A comparison between incident report contents

Introduction

Directive (EU) 2016/1148 (NIS) requires that member states ensure that operators of essential services and digital service providers notify, without undue delay, the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide, or of any incident having a substantial impact on the provision of an online marketplace, an online search engine or a cloud computing service (Articles 14 and 16).

The NIS does not specifically define the minimum information to be attached to these incident notifications, but rather requires that “Notifications shall include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident.”

To further support the fulfilment of this requirement by the member states, the NIS Cooperation Group published the following documents related to incidents: 

  • Cybersecurity incident taxonomy
  • Guidelines on notification of Operators of Essential Services incidents (formats and procedures)
  • Guidelines on notification of Digital Service Providers incidents (formats and procedures)
  • Reference document on incident notification for Operators of Essential Services (circumstances of notification)

These documents provide details on the procedures that could be followed for reporting a cybersecurity incident by operators and organizations within the scope of NIS.

Each member state has incorporated these requirements and guidelines, as needed, into its national legislation, templates or guidelines on incident reporting.

For example:

  • Decision 39/2022 of the Digital Authority of Cyprus, on the notification of incidents. 
  • Ministerial Decree 1027/2019 of the Greek Government.
  • Guía Nacional de Notificación y Gestión De Ciberincidentes, approved by the Consejo Nacional de Ciberseguridad on 21 February 2020, Spain.
  • Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz, Germany
  • NIS Compliance guidelines for operators of essential services, National Cyber Security Centre, Ireland. 

Analysis

Since there is a variety of documents available regarding incident reporting under the NIS, the project team decided to investigate the commonalities and differences between a sample of these documents. 

Specifically, the analysis involved the comparison between:

Two relevant standards:

  • ISO/IEC 27035-2:2023(en). Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response
  • CEN/CENELEC CWA 18024 – Emergency management – Incident situational reporting for critical infrastructures (08/2023)

Two legislative documents:

  • Decision 39/2022 of the Digital Authority of Cyprus, on the notification of incidents. 
  • Ministerial Decree 1027/2019 of the Greek Government.

Two guidelines:

  • Guía Nacional de Notificación y Gestión De Ciberincidentes, approved by the Consejo Nacional de Ciberseguridad on 21 February 2020, Spain.
  • NIS Compliance guidelines for operators of essential services, National Cyber Security Centre, Ireland. 

One incident form template:

  • Incident report form by the National Cybersecurity Authority of Greece.

One incident reporting tool:

  • The LUCIA (Listado Unificado de Coordinacion de Incidentes y Amenazas) system of CCN-CERT Spain.

Results

  • The incident report is a living document. In all cases, either within the proposed template or as re-submissions of the same document, the organization experiencing a cybersecurity incident should document all stages of the incident from identification to resolution and lessons learned. 
  • ISO/IEC 27035-2 proposes that the following categories of information be included in the incident report: details on the reporting entity, details on the report itself, people involved in the incident (across its entire lifecycle), details on the incident (from the timeline to the impact and root cause), response details, resolution details, notification details, and the results of the post-incident review.
  • The following table shows which of these elements are present in each of the analyzed documents.
  • The legislative documents provide only high-level information on the type of information to be included in the incident report, whereas the templates, guidelines and tools request more specific and enhanced information on the incident. 
  • In all cases, the details of the incidents are provided.
  • On the other hand, details on the post-incident results are requested in only a minority of cases.
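As an added illustration (not part of the article or of any of the analyzed documents), the following Python models the two findings above: the report as a living document that is re-submitted in stages, and completeness measured against the eight ISO/IEC 27035-2 information categories. The category keys, stage names and sample contents are this example's own assumptions.

```python
# Category keys and stage names are this example's own; categories follow ISO/IEC 27035-2 as listed in the article.
CATEGORIES = (
    "reporting_entity", "report_details", "people_involved", "incident_details",
    "response_details", "resolution_details", "notification_details",
    "post_incident_review",
)
# Submission stages in order; the report is re-submitted as the incident progresses
STAGES = ("initial", "update", "final")

def merge_submissions(submissions):
    """Fold successive submissions of one report into its current view.
    Each submission is {"stage": str, "sections": {category: text}}; a later
    submission replaces a section's content and nothing is ever dropped."""
    merged, last = {}, None
    for sub in submissions:
        stage = sub["stage"]
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        if last is not None and STAGES.index(stage) < STAGES.index(last):
            raise ValueError(f"{stage!r} submitted after {last!r}")
        for cat, text in sub["sections"].items():
            if cat not in CATEGORIES:
                raise ValueError(f"unknown category {cat!r}")
            merged[cat] = text
        last = stage
    return last, merged

def missing_categories(merged):
    """Categories still without content, in ISO/IEC 27035-2 order."""
    return [c for c in CATEGORIES if not merged.get(c)]

def is_final_complete(submissions):
    """True only for a final report with all eight categories filled in."""
    stage, merged = merge_submissions(submissions)
    return stage == "final" and not missing_categories(merged)

# Constructed sample: initial notification, one update, then the final report
SAMPLE = [
    {"stage": "initial", "sections": {
        "reporting_entity": "Operator X (constructed)",
        "report_details": "initial notification, day 0",
        "incident_details": "ransomware on one billing host"}},
    {"stage": "update", "sections": {
        "people_involved": "CSIRT on-call, hosting vendor",
        "response_details": "host isolated, IOC sweep across segment",
        "notification_details": "competent authority notified"}},
    {"stage": "final", "sections": {
        "resolution_details": "host rebuilt, service restored",
        "post_incident_review": "backup restores now tested monthly"}},
]
```

Run `missing_categories(merge_submissions(SAMPLE[:1])[1])` to see which sections an initial notification still owes, and `is_final_complete(SAMPLE)` to confirm the post-incident review closes the report.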

The Phoeni2x project aims to provide Alerting, Reporting & Information Exchange mechanisms and processes enabling collaboration between private and public critical-sector actors at the national and European level, utilizing incident response playbooks with notification functionalities.

Chatzopoulou Argyro

APIROPLUS Solutions Ltd. 

Links

  1. https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=53646
  2. https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=53677
  3. https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=53675
  4. https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=53644
  5. https://www.iso.org/standard/78974.html
  6. https://www.cencenelec.eu/media/CEN-CENELEC/CWAs/RI/cwa18024.pdf
  7. https://dsa.cy/images/pdf-upload/Decision-39-2022.pdf
  8. https://mindigital.gr/wp-content/uploads/2020/01/3739B-19-1.pdf
  9. https://www.incibe.es/sites/default/files/contenidos/guias/doc/guia_nacional_notificacion_gestion_ciberincidentes.pdf
  10. https://www.ncsc.gov.ie/pdfs/NIS_Compliance_Security_Guidelines_for_OES.pdf
  11. https://mindigital.gr/wp-content/uploads/2020/01/Incident_Report.pdf
  12. https://loreto.ccn-cert.cni.es/index.php/s/oDMEEdtuVB4YeY2?path=%2FDocumentacion