Incident reporting is increasingly required in Europe, but it is being imposed in an ad hoc manner. Regulated industries, such as the telecommunications and finance sectors, are already obligated by law to report incidents. Provisions within the General Data Protection Regulation will require all companies to report incidents involving personal information – but not otherwise.
To fill in the gaps, the European Commission published a proposed Network and Information Security (NIS) Directive in 2013. This directive includes the proposal for a general reporting requirement for 'incidents with a significant impact.' ENISA's new report is not intended to be a guide on how to implement the proposed NIS directive, but starts from the assumption that the increasing reliance on the cloud in Europe will mean cloud security incidents are likely to be 'incidents with a significant impact.'
As Professor Udo Helmbrecht explains,“Incident reporting is crucial to enable better understanding of the security and resilience of Europe’s critical information infrastructures. Cloud computing is now becoming the backbone of our digital society, so it is important that cloud providers improve transparency and trust by adopting efficient incident reporting schemes.”
The ENISA report, titled Cloud Security Incident Reporting – Framework for reporting about major cloud security incidents, looks at four separate cloud computing scenarios: services used by a critical infrastructure operator; services used by customers in multiple critical sectors; government clouds; and cloud services used by SMEs and the public.
In doing so, it isolated a number of existing problems. Firstly, most European countries do not have a national authority. Secondly, cloud services often use other cloud services, which increases complexity and complicates incident reporting. Thirdly, customers do not currently insist on incident reporting obligations in their cloud contracts.
"The goal of this report," it says, "is to provide government authorities (ministries, regulators, cyber security agencies) with an overview of issues and challenges when implementing (national and pan-European) schemes for reporting about significant security incidents in cloud computing."
To solve these problems and foster a Europe wide incident reporting framework for cloud providers, ENISA makes a series of eight separate recommendations. For example, government authorities should address incident reporting obligations in their procurement requirements. So indeed should private industry. Since some sectors are already required to report their own incidents, and more are likely to be so required under the General Data Protection Regulation, cloud customers should address incident reporting as part of the SLA contract with their providers.
An area of particular concern is the need for harmonized legislation across Europe. At the moment, the EC's NIS proposal is a directive, which would allow different member states to interpret its implementation under their own preferences. "Cloud providers," says the report, "often work across borders, which means that customers and regulators from several countries are involved. To allow for a level playing field and a competitive single digital market it is important to harmonize the implementation of incident reporting legislation whenever possible."
Part of that harmonization should include improved sharing between different national authorities. "By sharing summaries of incident reports with other authorities, they can discuss trends, common threats, as well as security measures and best practices. Only in this way can authorities feed-back relevant information to the industry."
ENISA suggests, "Think big, but start small." In this way a pan-European and effective incident reporting framework can evolve. And that, it suggests, would be a win-win result for both customers and providers.