ECSO publishes new report after the NIS2 Implementation Workshop: “Voice of Industry”.

Under its NIS2 Implementation Initiative, ECSO has held a workshop on the NIS2 Implementing Act with industry representatives and the European Commission, focused on specifying thresholds for the reporting of significant incidents. Following the workshop, held on 6 February at ECSO’s premises in Brussels, we are delighted to announce that the summary of the meeting’s outcomes has been published in the document “ECSO’s NIS2 Implementation Workshop: Voice of Industry”.

The full report can be found here.

Context

By 17 October 2024, the European Commission (EC) is expected to adopt mandatory implementing acts on incident reporting, with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines and of social networking services platforms, specifying the cases in which an incident shall be considered significant.

The “Voice of Industry” document sets out the pros and cons of different scenarios for establishing thresholds for the reporting of significant incidents. The document also provides a set of recommendations to be taken into account when drafting the Implementing Act.

Among the recommendations, the industry highlights the need for clear definitions of what constitutes an incident and what makes an incident significant. Classifying incidents based on predefined parameters (such as the number of affected instances or customers) is important, but the weighting of specific parameters varies across companies, sectors and countries, which makes it difficult to establish a core set of parameters defining the severity of an incident.

Other key recommendations include:

  • Specifying the type of threat in the Implementing Act (e.g. ransomware) is not seen as effective by the industry: impacts of the same threat type can vary widely, and the significance of an incident may change over time as its assessment continues. The incident reporting framework therefore needs to be flexible.
  • Thresholds need to be tied to the requirements of digital service providers and not to the entity benefiting from the service, given that providers lack visibility of key incident information held by a customer (e.g. number of users impacted, size and criticality of the company).
  • The incident reporting framework should be simple, user friendly and focused on measurable parameters.
  • Requirements set in the Implementing Act should be harmonised with other EU policies addressing incident reporting.
  • A clear link has to be established between the Implementing Act on security measures and the one on incident reporting.

ECSO applauds the efforts of institutional partners to foster dialogue between policymakers and industry stakeholders. ECSO closely follows the NIS2 implementation through a dedicated Initiative that is expected to publish a White Paper on the main priorities and challenges of the NIS2 implementation. More information on the initiative and the related White Paper can be found here.
