The EU has been urged by a leading risk managers association to make cyber incident reporting requirements more consistent ahead of new legislation coming into force.
The Federation of European Risk Management Associations (FERMA) said in a new report that the EU needs to provide a more streamlined and consistent set of requirements when it comes to reporting on cyber incidents, ensuring it is easy, safe and secure for organizations to provide such information.
Upcoming cybersecurity legislation in the EU – the Network and Information Security (NIS2) Directive, the Digital Operational Resilience Act (DORA) and the Cyber Resilience Act (CRA) – each contain rules around incident response timelines and practices.
This is alongside incident reporting obligations in existing legislation such as the General Data Protection Regulation (GDPR).
“Since penalties for non-compliance with the growing number of reporting requirements can be punitive, it is of the utmost importance that organizations operating in the European Union, and their risk management functions, gain clarity on which of these myriad reporting requirements are applicable to them, in which scenarios, and how they must respond,” FERMA wrote.
Additionally, Philippe Cotelle, Chair, Digital Committee, FERMA, stated that there are no technical specifications of what risk management measures organizations should take in relation to incident reporting, nor are there any that consider the insurance implications.
Range of Incident Reporting Requirements
The NIS2 legislation, which will be transposed into national laws on October 17, 2024, imposes tightened cyber incident reporting requirements on impacted organizations.
“Essential” and “important” entities impacted by a significant cyber incident must inform relevant authorities within 24 hours of detection, with a follow-up report within 72 hours and a detailed incident analysis within a month.
DORA, which will come into effect from January 2025, will require financial organizations to report “major” incidents to their European Supervisory Authority (ESA) via a notification template, with timelines to be determined by individual ESAs.
The CRA, which will come into force over a phased transition period starting in late 2025, will impose a phased incident reporting notification on manufacturers and developers of digital products.
The first phase is within 24 hours of becoming aware of exploited vulnerability/severe incident, the second is to provide more information on the vulnerability/incident and the is within 14 days for the vulnerability detection as a final report.
Under the GDPR, which came into force in 2018, all organizations must notify the relevant data protection authority in case of personal data breaches without undue delay, not later than 24 hours.
Reporting Requirements to Impose “Significant Costs” on Businesses
The FERMA report warned that compliance with these various rules will often result in organizations having to report incidents to different authorities within different timeframes.
“This will add an administrative burden on top of the management of the incident itself, resulting in significant costs for businesses,” the association said.
The report also noted that these pieces of legislation impose various sanctions for non-compliance, including fines, which may or may not be covered by insurance policies, depending on insurance coverage wording and the Member State in question.
Therefore, FERMA urged the European Commission to consider the insurance implications of any future EU cyber legislation when conducting Impact Assessments.
The report provides practical advice for risk mangers on complying with the different requirements.
Charlotte Hedemark, President of FERMA, said she hopes the report will “help European policymakers to streamline their approach to cyber incident reporting and lead to some simplification of reporting, enabling companies to devote a greater proportion of their resources and knowledge to assessing, managing and responding to this risk.”