ENISA publishes a comprehensive guideline on how to implement incident notification requirements for Digital Service Providers, in the context of the NIS Directive.
The EU’s first mandatory incident notification requirements for Digital Service Providers (DSPs), part of the first EU-wide set of rules on cyber-security, are a major step towards achieving a common level of cyber-security across the Union. ENISA’s comprehensive technical guideline supports stakeholders in addressing mandatory incident notification for DSPs in the context of the NIS Directive. Based on the requirements of the Directive and valuable input from Member States and DSPs directly impacted by the Directive, this guideline covers the following topics:
- identifying types of incidents to be reported
- definitions and clarifications on parameters and thresholds
- defining substantial incidents
- description of the incident reporting process and the stakeholders involved
- cross-border sharing of incidents
- identification of DSPs
This report represents an outline technical proposal used as input for the discussions regarding the implementation of Article 16 of the NIS Directive, concerning mandatory incident notification for DSPs.
The full report is available here