In recent years, a number of EU Member States recognized the need to prevent cyber security incidents and started, for example, voluntary or mandatory incident reporting schemes to create more transparency about such incidents. In these countries the focus was often on the vital infrastructure of the digital society: the electronic communication networks and services.

Not all EU countries adopted legislation on security measures and incident reporting, and there were big differences between the national approaches. This had two main disadvantages:

  • Cyber security incidents in one country may well have an impact across national borders. The DigiNotar incident shows how national incidents can have a cross-border impact. This means that to improve security across the EU, all countries should agree on common principles.
  • Furthermore, service providers often operate across EU countries, especially telecom companies and internet service providers. It is cumbersome for these providers to have to adapt their systems to different national requirements. Harmonized legislation across the EU avoids digital borders and allows for a level playing field for providers across the EU market.

To address these issues, the European Commission (EC), have been working together on common EU-wide legislation, with the objective of consistency and harmonization across the EU.

The following areas are currently regulated by the European Commission, in terms of security measures, breach notification and incident reporting:

  • Mandatory incident reporting in the telecom sector (Art. 13a Telecom Framework Directive)
  • Mandatory incident reporting for trust service providers (Art. 19 eIDAS regulation)


For more information please contact: resilience [at] enisa [dot] europa [dot] eu.
