A Commission committee is considering how to define "significant" cybersecurity incidents that, under the EU-wide cybersecurity legislation NIS2, must be quickly reported to authorities.
The last feedback from member states on the implementing act, which sets out rules on how NIS2 is to be implemented at the national level, was expected Wednesday (2 October).
Member states are far behind schedule in transposing NIS2 into national law, with the deadline on 17 October.
Only Belgium, Croatia, Hungary, Lithuania, and Latvia have done so. The rest are at various stages of drafting their respective NIS2 national laws. The Netherlands has drafted a proposal but has said it is unlikely to meet the deadline.
The Commission does not currently intend to give member states an extension, multiple sources have told Euractiv.
In the absence of national laws spelling out compliance steps, and in many cases of adequately staffed national agencies to which companies can put their questions, the implementing acts provide key guidance.
This particular implementing act sets certain thresholds over which a security incident is considered "significant."
Under NIS2, such incidents must be reported in an "early warning" within 24 hours of the entity becoming aware of them, indicating, where applicable, whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.
A second notification is to follow within 72 hours, updating the early warning with an initial assessment of the incident's severity and impact and, where available, indicators of compromise. A final report is due no later than one month after that notification.
Any incident that leads to harm to a person's health or causes financial losses over €500,000 or 5% of the company’s total annual turnover would be considered "significant," according to the latest draft of the implementing act seen by Euractiv.
For cloud computing service providers, content delivery network providers, online marketplaces, search engines, social networking platforms, and managed (security) service providers, the act also sets a user-based threshold: an incident counts as significant once it affects 5% of the provider's users in the EU.
For these and other entities covered by the act, any incident "suspected" to be the result of malicious action must be reported regardless of its measured impact, according to the implementing act.
That could mean that many incidents are reported which may not actually cause operational harm, industry association ITI told Euractiv. The categories should be refined to better correlate with actual harm and align with international standards, the association said.
“Companies may not even be aware of how many users are impacted by a given security incident, particularly in the stipulated time frame,” Alexandre Roure, head of policy and deputy head of office at industry association CCIA Europe, told Euractiv.
Roure was speaking especially about cloud services, where firms may be selling their services to B2B companies that, in turn, provide services to other businesses or consumers.
“Based on the current draft, with its overly broad definitions, it is also nearly impossible to accurately assess the potential financial and reputational impact of an incident within the first 24 hours. If nothing changes, companies will be left blind guessing whether they should report each and every incident, or only those that are truly significant,” he said.
The EU Cybersecurity Agency's (ENISA) Chief Cybersecurity and Operating Officer, Hans de Vries, has a different perspective.
On overreporting of incidents, without having seen the implementing act, he said he did not know "whether the numbers are not too low or too high," suggesting that companies "work with the numbers, and be effective." Under the previous iteration of the directive (NIS1), "the threshold was so high that we barely had any reporting that met the thresholds," he added.
Companies may be reluctant to report due to administrative burdens and fear of sanctions, but this information is vital to society, he said.
[Edited by Owen Morgan/Martina Monti]