Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (short: NIS Directive)
What kind of incidents will be notifiable by the operators of essential services?
Directive (EU) 2016/1148 does not define a threshold for what constitutes a significant incident requiring notification to the relevant national authority. It defines 3 parameters which should be taken into consideration:
- Number of users affected
- Duration of incident
- Geographic spread
These parameters may be further clarified by means of guidelines adopted by the national competent authorities acting together within the Cooperation Group.
What kind of incidents will be notifiable by the DSPs?
The Directive does not define a threshold for what constitutes a substantial incident requiring notification to the relevant national authority. It defines 5 parameters which should be taken into consideration:
- Number of users affected
- Duration of incident
- Geographic spread
- The extent of the disruption of the service
- The impact on economic and societal activities
These parameters will be further specified by the Commission by means of implementing acts.
Source: European Commission – Fact Sheet: Directive on Security of Network and Information Systems, Brussels, 6 July 2016.
Mandatory sector-specific reporting
Not all EU countries have adopted legislation on security measures and incident reporting, and there were large differences between the national approaches.
To address these issues, the European Commission (EC) has been working on common EU-wide legislation with the objective of achieving consistency and harmonization across the EU. The following areas are currently regulated at EU level in terms of security measures and incident reporting:
- Mandatory incident reporting in the telecom sector (Art. 13a Telecom Framework Directive)
- Mandatory incident reporting for trust service providers (Art. 19 eIDAS regulation)
- Mandatory incident reporting for digital service providers (Art. 16 (4) NIS Directive)
The new regulation on electronic identification and trust services (Regulation (EU) No 910/2014, referred to as eIDAS) contains Article 19, which requires, among other things, that providers of trust services 1) assess risks, 2) take appropriate security measures to mitigate those risks, and 3) notify the supervisory body about significant incidents/breaches.
Cyber Incident Reporting
- The two-pager Cyber Incident Reporting – a Unified Message for Reporting to the Federal Government provides concise information on how to report cyber incidents.
- Department of Homeland Security
- Not mandatory
US-CERT Incident Reporting System
- The US-CERT Incident Reporting System is a form to report incidents to US-CERT
Computer Security Incident Handling Guide
The Computer Security Incident Handling Guide (2012) describes the following provisions to mitigate, prevent and report incidents:
- Creating an incident response policy and plan
- Developing procedures for performing incident handling and reporting
- Setting guidelines for communicating with outside parties regarding incidents
- Selecting a team structure and staffing model
- Establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies)
- Determining what services the incident response team should provide
Privacy Incident Handling Guide
According to its Privacy Incident Handling Guidance, the Office of Management and Budget (OMB) requires agencies to report all Privacy Incidents to the United States Computer Emergency Readiness Team (US-CERT) within one hour of discovering the incident, as mandated by OMB Memorandum M-06-19 (OMB M-06-19), Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006, and OMB Memorandum M-07-16 (OMB M-07-16), Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007. The one-hour time requirement begins when the DHS Chief Information Security Officer (DHS CISO) is notified of the incident.
Please note that each US state has individual provisions as well.
White Paper on Defence and National Security (2013)
Report major incidents to ANSSI (Agence nationale de la sécurité des systèmes d'information)
Military Programming Act 2013
According to article 22 of the Military Programming Act 2013, critical infrastructure providers are obliged to report any cybersecurity breach or incident to ANSSI. The information required in such reports depends on the sector in which the critical infrastructure provider operates.
French Data Privacy Act
The French Data Privacy Act (2018) transposes the GDPR into French law. According to article 34 bis, internet service providers have to notify data breaches to the Commission Nationale de l'Informatique et des Libertés (CNIL) immediately (no other specifications on the incident are required).
Information to be reported to CNIL:
- Category of data affected
- Measures taken
- Description of consequences
Law 2018-133 of 26 February 2018 portant diverses dispositions d'adaptation au droit de l'Union européenne dans le domaine de la sécurité (law containing various provisions adapting French law to European Union law in the field of security)
According to Article 9 of the law, critical infrastructure providers are obliged to report any cyber incident to ANSSI (Agence nationale de la sécurité des systèmes d'information).
The Network and Information Systems Regulations 2018
11. The duty to notify incidents
(1) An OES must notify the designated competent authority about any incident which has a significant impact on the continuity of the essential service which that OES provides (“a network and information systems (“NIS”) incident”).
(2) In order to determine the significance of the impact of an incident an OES must have regard to the following factors—
(a) the number of users affected by the disruption of the essential service;
(b) the duration of the incident; and
(c) the geographical area affected by the incident.
(3) The notification mentioned in paragraph (1) must—
(a) provide the following—
(i) the operator's name and the essential services it provides;
(ii) the time the NIS incident occurred;
(iii) the duration of the NIS incident;
(iv) information concerning the nature and impact of the NIS incident;
(v) information concerning any, or any likely, cross-border impact of the NIS incident; and
(vi) any other information that may be helpful to the competent authority; and
(b) be provided to the competent authority—
(i) without undue delay and in any event no later than 72 hours after the operator is aware that a NIS incident has occurred; and
(ii) in such form and manner as the competent authority determines.
Reporting to the National Cyber Security Centre (NCSC)
Reporting an incident to the NCSC does not fulfil any legal or regulatory incident reporting requirement.
- GDPR. If you have been subject to a personal data breach that is required to be reported under the GDPR, please contact the ICO (Information Commissioner's Office). If there is malicious cyber activity related to this which you wish to report (either for information or for action), please fill in the form below.
- NIS Directive. If you are an Operator of Essential Services (OES) under the NIS Directive, please use the form below (provided in the link) in conjunction with reporting to your Competent Authority (CA). This is applicable for any cyber incident which you feel requires NCSC's support (for action) or is for wider interest (for information).
- All submissions are useful and will aid the NCSC. Please complete the form below if you are alerting the NCSC for information only or require technical assistance.
Communications Act 2003 (Articles 105A and 105B) as amended by the Electronic Communications and Wireless Telegraphy Regulations 2011
According to the Communications Act 2003 (Articles 105A and 105B), as amended by the Electronic Communications and Wireless Telegraphy Regulations 2011, network providers must take appropriate measures to manage risks to the security of public electronic communications networks and services:
- Prevent or minimize the impact of incidents on end-users and the public communications network
- Take measures to protect network availability
- Network providers must notify the Office of Communications of a breach.
- In urgent cases, according to the law, the Office of Communications has the power to deal with them itself.
Privacy and Electronic Communications Regulations 2003
The Privacy and Electronic Communications Regulations oblige providers of public electronic communications services to have appropriate security measures in place. If an incident occurs, the provider has to inform its subscribers:
Security of public electronic communications services
5.—(1) Subject to paragraph (2), a provider of a public electronic communications service (“the service provider”) shall take appropriate technical and organisational measures to safeguard the security of that service.
(2) If necessary, the measures required by paragraph (1) may be taken by the service provider in conjunction with the provider of the electronic communications network by means of which the service is provided, and that network provider shall comply with any reasonable requests made by the service provider for these purposes.
(3) Where, notwithstanding the taking of measures as required by paragraph (1), there remains a significant risk to the security of the public electronic communications service, the service provider shall inform the subscribers concerned of—
(a) the nature of that risk;
(b) any appropriate measures that the subscriber may take to safeguard against that risk; and
(c) the likely costs to the subscriber involved in the taking of such measures.
(4) For the purposes of paragraph (1), a measure shall only be taken to be appropriate if, having regard to—
(a) the state of technological developments, and
(b) the cost of implementing it, it is proportionate to the risks against which it would safeguard.
(5) Information provided for the purposes of paragraph (3) shall be provided to the subscriber free of any charge other than the cost to the subscriber of receiving or collecting the information.
Articles 25 and 59 of the Chinese Cybersecurity Law (2017) state (…): "When cybersecurity incidents occur, network operators should immediately initiate an emergency response plan, adopt corresponding remedial measures, and report to the relevant competent departments in accordance with relevant provisions." Article 60 penalizes the disregard of Article 25 with fines.
As there are no detailed specifications on how to report an incident and no definition of an incident, further guidelines were published.
Cyber Incident Response Plan
"The Plan" is formulated in the context of the Chinese Cyber Security Law. Its main objective is to establish and improve national incident response.
- The Plan classifies incidents as "extremely serious", "serious", "relatively serious" and "general", and separately recognizes a "security threat". Furthermore, it classifies potential security threats that have not yet given rise to actual harm into Grades I to IV (Grade I being the most serious category).
An entity is obliged to report an incident, classified as above, to MIIT or CNCERT within the time limit specified by law:
- "extremely serious" or "serious" incidents or the existence of Grade I or II security threats must be reported to MIIT and the relevant provincial branch within two hours, with a copy to CNCERT
- "relatively serious" incidents or the existence of Grade III security threats must be reported to MIIT and the relevant provincial branch within four hours, with a copy to CNCERT
- the existence of Grade IV security threats must be reported within five business days of the discovery to CNCERT, with a copy to the relevant provincial MIIT branch
- "general" security incidents must be reported monthly to CNCERT, with a copy to the relevant MIIT provincial branch
Incident reporting has to comprise the following information:
- basic information about the entity
- the time when the incident took place
- a summary of the incident
- estimate of harm and effect
- measures that have been taken
- other related relevant information
Regulation on the Security Protection of Computer Information Systems (2017) (Draft Regulation – in Chinese only)
The draft regulation is formulated in the context of the Chinese Cyber Security Law. It addresses not only the security protection of Critical Information Infrastructures (CIIs) but also the planning, establishment, operation, maintenance and use of CIIs.
Any cyber incident must be reported to the public security authority within 24 hours. The incident must be reported to the national security authority if the incident has an impact on the national security.
The report must contain the following information:
- Name of the notification party
- Description of the incident (including detailed information)
- Nature of incident
- Affected properties
- Affected personal information
- Measures that have been taken
- Assessment on the severity of the incident
Regulation for the Protection of the Critical Information Infrastructure (2017)
The draft regulation (in Chinese only) defines the following sectors as critical infrastructures:
- government department, or an entity in the sector of energy, finance, transportation, water conservancy, health and medical services, education, social insurance, environmental protection, or public affairs
- information network including telecom network, broadcast network, and internet; provision of cloud computing, big data and other large-scale public information network service
- scientific research or manufacturing entity in the industry of science and technology for national defence, large equipment, chemicals, and food and medicine
- press units such as broadcasting station, TV station and news agency
- other important entities.
National Strategy for the protection of Switzerland against cyber risks 2018-2022
Article 4.5 Vorfallbewältigung (incident management) of the National Strategy for the protection of Switzerland against cyber risks 2018-2022 describes:
- Incident response
- Establishment of MELANI (Melde- und Analysestelle Informationssicherung, engl. Reporting and Analysis Center for Information Security)
Sector-specific notification duties for critical infrastructure:
- financial services sector: mandatory notification to FINMA without delay regarding events of material relevance for the supervision of the relevant supervised entity
- telecommunications sector: notification to OFCOM in the case of faults in the operation of telecommunications networks that affect a significant number of customers
- aviation sector: notification to the Federal Office of Civil Aviation in the case of safety-related data breaches
- railway industry: notification to the Federal Department of the Environment, Transport, Energy and Communications in the case of severe incidents;
- nuclear sector: notification to the Swiss Federal Nuclear Safety Inspectorate in the case of safety-related data breaches.
MELANI (Swiss Reporting and Analysis Center for Information Security)
MELANI (Melde- und Analysestelle Informationssicherung) is interested in learning about incidents concerning the topics listed in its section on threats and risks. Reports may be submitted anonymously. Reports with concrete questions, or related to ongoing cases on which additional information may be given, will receive a timely reply. MELANI notes that cases are prioritized and that a reply will therefore not necessarily be immediate.
There is currently no obligation to notify cyber incidents or data breaches to the national authorities, though this will change by 2020.
Federal Law of the Russian Federation on the Safety of critical information infrastructure of the Russian Federation (2017)
The Federal Law of the Russian Federation on the Safety of Critical Information Infrastructure of the Russian Federation (in Russian only) defines the following industries and sectors as critical information infrastructure: health care, science, transportation, communication, banking, financial markets, energy, nuclear energy, defence, aerospace, mining, iron and steel, and chemicals.
There is an obligation to report any incident that threatens the security of critical infrastructures. To this end, Cyber Attack Prevention Centers were established in order to prevent unauthorized access to security-related data. In case of an incident, the affected entity has to report it to the National Coordination Center for Computer Incidents.
National Cyber Security Policy (2013)
Section E of the National Cyber Security Policy provides provisions for creating mechanisms for security threat early warning, vulnerability management and response to security threats, with the following objectives:
- To create National level systems, processes, structures and mechanisms to generate necessary situational scenario of existing and potential cyber security threats and enable timely information sharing for proactive, preventive and protective actions by individual entities.
- To operate a 24x7 National Level Computer Emergency Response Team (CERT-In) to function as a Nodal Agency for coordination of all efforts for cyber security emergency response and crisis management. CERT-In will function as an umbrella organization in enabling creation and operationalization of sectoral CERTs as well as facilitating communication and coordination actions in dealing with cyber crisis situations.
- To operationalise 24x7 sectoral CERTs for all coordination and communication actions within the respective sectors for effective incidence response & resolution and cyber crisis management.
- To implement Cyber Crisis Management Plan for dealing with cyber related incidents impacting critical national processes or endangering public safety and security of the Nation, by way of well coordinated, multi disciplinary approach at the National, Sectoral as well as entity levels.
- To conduct and facilitate regular cyber security drills & exercises at National, sectoral and entity levels to enable assessment of the security posture and level of emergency preparedness in resisting and dealing with cyber security incidents.
Section 70 B of the Information Technology (Amendment) Act
Section 70B of the Information Technology (Amendment) Act 2008 defines the organization and responsibilities of the Indian Computer Emergency Response Team, which serves as the national agency for incident response:
- The Central Government shall, by notification in the Official Gazette, appoint an agency of the government to be called the Indian Computer Emergency Response Team.
- The Central Government shall provide the agency referred to in sub-section (1) with a Director General and such other officers and employees as may be prescribed.
- The salary and allowances and terms and conditions of the Director General and other officers and employees shall be such as may be prescribed.
- The Indian Computer Emergency Response Team shall serve as the national agency for performing the following functions in the area of Cyber Security:
- (a) collection, analysis and dissemination of information on cyber incidents
- (b) forecast and alerts of cyber security incidents
- (c) emergency measures for handling cyber security incidents
- (d) Coordination of cyber incidents response activities
- (e) issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents
- (f) such other functions relating to cyber security as may be prescribed
- The manner of performing functions and duties of the agency referred to in sub-section (1) shall be such as may be prescribed.
- For carrying out the provisions of sub-section (4), the agency referred to in sub-section (1) may call for information and give direction to the service providers, intermediaries, data centers, body corporate and any other person
- Any service provider, intermediaries, data centers, body corporate or person who fails to provide the information called for or comply with the direction under sub-section (6), shall be punishable with imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both.
- No Court shall take cognizance of any offence under this section, except on a complaint made by an officer authorized in this behalf by the agency referred to in sub-section (1)
Draft Rules under section 70B (5) of the Information Technology (Amendment) Act
The Draft Rules under section 70B (5) of the IT (Amendment) Act 2008 specify the measures to be taken in case of an incident:
Service providers, intermediaries, data centers and body corporate shall report the cyber security incidents of following nature to CERT-In within a reasonable time of occurrence or noticing the incident:
- Repeated scanning or probing of critical computer networks and systems
- Compromise of or unauthorized access to critical computer networks, systems or information
- Defacement of or intrusion into website
- Detection of large scale propagation of computer contaminant
- Identity Theft, and phishing incidents
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) incidents
Service providers, data centers, body corporates and intermediaries have to report incidents without delay to the Indian CERT (email@example.com). See the factsheet provided by CERT-In on how to report an incident.
Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.
The provisions of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (amended in 2015) oblige online service providers to report security incidents and share information with the Ministry of Science and ICT (MSIP) or the Korea Internet & Security Agency (KISA). Any violation of this obligation will result in a fine.
Cybersecurity Act 2018
(1) The owner of a critical information infrastructure must notify the Commissioner of the occurrence of any of the following in the prescribed form and manner, within the prescribed period after becoming aware of such occurrence:
(a) a prescribed cybersecurity incident in respect of the critical information infrastructure;
(b) a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the critical information infrastructure;
(c) any other type of cybersecurity incident in respect of the critical information infrastructure that the Commissioner has specified by written direction to the owner.
(2) The owner of a critical information infrastructure must establish such mechanisms and processes for the purposes of detecting cybersecurity threats and incidents in respect of the critical information infrastructure, as set out in any applicable code of practice.
(3) Any owner of a critical information infrastructure who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.
Protection of Personal Information Act (POPI)
Article 22 of the Protection of Personal Information Act (POPI) (2013): Notification of security compromises
22. (1) Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify—
(a) the Regulator; and
(b) subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.
(2) The notification referred to in subsection (1) must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.
(3) The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned.
(4) The notification to a data subject referred to in subsection (1) must be in writing and communicated to the data subject in at least one of the following ways:
(a) Mailed to the data subject’s last known physical or postal address;
(b) sent by e-mail to the data subject’s last known e-mail address;
(c) placed in a prominent position on the website of the responsible party;
(d) published in the news media; or
(e) as may be directed by the Regulator.
(5) The notification referred to in subsection (1) must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including—
(a) a description of the possible consequences of the security compromise;
(b) a description of the measures that the responsible party intends to take or has taken to address the security compromise;
(c) a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
(d) if known to the responsible party, the identity of the unauthorized person who may have accessed or acquired the personal information.
(6) The Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.
United Arab Emirates
Penal Code – Federal Law No. 3 (2011)
According to the Penal Code, organizations must act in the interest of their shareholders and stakeholders. A cyber incident might be considered as running counter to shareholders' and stakeholders' interests, so there is an indirect obligation to report or disclose a cyber incident.
The notification (at a police station) should include the following items:
- summary in Arabic,
- background information on incident, and
- supporting material.
Ministerial Resolution No. (1) of 2008 regarding the issuance of Certification Service Provider Regulation
Article (21) of the Ministerial Resolution No. (1) of 2008 regarding the issuance of Certification Service Provider Regulation obliges certification service providers to have a Risk Management and Security Plan and notify the corresponding authorities about an incident.
1. A Certification Service Provider shall prepare a risk management and security plan to face the following incidents:
(a) Threatening any of the Certification Service Provider’s Secure Authentication Procedures or devices, including Electronic Attestation Certificates, Signature Creation Devices and Electronic Information.
(b) Lack of system or network or a defect in either.
(c) A material breach of security.
(d) If registration or generation of Electronic Attestation Certificates or giving information on Electronic Attestation Certificate that have been suspended or revoked.
2. If any incident referred to above occurs, it shall be reported by the Certification Service Provider in writing to the Controller within twenty-four (24) hours from the time that the Certification Service Provider knew, or reasonably ought to have known, of its occurrence.
Protection of Privacy Regulations (Data Security) 5777-2017
Protection of Privacy Regulations (Data Security) 5777-2017, Regulation 11:
(a) A database controller is responsible to document every case in which an event was discovered, raising concern regarding a breach of the data integrity, unauthorized use thereof or deviation from authorization (hereinafter - "security incidents"); the said documentation will be based as much as possible on automatic records.
(b) In the data security procedure, a database controller will also prescribe instructions with respect to handling information security incidents, depending on the event severity and the information sensitivity level, including with respect to revoking authorizations and other necessary immediate measures, and with respect to the reporting of security incidents to the database controller and the actions taken in response.
(c) In a database subject to medium security level, the database controller will hold a discussion regarding data security incidents at least once a year and assess the need to update the data security procedure; in a database subject to high security level, such a discussion will be held at least quarterly.
(d) In case of a severe security incident -
(1) The database controller will immediately notify the Registrar and report to the Registrar on the measures he took following the incident;
(2) The Registrar may order a database controller, except a controller of the databases listed in Section 13(e) of the Law, and after consulting with the head of the National Cyber Defense Authority, to give a notice of the security incident to a data subject who may suffer damage as a result of the incident.
There is currently no obligation to notify cyber incidents or data breaches to the national authorities.
Privacy Amendment (Notifiable Data Breaches) Act 2017
The NDB scheme applies from 22 February 2018 to all agencies and organizations with existing personal information security obligations under the Privacy Act. It was established by the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017.
The Notifiable Data Breaches Scheme includes an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. The notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches.
Agencies and organizations must be prepared to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm, and as a result require notification.
Notifications to the Commissioner should be lodged through the Notifiable Data Breach form.
(Office of the Australian Information Commissioner)
Australian Cybercrime Online Reporting Network (ACORN)
The Australian Cybercrime Online Reporting Network is a secure reporting and referral service for cybercrime and online incidents which may be in breach of Australian law. Certain reports will be directed to Australian law enforcement and government agencies for further investigation. (ACORN)
There is currently no obligation to notify cyber incidents or data breaches to the national authorities. It is, however, a strategic priority.
National Cyber Security Plan 2022
There is currently no obligation to notify cyber incidents or data breaches to the national authorities. Reporting of security breaches and intrusion attempts, including other computer incidents or events, shall be mandatory for all government agencies, including agencies and offices that have a centralized collection and repository of information.
NIS Legislative Decree 65/2018
National implementation of the EU NIS Directive.
Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSI-Gesetz, BSIG)
Section 8 of the BSIG defines measures for the protection of critical infrastructures and digital service providers and the corresponding duties. Notification of IT incidents to the BSI is obligatory. Non-compliance may be fined.
IT-Sicherheitsgesetz 2015 (Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme; Version 2.0 is currently in legislative process)
The IT Security Law amends the BSIG and focuses on the protection of critical infrastructures. It amends the Telemediengesetz and the Telekommunikationsgesetz, among others, as well. Consequently, providers of critical infrastructure are subject to higher security standards and defined security measures, and are obliged to report any cyber incident to the BSI.
Gesetz zur Umsetzung der NIS-Directive
According to section 109a of the Telekommunikationsgesetz, providers of telecommunications networks or services have to report any IT breach to the Federal Network Agency immediately (description of the incident, indication of the category of the affected data, subjects affected, description of measures taken).