A central element of EU cybersecurity legislation is the reporting of security breaches. Mandatory reporting to national authorities promotes a culture of risk management, while also providing for the sharing of information about vulnerabilities. In this vein, the GDPR introduced reporting obligations for data controllers based on the assumption that security challenges and relevant mitigation measures can be better identified if data breaches are communicated to public authorities. Similarly, the first horizontal cybersecurity instrument, the NIS Directive (NISD), introduced reporting obligations for operators of essential services and digital service providers under its scope. Little focus has been placed on the interplay of the GDPR and the NISD, in particular as regards a duplication of reporting obligations. As both legal instruments apply without prejudice to each other, in practice the same incident may be reported to two separate regulators under different reporting schemes and, notably, with different objectives (GDPR: protection of personal data; NISD: protection of underlying infrastructure). However, such double reporting is not restricted to the NISD and GDPR, as a variety of EU legislation encompasses similar reporting schemes. Recently, attention has been drawn to the exploitation of potential synergies by the NIS Cooperation Group, one of the cooperation mechanisms introduced by the NISD. In its CG Publication 04/20 on synergies in incident reporting, the NIS Cooperation Group outlined the reporting formats and procedures under different EU instruments and explored opportunities for incident reporting synergies. This report outlines, by way of example, the reporting schemes under the NISD and GDPR before presenting the key findings of CG Publication 04/20. The findings are then put into the context of the recent review of the NISD and the proposal for a revised NISD (NIS 2.0 proposal).
The report was drafted by Sandra Schmitz and Fabian Anheier and was published in the European Data Protection Law Review 01/2021: https://doi.org/10.21552/edpl/2021/1/13