The duty to report

Next story
André Lameiras

With the advent of the NIS2 Directive, in addition to the duty of care, the duty to report, which already existed under the original NIS Directive, will be fleshed out.

Under the first NIS Directive, a duty to report incidents that significantly impact service continuity was introduced. According to the Directive, an incident is said to occur when there is “any event with an actual detrimental effect on the security of network and information systems”. Security refers to ‘the ability of network and information systems to withstand actions that affect the availability, integrity, confidentiality, and authenticity of network and information systems with a certain degree of reliability’. To assess whether an incident has significant impact, the guideline describes several parameters to be considered, including the number of users affected, the duration of the incident, and the size of the geographical area affected by the incident. If, for a supplier, an incident appears to have a significant impact on the continuity of the service provided, the incident must be reported without delay to the local  Computer Security Incident Response Team (CSIRT), or competetent authority as designated by the Member State. The report’s content must contain sufficient information to enable the competent authority or the CSIRT to determine the cross-border impact of the incident.

The notifications
The NIS2 Directive provides for a “two-stage approach” to incident reporting. The first notification aims to limit the potential spread of incidents and to allow entities to seek support. The second reporting should be thorough, ensuring that lessons can be learned from previous incidents. It is important to note, however, that further clarifications might be required to clearly assess the incident and its consequences. In addition, it also aims to gradually improve the resilience of individual companies and entire sectors to cyber threats. Apart from the obligation to file the first report, the first report focuses on dealing with incidents.

1. First notification — Without undue delay and, in any case, an initial notification should be made to the competent authority or the nationally relevant CISRT within 24 hours of becoming aware of the incident, indicating, if possible, whether an unlawful or malicious act caused the incident. This provision satisfies the strictly necessary information. Within 72 hours of submitting the first alert, the affected entity is also required to submit an update and initial assessment with more detail on the attack and measures put in place. If requested by the entity, it is possible to receive guidance on implementing potential mitigation measures and, if required, additional technical support. In the case of a criminal incident, the impacted entity also receives guidance on reporting the incident to law enforcement authorities.

2. Final notification — Finally, within one month of the submission of the initial notification or first report, a final report must be submitted, including (i) a detailed description of the incident, its severity and consequences, (ii) the type of threat or cause likely to have led to the incident, and (iii) applied and ongoing mitigation measures.

Significant cyber threats

The provision regarding reporting incidents with significant consequences has been adopted in the NIS2 Directive, adding that entities will also have to report any major cyber threat they identify that could lead to a significant incident. Regarding the term “cybersecurity,” it follows the definition laid down in the Regulation on ENISA (the European Union Agency for Cyber Security) and on Certification of Cyber Security of Information and Communication Technology — the Cybersecurity Act. This regulation defines cybersecurity as “the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats.” An incident is considered significant if the incident results or may result in significant operational disruption or financial losses for the entity concerned or if the incident has affected or may affect natural or legal persons by causing significant material or immaterial damage.

Voluntary notifications

Entities outside the scope of the NIS2 Directive may voluntarily report significant incidents, cyber threats, or near misses. The competent authority or CSIRT shall follow the procedure described under the “two-stage notification”. Voluntarily submitted reports may not be subject to any additional obligations. Thus, if an entity makes a voluntary notification, it should not be subject to more onerous obligations than if it had not submitted it.