Mandatory cybersecurity breach reporting is a cornerstone of European Union cybersecurity legislation. Breach reporting is important not only for the public but also for national authorities: it supports their supervision tasks and helps them understand cybersecurity trends, cross-cutting issues, and weaknesses in the sector without having to rely only on media reports, which may not always give a balanced view.

In the EU there are several different breach reporting laws in place. In 2018, the EU Directive on Security of Network and Information Systems (the NIS Directive) came into force, introducing cybersecurity incident notification rules for operators of essential services in a wide range of critical sectors, such as energy and transport, finance and health.

Before the NIS Directive, there were already breach reporting rules in place for telecom providers (under the Telecom Framework directive) and trust service providers (under the eIDAS regulation). There are also breach reporting rules for payment service providers (under the payment service directive), manufacturers of medical devices (under the medical device regulation), and for data controllers under the General Data Protection Regulation (GDPR). 

  • Telecom security breach reporting: Since 2010 ENISA has been supporting the EU telecom security authorities with the implementation of EU-wide telecom breach reporting, under Article 13a of the Framework directive. ENISA develops procedures, templates, tooling and analysis and publishes an annual report - see Cybersecurity incident reporting in the Telecom sector.
  • Trust services security breach reporting: Since 2016 ENISA has been supporting supervisory bodies for EU trust services with cybersecurity breach reporting under Article 19 of the eIDAS regulation. ENISA develops procedures, templates, tooling and analysis and publishes an annual report - see Cybersecurity incident reporting in the Telecom sector.
  • NIS Directive breach reporting: ENISA is providing guidance and support to the Commission and the EU Member States on the implementation of cybersecurity breach reporting under the NIS Directive.
  • CIRAS Visual tool: ENISA publishes anonymized and aggregated data from the telecom security incident reporting and the trust services security incident reporting in a visual tool.
