Major security incidents can cause serious problems for users. These incidents can be man-made (such as the loss of millions of user IDs and passwords through hacking), or ‘acts of God’, such as the communications havoc wrought by the destructive power of the storm known as Dagmar in Scandinavia at the end of last year.
But ENISA has found that many such incidents are either not reported or simply undetected. “Cyber incidents,” comment the report’s authors, “are most commonly kept secret when discovered, leaving customers and policymakers in the dark about frequency, impact and root causes.”
“It is important that national authorities and the EC discuss, agree, and clarify the scope of legislation on electronic communications and address these and other gaps,” says the report. It examines existing and planned legislation to cover the requirement for mandatory incident disclosure in the EU. It identifies areas for improvement, and looks forward to the coming EU Cyber Security Strategy. It expects that this strategy will emphasize incident reporting and the importance of EU-wide exchange of information about incidents and how to address them.
Key to improved European cyber security, suggests ENISA, is more effective implementation, expansion and enforcement of Article 13a of the Telecommunications Regulatory Directive. This specifies that not only must providers take appropriate measures to manage the risks posed to the security of their networks and services, but Member States must also ensure that those providers notify the national regulatory authorities of any significant breach of security or loss of integrity.
The Executive Director of ENISA, Professor Udo Helmbrecht, explained, “Incident reporting is essential to obtain a true cyber security picture. The EU’s cyber security strategy is an important step and one of its goals is to extend the scope of reporting provisions like Article 13a beyond the telecommunications sector.”