The European Network and Information Security Agency (ENISA) published this week a report on cyber incidents reporting in the EU. Cyber security incidents often affect millions of citizens, businesses and consumers (e.g., in 2012 millions of business network passwords were exposed through hacking of LinkedIn; in 2011 due to a failure in the UK datacenter millions of users of BlackBerry across the EU and globally could not send or receive emails), but pursuant to the report these incidents are often not reported or even not detected.
Dr Marnix Dekker and Chris Karsberg, the report’s co-authors, argue: “Cyber incidents are most commonly kept secret when discovered, leaving customers and policymakers in the dark about frequency, impact and root causes.” (EU agency ENISA analyses cyber security legislation & spots implementation gaps; incidents remain undetected or not reported)
The study analyses the adopted EU measures on mandatory incident reporting from the Telecom package, e-Privacy Directive as well as the proposed e-ID regulation and the Data Protection reform, showing the differences and commonalities of their provisions and trying to create an overview of the EU cyber security strategy (see: roadmap). Areas for improvement have been identified in the paper, as well. Hopefully, new measures developed by the ENISA, like an incident reporting format will help national regulators to overcome the lack of transparency and increase the amount of information about these incidents. Harmonisaton of these issues is crucial, taking into account that often cyber security incidents taking place in one country impact citizens in other Member States.