
Understanding Incident Reporting Under the NIS2 Directive: Key Insights for Managed Service Providers and Managed Security Service Providers

Incident reporting is a crucial component of cybersecurity and operational resilience across the European Union. Under Article 23 of the NIS2 Directive, entities falling within its scope must report “significant incidents” to their CSIRT (Computer Security Incident Response Team) or, where applicable, the relevant competent authority without undue delay. In Ireland, the NCSC, which encompasses the National/Governmental Computer Security Incident Response Team (CSIRT-IE), is the main contact point for incident reporting under the NIS2 Directive and serves as the National Competent Authority.

 
Defining a ‘Significant Incident’

For organizations in the sectors of ICT Service Management, Digital Infrastructure, and Digital Providers, including Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs), understanding what qualifies as a “significant incident” is crucial for compliance with the NIS2 Directive. This key legislative framework within the European Union offers a broad definition of an “incident” under Article 6(6). According to this article, an incident is defined as “any event that compromises the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data, or the services offered by, or accessible via, network and information systems.”

Article 23(3) further clarifies that an incident is considered significant if it: (a) has caused, or is capable of causing, severe operational disruption of services or financial loss for the entity concerned; or (b) has affected, or is capable of affecting, other natural or legal persons by causing considerable material or non-material damage.

While the NIS2 Directive sets out these general criteria, it does not give concrete thresholds for when an incident becomes “significant”. This gap is addressed by the draft implementing regulation published for feedback on June 27, 2024, which details the criteria an organization can use to assess whether an incident must be reported. Although this regulation, covering sectors such as ICT Service Management (Business-to-Business), Digital Infrastructure, and Digital Providers, is still in draft form, it is scheduled to take effect on October 18, 2024.

 
Criteria for a Significant Incident under the Proposed Draft Implementing Regulation

According to Article 3 of the draft implementing regulation, an incident is considered significant if it meets one or more of the following conditions:

  1. Financial Loss: The incident has caused, or is capable of causing, financial losses exceeding EUR 100,000 or 5% of the entity’s total annual turnover, whichever is lower.
  2. Reputational Damage: The incident has caused, or could cause, considerable reputational damage, for example media coverage, user complaints, failure to meet regulatory requirements, or a loss of customers that materially impacts the business.
  3. Exfiltration of Trade Secrets: Unauthorized access to, and potential exfiltration of, trade secrets as defined in Directive (EU) 2016/943.
  4. Impact on Human Life and Health: The incident has resulted in, or could result in, the death of a person or considerable damage to a person’s health.
  5. Unauthorized Access: A successful, and suspectedly malicious, unauthorized access to network and information systems.
  6. Recurring Incidents: Incidents that are not individually significant are treated collectively as one significant incident when they occur at least twice within six months and share the same apparent root cause.
  7. Sector-Specific Criteria: The regulation also sets additional criteria for individual sub-sectors, including MSPs and MSSPs, which must be considered alongside the general criteria when determining the significance of an incident (see Table 1).

 

Table 1. Sector-Specific Criteria for a Significant Incident under the Draft Implementing Regulation for Managed Service Providers and Managed Security Service Providers

Sector: Managed Service Providers and Managed Security Service Providers

Criteria for a significant incident (one or more of the following):

  • The managed service is completely unavailable for more than 10 minutes.
  • The agreed service level is not met for more than 5% of users, or for more than 1 million users, for more than 1 hour.
  • Where no service level agreement exists, the availability of the service is impacted.
  • The integrity, confidentiality or authenticity of data is compromised as a result of malicious action, or the compromise affects more than 5% of users.
 
Exclusions and Special Considerations

Planned maintenance-related service downtimes are not considered significant incidents. This distinction separates routine service interruptions from genuine security or operational failures that require reporting.

 
Who Needs to Be Notified?

Entities affected by significant incidents under the criteria above must notify their CSIRT or, where applicable, the relevant competent authority. Where appropriate, they must also notify the recipients of their services of significant incidents that are likely to adversely affect the provision of those services (Article 23(1)) and, where applicable, communicate to recipients potentially affected by a significant cyber threat any measures or remedies those recipients can take in response, informing them of the threat itself where appropriate (Article 23(2)).

 
How to Report a Significant Incident

All relevant entities must submit the following reports to the CSIRT or competent authority:

  1. An early warning within 24 hours of becoming aware of the significant incident, indicating, where applicable, whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.
  2. An incident notification within 72 hours of becoming aware of the significant incident, updating the information provided in the early warning and giving an initial assessment of the incident, including its severity and impact and, where available, the indicators of compromise.
  3. An intermediate report, on request of the CSIRT or competent authority, providing relevant status updates.
  4. A final report no later than one month after submission of the incident notification, containing a detailed description of the incident, including its severity and impact; the type of threat or root cause that likely triggered it; the mitigation measures applied and ongoing; and, where applicable, the cross-border impact of the incident.

Note that both clocks start when the entity becomes aware of the incident, not when it is fully understood, so the early warning will normally be filed before the investigation is complete.

If the incident is still ongoing when the final report would be due, the entity submits a progress report at that point instead, and the final report within one month of its handling of the incident.

 
How Centripetal Supports Compliance with Incident Reporting Requirements

Centripetal helps organizations reduce the frequency of incidents and the need for extensive reporting through our CleanINTERNET® solution. By offering a robust network security solution and proactive monitoring, we address Recitals 10 and 16 of the draft implementing regulation. Our solution not only enhances threat detection, including defense against network-based attacks like DDoS, but also supports incident reporting. In the event of an incident, Centripetal aids in comprehensive reporting by supplying detailed logs, data, and expert analyses of your organization’s network traffic.

 
Advanced Threat Detection and Reporting

CleanINTERNET® employs deep packet inspection and behavioral analysis to detect and investigate complex threats at the perimeter of your entity’s network. It delivers a thorough overview of inbound and outbound threats and supplies the detailed logs and data needed for accurate incident reporting.

 
Augmented Human Analysis

Our Security Operations team, supported by our AI Analyst, delivers in-depth reports on security alerts, combining human expertise with advanced technology for thorough incident evaluation. CleanINTERNET® enhances the analysis and contextual understanding of security events, including whether alerts were blocked or monitored, relevant threat intelligence, and a timeline of activity.

 
Key Benefits of CleanINTERNET®
  • Proactive Threat Detection: CleanINTERNET® provides real-time, automated protection using over 100 billion indicators of compromise, so that known threats are identified and blocked at the perimeter before they reach internal systems, reducing the number of events that escalate into reportable incidents.
  • Actionable Threat Intelligence: The solution integrates the largest collection of high-confidence threat intelligence, updated every 15 minutes. This continuous feed of actionable intelligence helps organizations stay ahead of potential incidents and provides crucial details for accurate and timely reporting.
  • Real-Time Enforcement: CleanINTERNET® utilizes the fastest packet filtering technology, with latency of less than 50 microseconds, to dynamically block threats. This real-time enforcement reduces the number of incidents requiring reports by preventing malicious activities from reaching your network.

 

Centripetal not only secures your network, minimizes incidents, and optimizes IT resource management but also supports the incident reporting process. Blocking at the perimeter does not remove the obligation to report an incident that nonetheless meets the significance criteria, so the logs, timelines, and expert insights the platform produces matter as much as the blocks themselves: they give organizations the evidence needed to prepare comprehensive reports for the CSIRT or competent authority within the 24-hour, 72-hour, and one-month windows. This approach streamlines your path to NIS2 compliance, reduces operational burdens, and allows your organization to focus on core objectives.
