TLDR:
- The Federation of European Risk Management Associations (FERMA) is urging the EU to harmonize cyber incident reporting requirements ahead of new legislation.
- Upcoming legislation such as the NIS2 Directive, DORA, and the CRA each sets its own rules around incident reporting timelines and practices, adding to the complexity for organizations.
The EU has been urged by a leading risk managers' association to make cyber incident reporting requirements more consistent ahead of new legislation coming into force. FERMA emphasized the need for a streamlined and consistent set of requirements to ensure safe and secure reporting for organizations. The upcoming cybersecurity legislation in the EU, including the NIS2 Directive, DORA, and the CRA, along with existing legislation such as the GDPR, all impose incident reporting obligations that organizations need to comply with. Each piece of legislation sets different reporting timelines and practices, leading to a significant administrative burden and potential costs for businesses. FERMA highlights the importance of clarity so that organizations understand which reporting requirements apply to them and how they should respond.
The FERMA report warns about the impact of non-compliance with the various rules, including fines and sanctions that may not be covered by insurance policies. The association urges the European Commission to consider the insurance implications of future EU cyber legislation. Practical advice is provided in the report for risk managers on how to comply with the different incident reporting requirements. Overall, FERMA hopes that streamlining the reporting process will allow companies to focus more on assessing, managing, and responding to cyber risks.