the implementation and increased enforcement of Article 13a of the Telecommunications Regulatory Directive. Amongst other requirements, Article 13a specifies that Member States must ensure that providers take appropriate technical and organisational measures to manage the risks posed to the security of their networks and services, and that providers notify the national regulatory authorities of any significant breach of security or loss of integrity and provide reports annually. Furthermore, an ENISA working group for national regulators has developed a single set of security measures and a formal incident reporting format in order to enable a more uniform implementation of Article 13a.
The European Commission is currently developing a European Cyber Security Strategy to bring greater transparency, with the ultimate aim of limiting cyber security breaches. Additionally, the proposed EU Data Protection Regulation will require data controllers to notify the supervisory authority of any breach involving personal data within 24 hours of its discovery, and to notify the data subject without undue delay (subject to exceptions). The report provides a useful overview of existing and planned legislation and of the progress being made to address cyber incidents in Europe.