US, EU collaborate on comparative analysis of cyber incident reporting for critical infrastructure

The U.S. Department of Homeland Security (DHS) and the European Commission’s Directorate General for Communications, Networks, Content, and Technology (DG CONNECT) announced this week a comparison of cyber incident reporting elements. The effort aims to shape cyber incident reporting requirements for the U.S. and the European Union (EU) under the NIS 2 Directive. 

The collaborative effort between the U.S. and EU strengthens their commitment to safeguarding their citizens, critical infrastructure, and businesses from harmful cyber activities. The initiative involves analyzing the similarities and differences between the recommendations in the DHS Report on Harmonization of Cyber Incident Reporting to the federal government and the cybersecurity incident reporting framework outlined in the NIS 2 Directive in the EU.

To inform the ongoing implementation of CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) and the NIS 2 Directive by the respective authorities and to support entities active in multiple jurisdictions in their efforts to respond to cyber incidents, DHS and DG CONNECT are publishing the present joint report that identifies the main similarities and divergences in the DHS Report’s recommendations and the NIS 2 Directive.

The collaborative report crafted by DHS and DG CONNECT, with backing from their cybersecurity agencies, the Cybersecurity and Infrastructure Security Agency (CISA) and the European Agency for Cybersecurity (ENISA), offers a comprehensive evaluation and factual summary of recommendations from the U.S. Cyber Incident Reporting Council, the 2023 DHS report on Harmonization of Cyber Incident Reporting to the Federal Government, and the EU’s Directive 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive). This analysis identifies key similarities and differences between the guidelines.

The findings in this report will help inform DHS and DG CONNECT’s approach to evaluating cyber incident reporting processes in the future. The report identifies six main areas for comparative analysis between the DHS Report and the EU Directive: definitions and reporting thresholds; timelines, triggers, and types of cyber incident reporting; contents of cyber incident reports; reporting mechanisms; aggregation of incident data; and public disclosure of cyber incident information.

The initiative also aligns with the 2024 Joint Statement between Secretary of Homeland Security Alejandro N. Mayorkas and European Commissioner for Internal Market Thierry Breton. The move marks the beginning of a process to align transatlantic cyber incident reporting where feasible. DHS and DG CONNECT invite industries from both the U.S. and EU to share their input and reactions to the collaboration and approach to evaluating cyber incident reporting processes.

“Cyber incidents do not recognize borders and multinational companies are often required to report incidents across numerous jurisdictions,” Robert Silvers, DHS Under Secretary for Policy and Chair of the Cyber Incident Reporting Council, said in a media statement. “We are committed to harmonizing incident reporting rules domestically and with like-minded partners like the European Union whenever feasible. Our approach will allow governmental authorities to get the information they need to provide cyber defense while streamlining the process for victim organizations.”

“Across the Atlantic, we seek to work together to compare relevant reporting requirements, including the form or format of information requested, seeking ways to minimize the administrative burden on reporting entities,” said Roberto Viola, EC Director-General for Communications Networks, Content and Technology.

“Over the next year, our teams plan to continue our cooperation on a more technical level, including by mapping elements such as cybersecurity incident taxonomies, reporting templates, and the content of reports and formats,” according to Iranga Kahangama, DHS Assistant Secretary for Cyber, Infrastructure, Risk and Resilience. “We will conduct an in-depth crosswalk of the DHS-developed Model Reporting Form against the NIS 2 required contents of reports to identify where there is overlap and disparities in the types of data being requested. As we continue these efforts moving forward, we must remain agile and adapt to the quickly evolving cyber threat landscape as nothing remains static in our digital world for long.”

The report detailed that the DHS Report and NIS 2 use different language to define what is, or would be, a reportable cyber incident, or otherwise to describe the threshold of what is reportable. The NIS 2 Directive requires entities to report ‘significant incidents,’ while the DHS Report uses the term ‘reportable cyber incidents.’ Although the definitions differ, there are several commonalities across the DHS Report and NIS 2 definitions.

For example, both definitions of an incident include criteria related to the Confidentiality, Integrity, and Availability (CIA) triad or operational disruption of services. 

When it comes to triggers and types of cyber incident reporting, the NIS 2-defined ‘early warning’ and ‘incident notification’ reports could be compared to the DHS Report’s suggested ‘initial incident report,’ which the DHS Report recommends generally be required within 72 hours. However, under NIS 2, the ‘early warning’ must be submitted within 24 hours. Separately, the intermediate report, which NIS 2 requires only when a CSIRT or competent authority requests it, is comparable to the DHS Report’s suggested ‘supplemental’ and ‘incident update’ reports, which serve to make the initial report more complete or to correct information that has already been submitted.

The content of incident reports across both documents appears comparable at a thematic level. The DHS Report offers recommendations for how to align the content of cyber incident reports and to move toward a model reporting form or common data elements wherever practicable. NIS 2 uses different terminology for the types of reports, but the two frameworks show approximate parallels.

A variety of reporting mechanisms are used by governing institutions in the U.S., the EU, and the Member States. These include web forms, web portals, secure file transmission systems, and forms submitted via email. Other mechanisms include email messages, postal mail, fax, or phone communications that receive cyber incident reports in narrative form without any required format.

While the DHS Report recommends the adoption of a model reporting form or ‘common data elements’ to harmonize reporting requirements and reduce the burden on regulated entities, it also recommends assessing the feasibility of developing a single portal to receive incident reporting. The NIS 2 Directive recommends that EU member states use technical means such as a single entry point, automated systems, online forms, user-friendly interfaces, templates, and dedicated platforms for the use of entities. The NIS 2 Directive specifies that the Commission may adopt implementing acts further specifying the type of information, the format, and the procedure of a notification submitted.

On public disclosure of cyber incident information, NIS 2 allows EU Member States’ authorities or CSIRTs to inform the public of a significant incident, or to require the entities concerned to do so, where public awareness is necessary to prevent a significant incident or to deal with an ongoing one. The DHS Report notes that most existing laws and regulations requiring public disclosure of certain types of cyber incidents allow a covered entity to delay disclosure at the request of an appropriate law enforcement official who has determined that the disclosure could impede a criminal investigation or cause damage to public safety or national security.

Accordingly, the DHS Report recommends a model provision geared towards protecting ongoing criminal investigations or preventing disclosure of incidents that pose a significant risk to public safety, national security, or critical infrastructure. It also specifically names the Attorney General, the Secretary of Homeland Security, or other appropriate law enforcement officials as the officials who can delay public disclosure under appropriate circumstances.

When comparing the NIS 2 Directive and the DHS Report, the joint report identifies several key areas of divergence or commonality. On definitions and reporting thresholds, the Directive and the Report use different language to define reportable cyber incidents or otherwise describe the threshold of what is reportable. Similarly, on timelines, triggers, and types of cyber incident reporting, the two documents set out different timelines and triggers for notifications.

Nevertheless, on the contents of cyber incident reports, the report finds that the content of incident reports across both documents appears comparable at a thematic level. Similarly, on reporting mechanisms, both documents seek to reduce unnecessary complications or technical difficulties entities may encounter when trying to file a report.

On aggregation of incident data, the report outlines the (recommended or actual) requirements for including aggregated and anonymized incident data in reports under the NIS 2 Directive; the DHS Report acknowledges that such inclusion may be beneficial, but the inclusion of similarly aggregated data was not among the recommendations it issued. Finally, on public disclosure of cyber incident information, the report details the similarities and differences in each document’s provisions for public disclosure of certain cyber incidents.
