European Union Agency for Network and Information Security (ENISA) publishes Guidelines on Incident Notification for Digital Service Providers (DSPs)

ENISA has published comprehensive Guidelines on how to implement incident notification requirements for DSPs, in the context of the Network and Information Security Directive (NIS Directive).

ENISA says that the EU’s first mandatory incident notification requirements for DSPs, as part of the first EU-wide set of rules on cyber-security, are a “major step towards achieving a common level of cyber-security across the Union”.

ENISA’s comprehensive technical Guidelines support stakeholders in addressing mandatory incident notification for DSPs in the context of the NIS Directive. Based on the requirements of the Directive and valuable input from Member States and DSPs directly impacted by the Directive, the Guidelines cover the following topics:

  • identifying types of incidents to be reported;
  • definitions and clarifications on parameters and thresholds;
  • defining substantial incidents;
  • description of the incident reporting process and the stakeholders involved;
  • cross-border sharing of incidents; and
  • identification of DSPs.
