How Organisations Can Master Incident Reporting Obligations Under NIS2
The new NIS2 directive is designed to strengthen the cyber resilience of over 160,000 companies that operate in the EU – either directly or indirectly. Coming into force by 17th October, NIS2 regulations will outline how these essential entities can combat increasingly sophisticated and frequent cyber attacks.
Notwithstanding delays in the implementation of local legislation, the NIS2 directive provides an indication of the compliance obligations affecting those organisations which fall within the scope of the new rules. Ultimately, NIS2 aims to reduce inconsistencies in cyber security resilience by being the "single source of truth" for regulatory bodies to oversee how organisations implement increasingly stringent cybersecurity frameworks. As we have seen in recent weeks, these are crucial, especially during large-scale cybersecurity incidents or crises.
As member states prepare to transpose the NIS2 directive into national law, organisations must update their incident response plans to ensure they are prepared to comply with the new reporting requirements. Whilst many member states are well on track, some have acknowledged they are unable to meet the deadline. As October rapidly approaches, this leaves organisations somewhat in the dark about the precise requirements they will need to comply with, which has a detrimental impact on their overall cybersecurity posture.
Organisations Need to be Clear on Incident Reporting Requirements
Firstly, it is important to recognise that any organisation conducting business in the EU must comply with the new regulations, even if they are headquartered outside the EU. This significantly widens the scope of NIS2's reach and should alert CISOs and senior cybersecurity decision makers – if not already – to NIS2's wider implications and touchpoints.
When comparing the requirements of NIS2 to other regulations such as GDPR, there are clear similarities and some important differences that are crucial to highlight. For instance, what does the directive define as an "incident"? To whom does an incident need to be reported, and what time limits are put in place for each stage of the reporting process? These questions become even more complex for organisations operating under several regulatory regimes or in multiple jurisdictions.
Article 21 of NIS2 outlines a series of minimum cyber-risk management measures that organisations in scope are expected to implement. Member states will be expected to incorporate these measures, including incident handling, into local legislation. Incident handling is further defined by NIS2 as "actions and procedures aiming to prevent, detect, analyse, contain, respond to, and recover from an incident."
Many large organisations, and even smaller ones, will likely have implemented an incident response policy, however rudimentary. If an organisation does not have an incident response strategy, it is imperative to begin putting one in place as soon as possible.
Even organisations with a robust incident response plan might discover that it does not account for the stringent reporting requirements outlined in NIS2. Organisations are obligated to inform their competent authority about a significant incident within 24 hours, provide additional details regarding the scope and impact within 72 hours, and submit a comprehensive report within a month.
Defining a Cybersecurity Incident Under NIS2 Regulations
The definition of an incident also warrants careful consideration. NIS2 states that an incident shall be considered significant if either:
- The incident has caused or has the potential to cause substantial operational disruption or financial losses for the entity concerned.
- The incident has affected or has the potential to affect other natural or legal persons by causing considerable material or non-material losses.
For organisations operating across multiple EU countries, ensuring that local incident response planning complies with the requirements of each jurisdiction adds another layer of complexity.
Past experience with GDPR is instructive: the EU data privacy regulation obligates organisations to report a data breach in every affected jurisdiction. If a breach impacts data subjects in multiple countries where an organisation operates, it must comply with the reporting requirements of each national data protection regulator. This becomes increasingly complex when data is shared across national boundaries for backup, operational resilience, and cloud processing.
Similar considerations will likely come into play when organisations plan their local strategies for implementing NIS2-compliant incident response measures. National authorities will expect organisations to not only have compliant incident response policies and procedures but also to complement these with effective playbooks.
Additionally, organisations will be required to ensure a high standard of testing and rehearsal of their incident response provisions through tabletop exercises and other simulation activities.
A Culture of Proactive Security is Paramount
Testing the effectiveness and operational viability of incident response plans before a real emergency arises goes beyond technical considerations. It also depends on an organisation's ability to bring together the relevant stakeholders quickly enough to mount an effective response.
Preparing an effective incident handling strategy also requires an organisation to understand its infrastructure, digital assets, and data landscape. Organisations with effective endpoint tooling and up-to-date digital asset and data registers are better positioned to identify, collect, preserve, and analyse evidence after an incident.
Moreover, such organisations are more capable of containing, eradicating, and recovering from an incident, as well as mitigating future risks through effective root cause analysis. Most organisations will need to carefully adjust their incident response planning to meet stricter reporting requirements.
While incident response plans should adhere to best practices, customising specific actions and strategies to align with the organisation's structure, compliance obligations, data landscape, and operational needs is crucial.