External cybersecurity incident reporting for resilience

Abstract

Reporting cybersecurity incidents to external authorities is a relatively new requirement mandated by several complex and multi-layered laws. It is non-trivial, however, to determine what constitutes a reportable incident, the reporting timeframe, the report recipients, and which data to include in the report, as these vary by country, organizational size and industry sector. This research aims to help organizations navigate the various external cybersecurity incident reporting (ECIR) requirements, both to help them avoid penalties and to support international cybersecurity efforts. It focuses on EU and Swedish legal acts and addresses which EU and Swedish laws govern the external incident reporting requirements of organizations located in Sweden, including the details of reportable incidents, report contents, recipients and timeframes. A survey research strategy based on document analysis was used to synthesize the regulatory landscape for ECIR. Sixteen laws were found to govern ECIR within Sweden: nine at the EU level and seven at the Swedish level (plus three pending at the Swedish level). The answers to the research questions are presented along with a discussion of the complexity of the legislation and of double-reporting. Further research avenues are suggested.

Citation (APA)

Andreasson, A., & Fallen, N. (2018). External cybersecurity incident reporting for resilience. In Lecture Notes in Business Information Processing (Vol. 330, pp. 3–17). Springer Verlag. https://doi.org/10.1007/978-3-319-99951-7_1