Our most recent publication is based on the presentation given at BILETA 2022 at the University of Exeter in April 2022. The paper reflects on the final text of the NIS 2 Directive as adopted on 14 December 2022. Following the risk-based approach of the original NIS Directive, the NIS 2 Directive lists as a basic security element the reporting of significant incidents that (i) have caused harm or (ii) are capable of causing harm, as well as (iii) the notification of service recipients about cyber threats. Although during the interinstitutional negotiations between the European Commission, the European Parliament, and the Council of the European Union there was consensus that the reporting framework of the NIS Directive needed reform, views on what exactly must be reported varied. Sandra’s paper outlines and analyses, from a legal and policy perspective, the different concepts of a report-worthy significant incident that were proposed during the legislative procedure for the NIS 2 Directive. Irrespective of other motives that may inhibit reporting, legal compliance is difficult to achieve where the legal requirements themselves are vague. In that regard, the paper addresses the difficulty of determining the reporting thresholds both under the NIS Directive and under the NIS 2 Directive. In view of the increased attack surface and the evolving threat scenario, it argues that incidents in which no harm has materialised should not be treated any differently from incidents that have actually resulted in harm, since only then can the envisaged full picture of the threat landscape be obtained and value be created for business and society.
Journal of Cybersecurity, Volume 9, Issue 1, 2023, tyad009, https://doi.org/10.1093/cybsec/tyad009