Commission Defines Significant Cybersecurity Incidents for NIS2 Reporting
The Commission committee is currently working to define “significant” cybersecurity incidents under the EU-wide NIS2 directive, which mandates quick reporting to authorities. The last feedback from member states on the implementing act, which outlines rules for implementing NIS2 at the national level, was expected on 2 October. The transposition deadline is 17 October, and only Belgium, Croatia, Hungary, Lithuania, and Latvia have met the requirements so far. Other member states are still in the drafting stages, with some unlikely to meet the deadline.
The Commission does not intend to grant extensions for the transposition of NIS2, despite delays. In the absence of national laws, implementing acts provide crucial guidance on compliance. This specific act sets thresholds for what constitutes a “significant” incident, requiring early warning within 24 hours and a detailed follow-up report within 72 hours. Incidents causing harm to health or financial losses over €500,000, or affecting 5% of a company’s annual turnover, are considered significant.
Moreover, the act sets minimum thresholds for incidents affecting 5% of total EU users for certain service providers like cloud computing services and social networking platforms. Any incident suspected to be the result of malicious actions must be reported. Critics argue that this could lead to overreporting of non-harmful incidents, making it difficult for companies to assess and report accurately within the stipulated time frame.
Hans de Vries from the EU Cybersecurity Agency emphasizes the importance of reporting and suggests working with the current thresholds to ensure effectiveness. While companies may fear administrative burdens and sanctions, reporting is vital for societal security. Previous iterations had thresholds so high that few incidents were reported, highlighting the need for balanced criteria.
Source: Commission ponders what makes a ‘significant’ cybersecurity incident under NIS2