Refining the Mandatory Cybersecurity Incident Reporting Under the NIS Directive 2.0: Event Types and Reporting Processes

Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media, Springer Proceedings in Complexity (2023)

Abstract
The NIS Directive (NISD) and sector-specific cybersecurity regulations require the reporting of security incidents to supervisory authorities. Following the risk-based approach adopted in NISD 1.0, the European Commission's Proposal for an NISD 2.0 requires entities to report incidents that have caused, or have the potential to cause, substantial or considerable harm, as well as cyberthreats, to the competent national authorities so that those authorities can acquire a full picture of the threat landscape. The European Parliament strongly opposes any extension of reporting obligations beyond actual security incidents, whereas the European Council's compromise approach supports at least the mandatory reporting of incidents with the potential to cause significant harm. This paper outlines and analyses, from a legal perspective, the concepts used in the trilogue negotiation: 'significant incident', 'near miss' and 'cyberthreat'. It further addresses the distinct reporting processes and timelines that have been proposed. In view of the increased attack surface and threat scenario, the deficits of the NISD identified earlier are assessed against the mitigation measures contained in the NISD 2.0 Proposal.
Keywords
NIS Directive, Incident reporting, Cybersecurity, NISD 2.0 Proposal, Cyberthreats, Cyberresilience