Looking to better align approaches to cyber incidents on both sides of the Atlantic, the U.S. Department of Homeland Security (DHS) and the European Commission's Directorate-General for Communications Networks, Content and Technology (DG CONNECT) recently launched a new comparison initiative.
Under the initiative, the two bodies compared the elements of their cyber incident reporting regimes to better inform the reporting requirements set by the United States and the European Union (EU).
“Cyber incidents do not recognize borders, and multinational companies are often required to report incidents across numerous jurisdictions,” Robert Silvers, DHS Under Secretary for Policy and Chair of the Cyber Incident Reporting Council, said. “We are committed to harmonizing incident reporting rules domestically and with like-minded partners like the European Union whenever feasible. Our approach will allow governmental authorities to get the information they need to provide cyber defense while streamlining the process for victim organizations.”
To begin this relationship, the pair produced a joint report with support from their respective cybersecurity agencies, the Cybersecurity and Infrastructure Security Agency (CISA) and the European Union Agency for Cybersecurity (ENISA). The report assessed the reporting requirements on both sides to identify their main similarities and differences, grouping the comparison into six areas:
- Definitions and reporting thresholds
- Timelines, triggers, and types of cyber incident reporting
- Contents of cyber incident reports
- Reporting mechanisms
- Aggregation of incident data
- Public disclosure of cyber incident information
The U.S. side of this effort grew out of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law by President Joe Biden in 2022. CIRCIA established the Cyber Incident Reporting Council under DHS, which has outlined actions the government can take to streamline and harmonize the reporting of cyber incidents while protecting critical infrastructure.
That push has been echoed in Europe in recent years.
“Across the Atlantic, we seek to work together to compare relevant reporting requirements, including the form or format of information requested, seeking ways to minimize the administrative burden on reporting entities,” Roberto Viola, EC Director-General for Communications Networks, Content and Technology, said.
The two sides have invited private industry to share its input and reactions on the collaboration and on their ongoing approach to evaluating cyber incident reporting processes. This is, however, only the beginning.
“Over the next year, our teams plan to continue our cooperation on a more technical level, including by mapping elements such as cybersecurity incident taxonomies, reporting templates, and the content of reports and formats,” Iranga Kahangama, DHS Assistant Secretary for Cyber, Infrastructure, Risk and Resilience, said. “We will conduct an in-depth crosswalk of the DHS-developed Model Reporting Form against the NIS 2 required contents of reports to identify where there are overlaps and disparities in the types of data being requested. As we continue these efforts moving forward, we must remain agile and adapt to the quickly evolving cyber threat landscape, as nothing remains static in our digital world for long.”