Raising the alarm: a closer look at incident reporting under the General Scheme for the National Cyber Security Bill

In this article, we look at the incident reporting obligations that apply to in-scope entities under Head 15 of the Scheme, which largely mirrors Article 23 of NIS2.

Thu 17 Oct 2024

Incident reporting

This is our second article on the General Scheme of the National Cyber Security Bill (the Scheme), which will (once finalised) transpose the EU’s Network and Information Security Directive (EU) 2022/2555 (NIS2). In this article, we look at the incident reporting obligations that apply to in-scope entities under Head 15 of the Scheme, which largely mirrors Article 23 of NIS2.

Reporting threshold

In-scope entities must notify the National Cyber Security Centre (NCSC), as the designated computer security incident response team under the Scheme, without undue delay of any incident that has a ‘significant impact’ on the provision of their services (Head 15(1) of the Scheme). The Scheme provides that an incident will be considered ‘significant’ if it has caused or is capable of causing severe operational disruption or financial loss to the entity concerned, or if it has affected or is capable of affecting other persons by causing them considerable material or non-material damage.

What is a “significant impact”?

The European Commission has separately published a draft Implementing Regulation and Annex which set out a list of technical specifications and criteria for determining whether an incident should be considered as having a significant impact. The draft Implementing Regulation applies to certain services which fall within the scope of NIS2 (for example, cloud computing services, data centre services, providers of online marketplaces, online search engines and social networking services). The public consultation period for the draft Implementing Regulation closed in July, and we expect the final text to be adopted by the European Commission in the coming weeks.

Notably, the draft Implementing Regulation does not apply to providers of public electronic communication services (ECSs) which are within scope of NIS2. There has also been no indication from the European Commission that it intends to introduce a separate Implementing Regulation in respect of ECSs. Recital 95 of NIS2 appears instead to envisage ECSs assessing incidents against existing national guidelines adopted for the transposition of the European Electronic Communications Code (EECC) and/or guidelines developed by the European Union Agency for Cybersecurity.

Phased reporting

The reporting obligations under the Scheme apply on a phased basis.

  1. Early warning: In-scope entities must send an early warning notification to the NCSC without undue delay, and in any event within 24 hours of becoming aware of the significant incident. This notification will include details such as whether the incident could have a cross-border impact. (Head 15(6)(a) of the Scheme).
  2. Incident notification: In-scope entities must send an incident notification to the NCSC without undue delay, and in any event within 72 hours of becoming aware of the significant incident. This notification includes more detailed information such as an initial assessment of the incident, including its severity and impact. (Head 15(6)(b) of the Scheme).
  3. Final / progress report: In-scope entities must send a final report to the NCSC no later than one month after the submission of the incident notification. If an incident is ongoing at the time this report is due, in-scope entities must submit a progress report and follow-up one month later with a final report. (Head 15(6)(d) of the Scheme).

Service recipient notifications

Head 15(2) of the Scheme also provides that in-scope entities must notify, without undue delay, the recipients of their services of significant incidents that are ‘likely to adversely affect the provision of those services’. The Scheme is silent on the types of incidents that are likely to meet this threshold. There is also no commentary on this point in the European Commission’s draft Implementing Regulation.

Interplay with other regimes

Head 25 of the Scheme clarifies that where in-scope entities are required to notify significant incidents under sector-specific legislation (and where such obligations are at least equivalent to those under NIS2), the obligations under NIS2 will not apply to those entities. The European Commission guidelines on the interplay between NIS2 and sector-specific legislation recognise that the incident reporting provisions of the Digital Operational Resilience Act (Regulation (EU) 2022/2554) will take precedence over the equivalent provisions of NIS2 once both come into effect. The absence of any reference to the EECC in those guidelines suggests that the incident reporting requirements under that regime would not be given the same level of precedence over NIS2.

As a result, in-scope entities that are caught by the EECC will likely need to comply with the relevant reporting requirements in parallel. In practical terms, this means that some in-scope entities may need to assess an incident against multiple regimes (e.g. NIS2, EECC, GDPR, etc.) and potentially submit several incident reports; in some cases, this may involve reporting in multiple jurisdictions.

Practical steps

We set out below some practical steps that organisations should consider taking in order to prepare themselves for the NIS2 incident reporting requirements.

The transposition date for NIS2 was 17 October, which Ireland has now missed. The latest update we have received from the Joint Committee on Transport and Communications is that it is meeting on 17 October to discuss pre-legislative scrutiny of the Scheme, but we are likely still some time away from the Bill being in a final form. We expect the passing of the transposition date, and regulatory pressure from the EU, to push Ireland to move quickly in finalising the legislation.

For further information in relation to this topic, or if you would like assistance preparing for NIS2 incident reporting requirements, please contact Aideen Burke, partner, Eoghan O'Keeffe, knowledge consultant, Evan Doyle, associate or any member of ALG's Technology team.
