
The duty to report

With the advent of the NIS2 Directive, in addition to the duty of care, the duty to report, which already existed under the original NIS Directive, will be fleshed out.

Under the first NIS Directive, a duty to report incidents that significantly impact service continuity was introduced. According to the Directive, an incident is said to occur when there is “any event with an actual detrimental effect on the security of network and information systems”. Security refers to “the ability of network and information systems to withstand actions that affect the availability, integrity, confidentiality, and authenticity of network and information systems with a certain degree of reliability”. To assess whether an incident has significant impact, the guideline describes several parameters to be considered, including the number of users affected, the duration of the incident, and the size of the geographical area affected by the incident. If, for a supplier, an incident appears to have a significant impact on the continuity of the service provided, the incident must be reported without delay to the local Computer Security Incident Response Team (CSIRT), or competent authority as designated by the Member State. The report must contain sufficient information to enable the competent authority or the CSIRT to determine the cross-border impact of the incident.

The notifications
The NIS2 Directive provides for a “two-stage approach” to incident reporting. The first notification aims to limit the potential spread of incidents and to allow entities to seek support. Apart from fulfilling the obligation to file it, the first report focuses on dealing with incidents. The second report should be thorough, ensuring that lessons can be learned from previous incidents; it also aims to gradually improve the resilience of individual companies and entire sectors to cyber threats. It is important to note, however, that further clarifications might be required to clearly assess the incident and its consequences.

1. First notification — Without undue delay and, in any case, within 24 hours of becoming aware of the incident, an initial notification should be made to the competent authority or the nationally relevant CSIRT, indicating, if possible, whether an unlawful or malicious act caused the incident. This notification covers the strictly necessary information. Within 72 hours of submitting the first alert, the affected entity is also required to submit an update and initial assessment with more detail on the attack and measures put in place. If requested by the entity, it is possible to receive guidance on implementing potential mitigation measures and, if required, additional technical support. In the case of a criminal incident, the impacted entity also receives guidance on reporting the incident to law enforcement authorities.

2. Final notification — Finally, within one month of the submission of the initial notification or first report, a final report must be submitted, including (i) a detailed description of the incident, its severity and consequences, (ii) the type of threat or cause likely to have led to the incident, and (iii) applied and ongoing mitigation measures.

Significant cyber threats

The provision regarding reporting incidents with significant consequences has been adopted in the NIS2 Directive, adding that entities will also have to report any major cyber threat they identify that could lead to a significant incident. Regarding the term “cybersecurity,” it follows the definition laid down in the Regulation on ENISA (the European Union Agency for Cyber Security) and on Certification of Cyber Security of Information and Communication Technology — the Cybersecurity Act. This regulation defines cybersecurity as “the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats.” An incident is considered significant if the incident results or may result in significant operational disruption or financial losses for the entity concerned or if the incident has affected or may affect natural or legal persons by causing significant material or immaterial damage.

Voluntary notifications

Entities outside the scope of the NIS2 Directive may voluntarily report significant incidents, cyber threats, or near misses. The competent authority or CSIRT shall follow the procedure described under the “two-stage notification”. Voluntarily submitted reports may not be subject to any additional obligations. Thus, if an entity makes a voluntary notification, it should not be subject to more onerous obligations than if it had not submitted it.
