ENISA publishes annual report on trust services security incidents 2017


ENISA publishes the first full-year annual report on security incidents with electronic trust services, covering 2017.

The Annual Report Trust Services Security Incidents 2017 is available here.

Main findings:

  • Almost half of the security incidents had impact across borders
  • Half of the security incidents reported were severe (level 4 or 5 on a scale of 1 to 5)
  • E-signatures and e-seals were the most affected services
  • Most common root causes are system failures and third party failures (both at 36%)

The EU regulation eIDAS, which governs trust services such as digital signatures, ensures there is a single EU market of secure and interoperable electronic trust services. eIDAS was adopted in 2015 and came into force in 2016. Under eIDAS, trust service providers (TSPs) have to notify significant security breaches to the national supervisory bodies in their country.

2017 was the first full year of security incident reporting. This ENISA report provides an aggregated EU-wide overview of the reported security incidents. The main root causes of these incidents were system failures (36%) and third party failures (another 36%). Only 7% of the breaches were caused by malicious actions.

Steve Purser, ENISA’s Head of Core Operations Department, noted: “This report clearly shows the significance of security incidents having a cross-border dimension and underlines the fact that cross-border collaboration is absolutely key when it comes to supervising trust services across the EU.”

Background information

Since 2015, ENISA has been supporting the EU countries on breach reporting, mainly by developing guidelines and tools for authorities and by setting up the incident-reporting framework for the implementation of Article 19 of eIDAS.

In 2015, ENISA formed the ‘Article 19’ expert group, under the auspices of the European Commission. This group is the platform for voluntary and informal collaboration between experts of EU supervisory bodies; it aims to discuss and agree on the technical details of implementing Article 19 of eIDAS.

According to Article 19 of eIDAS, electronic trust service providers in the EU have to notify the national supervisory bodies in their country about security incidents. Each year, the supervisory bodies send summaries of these incident reports to ENISA, and ENISA then publishes an aggregated overview of the incidents. As mentioned, 2017 marked the first whole year of reporting.

Over the years, ENISA has developed numerous guidelines and good practices to support the public and private sector with security issues related to electronic IDs and electronic trust services. The relevant documents can be found at https://www.enisa.europa.eu/topics/trust-services.