- From: Georg Philip Krog <georg@signatu.com>
- Date: Mon, 3 Jul 2023 10:39:39 +0200
- To: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
- Message-ID: <CAPOUEwkzKyK6NTRnVO_43GNHkBr=4rNLHQjbeCKki=2_anBc9Q@mail.gmail.com>
Dear all,
In DPVCG, we build support for data breach notifications.
I propose we also build support for incident notifications in NIS2
Directive and DORA.
These are the incident notification types:
NIS2
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555
NIS2 notification types:
1. Early incident warning (NIS2 Preamble 102, Art 23.4(a)) => shall
indicate whether the significant incident is suspected of being caused by
unlawful or malicious acts or could have a cross-border impact
2. Incident notification (NIS2 Preamble 102, Art 23.4(b)) => shall update
the information referred to in Art 23.4(a) and indicate an initial
assessment of the significant incident, including its severity and impact,
as well as, where available, the indicators of compromise
3. Intermediate report (NIS2 Preamble 102, Art 23.4(c)) => shall update
relevant status (upon the request of a CSIRT)
4. Final report (NIS2 Preamble 102, Art 23.4(d)) => shall include the
following:
   (i) a detailed description of the incident, including its severity
   and impact;
   (ii) the type of threat or root cause that is likely to have
   triggered the incident;
   (iii) applied and ongoing mitigation measures;
   (iv) where applicable, the cross-border impact of the incident
5. Progress report (NIS2 Preamble 102, Art 23.4(e)) => in the event of an
ongoing incident at the time of the submission of the final report referred
to in Art 23.4(d), Member States shall ensure that entities concerned
provide a progress report at that time and a final report within one month
of their handling of the incident.
NIS2 Art 6(6) definition of ‘incident’:
For the purposes of this Directive, the following definitions apply:
‘incident’ means an event compromising the availability, authenticity,
integrity or confidentiality of stored, transmitted or processed data or
of the services offered by, or accessible via, network and information
systems;
-----
DORA
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
DORA Art 3(8) and 3(9) definitions of ‘incident’:
For the purposes of this Regulation, the following definitions shall apply:
(8) ‘ICT-related incident’ means a single event or a series of linked
events unplanned by the financial entity that compromises the security of
the network and information systems, and have an adverse impact on the
availability, authenticity, integrity or confidentiality of data, or on the
services provided by the financial entity;
(9) ‘operational or security payment-related incident’ means a single event
or a series of linked events unplanned by the financial entities referred
to in Article 2(1), points (a) to (d), whether ICT-related or not, that has
an adverse impact on the availability, authenticity, integrity or
confidentiality of payment-related data, or on the payment-related services
provided by the financial entity;
DORA notification types:
1. Initial notification (DORA Art 19.4(a))
2. Intermediate report (DORA Art 19.4(b)) => after the initial notification
referred to in Art 19.4(a), as soon as the status of the original incident
has changed significantly or the handling of the major ICT-related incident
has changed based on new information available
3. Updated notifications (DORA Art 19.4(b)) => every time a relevant status
update is available, as well as upon a specific request of the competent
authority
4. Final report (DORA Art 19.4(a)) => when the root cause analysis has been
completed, regardless of whether mitigation measures have already been
implemented, and when the actual impact figures are available to replace
estimates
Best regards,
--
Georg Philip Krog
signatu <https://signatu.com>
Received on Monday, 3 July 2023 08:40:28 UTC