How organizations can master incident reporting obligations under NIS2 

The NIS2 directive is designed to strengthen the cyber resilience of an estimated 160,000-plus organizations that operate in the EU, whether directly or indirectly. Member states must transpose it into national law by 17 October 2024, and the resulting rules set out how essential and important entities are expected to manage the risk of increasingly sophisticated and frequent cyber attacks.

Notwithstanding delays in the implementation of local legislation, the directive itself already indicates the compliance obligations facing organizations that fall within its scope. Ultimately, NIS2 aims to reduce inconsistencies in cyber security resilience across the EU by giving national regulatory bodies a common baseline, a "single source of truth", against which to oversee how organizations implement increasingly stringent cybersecurity frameworks. As recent weeks have shown, such a common baseline matters most during large-scale cybersecurity incidents or crises.

As member states formulate and publish their national transpositions of NIS2, organizations must update their incident response plans to ensure they can comply with the new reporting requirements. While many member states are on track, some have acknowledged that they will miss the deadline. With October rapidly approaching, this leaves affected organizations uncertain about the exact national requirements they will need to meet, which in turn weakens their overall cybersecurity posture.

Organizations Need to be Clear on Incident Reporting Requirements  

Firstly, it is important to recognize that the directive applies to in-scope entities that provide their services or carry out their activities in the EU, even if they are headquartered outside it (Article 2); certain providers without an EU establishment must also designate a representative in the EU (Article 26). This significantly widens NIS2's reach and should alert CISOs and senior cybersecurity decision makers, if they are not already aware, to its wider implications and touchpoints.

When comparing the requirements of NIS2 to other regulations such as GDPR, there are clear similarities but also important differences. For instance: what does the directive define as an "incident", and which incidents must be reported? To whom does an incident need to be reported, and what time limits apply to each stage of the reporting process? These questions become even more complex for organizations operating under several regulatory regimes or in multiple jurisdictions.

Article 21 of NIS2 sets out a series of minimum cybersecurity risk-management measures that in-scope organizations are expected to implement, and member states are expected to incorporate these measures into national legislation. One of the listed measures is incident handling, which the directive defines (Article 6(8)) as "any actions and procedures aiming to prevent, detect, analyse, and contain or to respond to and recover from an incident."

Most large organizations, and many smaller ones, already have an incident response policy, however rudimentary. Any organization that does not should begin putting one in place as soon as possible.

Even organizations with a robust incident response plan might discover that it does not account for the stringent reporting requirements outlined in NIS2 (Article 23). A significant incident must be reported to the competent authority or CSIRT in stages: an early warning within 24 hours of becoming aware of it, indicating whether it is suspected to be malicious and whether it may have cross-border impact; an incident notification within 72 hours, with an initial assessment of severity and impact and, where available, indicators of compromise; intermediate updates on request; and a final report no later than one month after the incident notification (or, if the incident is still ongoing at that point, a progress report followed by a final report within a month of the incident being handled). Where appropriate, the recipients of the affected services must also be informed.

Defining a Cybersecurity Incident Under NIS2 Regulations 

The definition of an incident also warrants careful consideration. NIS2 defines an incident (Article 6(6)) as an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems. Only significant incidents trigger the reporting duty, and an incident is considered significant (Article 23(3)) if either: 

  • it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned; or 
  • it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. 

For organizations operating across multiple EU countries, ensuring that local incident response planning complies with the requirements of each jurisdiction adds another layer of complexity. 

Past experience with GDPR is instructive. Under the EU data privacy regulation, an organization must notify a personal data breach to the competent supervisory authority; for cross-border processing the one-stop-shop mechanism allows a lead supervisory authority to coordinate, but organizations without a main establishment in the EU can face each affected national data protection regulator separately. This becomes increasingly complex when data is shared across national boundaries for backup, operational resilience, and cloud processing.

Similar considerations will likely come into play when organizations plan their local strategies for implementing NIS2-compliant incident response measures. NIS2 generally places an entity under the jurisdiction of the member state in which it is established (Article 26), but national transpositions differ in detail, so reporting contacts, templates and thresholds should be verified for each jurisdiction in which the organization is established. National authorities will expect organizations not only to have compliant incident response policies and procedures but also to back them with effective playbooks.

Additionally, NIS2 requires policies and procedures to assess the effectiveness of cybersecurity risk-management measures (Article 21(2)(f)). In practice, that means regularly testing and rehearsing incident response provisions, including the reporting timeline, through tabletop exercises and other simulation activities.

A Culture of Proactive Security is Paramount 

Testing the effectiveness and operational viability of incident response plans before a real emergency arises goes beyond technical considerations. It also involves an organization's ability to effectively bring together relevant stakeholders to mount an effective response. 

Preparing an effective incident handling strategy also requires an organization to understand its infrastructure, digital assets, and data landscape. Organizations with effective endpoint tooling and up-to-date asset and data registers are better positioned to identify, collect, preserve, and analyze evidence after an incident, and to produce the impact assessment the 72-hour notification demands.

Moreover, such organizations are more capable of containing, eradicating, and recovering from an incident, as well as mitigating future risks through effective root cause analysis. Most organizations will need to carefully adjust their incident response planning to meet stricter reporting requirements.  

While incident response plans should adhere to best practices, it is crucial to tailor specific actions and strategies to the organization's structure, compliance obligations, data landscape, and operational needs.


Alisdair McLaughlin is Technical Solutions Architect at BlueVoyant

© 1998-2024 BetaNews, Inc. All Rights Reserved.