Defining the reporting threshold for a cybersecurity incident under the NIS Directive and the NIS 2 Directive

Abstract

The NIS Directive and sector-specific cybersecurity regulations require the reporting of (security) incidents to supervisory authorities. Following the risk-based approach adopted in the NIS Directive, the NIS 2 Directive enlists as a basic security element the reporting of significant incidents that (i) have caused or (ii) are capable to cause harm, as well as (iii) notifying the service recipients of cyber threats. Although during the interinstitutional negotiations between the European Commission, the European Parliament, and the Council of the European there was consensus that the NIS Directive’s reporting framework needs to be reformed, views on the determination of what needs to be reported varied. This paper outlines and analyses the different concepts of a report-worthy significant incident that have been proposed during the legislative procedure for the NIS 2 Directive from a legal and policy perspective. Irrespective of further motives that may inhibit reporting, legal compliance is difficult to achieve where legal requirements are vague. In that regard, the difficulties to determine the reporting thresholds in the past and in the future are addressed. In consideration of the increased attack surface and threat scenario, it is argued that incidents where no harm has materialized should not be treated any different than incidents that have actually resulted in harm in order to acquire the envisaged full picture of the threat landscape and create value for business and society.