
The duty to report

Created: 2023-03-14 09:52:33

With the arrival of the NIS2 Directive, the duty to report, which already existed under the original NIS Directive, is fleshed out alongside the duty of care.

The first NIS Directive introduced a duty to report incidents that have a significant impact on the continuity of the service provided. The Directive defines an incident as “any event having an actual adverse effect on the security of network and information systems”, and security as “the ability of network and information systems to withstand, with a certain degree of reliability, actions that affect the availability, integrity, confidentiality and authenticity of those systems”. To assess whether an incident has a significant impact, the Directive lists several parameters to be considered, including the number of users affected, the duration of the incident, and the size of the geographical area affected by it. If an incident appears to have a significant impact on the continuity of the service that an operator or service provider delivers, it must be reported without undue delay to the national Computer Security Incident Response Team (CSIRT) or to the competent authority designated by the Member State. The report must contain enough information to enable the competent authority or the CSIRT to determine whether the incident has a cross-border impact.

The notifications
The NIS2 Directive provides for a “two-stage approach” to incident reporting. The first notification aims to limit the potential spread of an incident and allows the affected entity to ask for support; it is focused on handling the incident itself. The second, more detailed report is meant to ensure that lessons can be learned from the incident, although further clarification may still be needed before the incident and its consequences can be fully assessed. Beyond the individual case, this reporting is also intended to gradually improve the resilience of individual companies and of entire sectors against cyber threats.

1. First notification — Without undue delay and in any event within 24 hours of becoming aware of the incident, the entity must send an early warning to the competent authority or the nationally designated CSIRT, indicating, where possible, whether the incident is suspected to have been caused by an unlawful or malicious act and whether it could have a cross-border impact. Only the strictly necessary information is required at this stage. Within 72 hours of becoming aware of the incident, the entity must follow up with an incident notification that updates the early warning and gives an initial assessment of the incident, its severity and impact and, where available, the indicators of compromise. In response, the CSIRT or competent authority provides guidance on implementing possible mitigation measures and, on request, additional technical support. If the incident is suspected to be of a criminal nature, the entity also receives guidance on reporting it to law enforcement authorities.

2. Final notification — Not later than one month after the 72-hour incident notification, a final report must be submitted containing (i) a detailed description of the incident, including its severity and impact, (ii) the type of threat or root cause that most likely triggered the incident, (iii) the mitigation measures applied and still ongoing, and (iv) where applicable, the cross-border impact of the incident. If the incident is still ongoing at that point, the entity submits a progress report instead and delivers the final report within one month of having handled the incident.

Significant cyber threats

The NIS2 Directive keeps the obligation to report incidents with significant consequences and extends the regime to cyber threats: entities must inform the recipients of their services who may be affected by a significant cyber threat of the measures or remedies those recipients can take in response, and they may additionally notify the CSIRT or competent authority of significant cyber threats they identify that could lead to a significant incident (the final text of the Directive makes such threat notifications voluntary rather than mandatory). The terms “cybersecurity” and “cyber threat” follow the definitions laid down in the Cybersecurity Act, the Regulation on ENISA (the European Union Agency for Cybersecurity) and on the cybersecurity certification of information and communication technology. That regulation defines cybersecurity as “the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats”, and a cyber threat as any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, their users or other persons. An incident is considered significant if it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Voluntary notifications

Entities outside the scope of the NIS2 Directive may voluntarily report significant incidents, cyber threats or near misses; entities within scope may likewise volunteer reports of incidents, threats and near misses that fall outside the mandatory duty. The competent authority or CSIRT processes such reports following the same two-stage procedure, although it may give priority to mandatory notifications. Voluntary reporting must not result in any additional obligations: an entity that submits a voluntary notification may not be subjected to obligations it would not have had if it had not submitted it.

About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.