Our second contribution to the Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media outlines the new incident reporting obligations under the NIS 2 Directive as foreseen in the original Commission Proposal for a NIS 2 Directive and further discussed during the trilogue negotiations.
The NIS Directive (NISD) and sector-specific cybersecurity regulations require security incident reporting to supervisory authorities. Following the risk-based approach adopted in the NISD, the European Commission’s Proposal for an NIS 2 Directive requires that incidents which have caused, or have the potential to cause, substantial or considerable harm, as well as cyberthreats, be reported to the competent national authorities in order to acquire a full picture of the threat landscape. The European Parliament strongly opposes any extension of reporting obligations beyond actual security incidents, whereas the European Council’s compromise approach supports at least the mandatory reporting of incidents with the potential to cause significant harm. This paper outlines and analyses the concepts used in the trilogue negotiations—‘significant incident’, ‘near miss’ and ‘cyberthreat’—from a legal perspective. Further, the distinct reporting processes and timelines proposed are addressed. In consideration of the increased attack surface and threat scenario, deficits of the NISD are identified before the mitigation measures in the Proposal for a NIS 2 Directive are assessed.
This paper is based on a presentation given by Sandra Schmitz-Berndt at Cyber Science 2022 on 20 June 2022 in Cardiff, Wales and published in the Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media.