Previous parts of this series have focused on entities and their obligations under the new draft Cybersecurity Act. This time we will discuss how cyber security incidents should be reported and managed under the draft law.
Cyber security incident reporting and management
The obligation to report and manage cyber security incidents will apply within the same timeframe as the other obligations, i.e. no later than 1 year from the delivery of the registration decision.
A provider under the higher obligations regime will have to report to the NUCIB all cyber security incidents where intentional culpability cannot be excluded. A provider under the lower obligations regime will report to the National CERT only those incidents that have a significant impact and for which intentional culpability cannot be excluded. In both cases, reports will be made via the NUCIB Portal.
How to report incidents?
- Initial report – to be made without undue delay and within 24 hours at the latest; it should include identifying details, basic information about the incident, and whether the incident may have been caused by unlawful interference or could have a cross-border impact.
- In the case of a provider in the higher obligations regime, which reports all incidents, the NUCIB will indicate whether the incident has a significant impact. If it does not, this step ends the process.
- Notification – submitted by the provider within 72 hours; it updates the initial report with an initial assessment of the incident, its impact, and indicators of compromise.
- Interim report – submitted by the provider at the request of the NUCIB or the National CERT; it describes significant changes in the status of incident management.
- Final incident resolution report – to be submitted within 30 days of the notification.
- If the incident is still ongoing after this 30-day period, the provider instead submits an interim report on the current status of incident management, and then submits the final report within 30 days of the date the incident is resolved.
Incident management
The National CERT or the NUCIB shall issue a statement on the incident without undue delay. The provider will be obliged to provide the necessary information and cooperation. Upon request, the NUCIB shall provide methodological or technical support for the management of the incident.
The provider will also be obliged to keep records of data on cyber security incidents, events, threats and vulnerabilities.
Countermeasures
The NUCIB may propose appropriate countermeasures in relation to cyber security incidents, events, threats and vulnerabilities:
- alert = informing the public about an incident or about a breach of an obligation under the Cybersecurity Act, issued by the NUCIB or by the provider,
- warning = issued by the NUCIB in the event of a serious threat or vulnerability,
- reactive countermeasures = to be carried out by the provider at the request of the NUCIB.
The bill is currently in its first reading in the Chamber of Deputies.
If you would like more information in this regard, please do not hesitate to contact us.
This article is for informational purposes only and does not constitute legal advice or guidance for any particular case.
