ENISA Report on Security and Incident Reporting

September 3, 2012

In a new paper the EU ‘cyber security’ agency ENISA has taken a snapshot of existing and future EU legislation on security measures and incident reporting. The ENISA analysis underlines important steps forward, but also identifies gaps in national implementation, as it suggests that most incidents are not reported.

The new report ‘Cyber Incident Reporting in the EU’ provides an overview of existing and planned legislation covering the mandatory incident reporting clauses in Article 13a of the Telecom package and Article 4 of the e-privacy Directive, the proposed e-ID regulation’s Article 15, and Articles 30, 31, 32 of the Data Protection Reform Regulation proposal. The study shows common factors and differences between the articles and the significance for future EU cyber security strategy. The paper also identifies areas for improvement. For example, only one of a series of serious incidents identified in the report, affecting millions of EU citizens was within the scope of the national regulators’ mandate, indicating that there are gaps in the regulation. The report’s authors feel that EU-wide sharing of incident reports sharing should be improved.

Cyber security incidents causing concern included these five well-known examples:

Dr Marnix Dekker and Chris Karsberg, the report’s co-authors, argue: ‘Cyber incidents are most commonly kept secret when discovered, leaving customers and policymakers in the dark about frequency, impact and root causes.’ 

In seeking improvements, an ENISA working group for national regulators has developed both a common set of security measures and an incident reporting format. This will enable a more uniform implementation of Article 13a. ENISA has recently received reports on 51 large incidents from the regulators, describing impact, root causes, actions taken and lessons learnt. This material is used as input for the European cyber security strategy and the European cyber security exercise.

The Executive Director of ENISA, Professor Udo Helmbrecht, commented: ‘Incident reporting is essential to obtain a true cyber security picture. The EU’s cyber security strategy is an important step and one of its goals is to extend the scope of reporting provisions like Article 13a beyond the telecommunications sector.”

Links: Full Report Background: European Cyber Security Strategy and Art 13a working group documents