Incident reporting supports the understanding and analysis of the EU cybersecurity ecosystem.
Incident Reporting
A cornerstone of European Union cybersecurity legislation is the mandatory reporting of cybersecurity incidents. In the EU there are several different laws on incident reporting. In 2018, the EU Directive on Security of Network and Information Systems (called the NIS Directive) came into force, introducing notification rules for cybersecurity incidents for operators of essential services in a wide range of critical sectors, such as energy, transport, finance and health.
Before the NIS Directive, rules on incident reporting were already in place for telecom providers (under the Telecom Framework directive) and trust service providers (under the eIDAS regulation). There are also rules on incident reporting for payment service providers (under the Payment Services directive), manufacturers of medical devices (under the Medical Devices regulation), and for data controllers under the General Data Protection Regulation (GDPR).
- Telecom security incident reporting. Since 2010 ENISA has been supporting the EU telecom security authorities with the implementation of EU-wide telecom incident reporting, originally under Article 13a of the Framework directive and currently under Article 40 of the EECC (European Electronic Communications Code). ENISA develops procedures, templates, tooling and analysis, and publishes an annual report; see Cybersecurity incident reporting in the Telecom Sector.
- Trust services security incident reporting. Since 2016 ENISA has been supporting supervisory bodies for EU trust services with the reporting of cybersecurity breaches under Article 19 of the eIDAS regulation. ENISA develops procedures, templates, tooling and analysis, and publishes an annual report; see Cybersecurity incident reporting in the Trust Services Sector.
- NIS Directive breach reporting. ENISA is providing guidance and support to the Commission and EU Member States on the implementation of the reporting of cybersecurity breaches under the NIS Directive.
- CIRAS Visual tool. ENISA publishes anonymised and aggregated data from the reporting of telecom security incidents and the reporting of trust services security incidents in a visual tool.