Re: Proposal to add incident notification

Hi Georg. Thanks for the research and proposals.

Undertaking this means taking on NIS2 and DORA within the scope of 
DPVCG. Even if we limit it to incident reports and notifications, it 
means modelling something additional with legal relevance. I will add 
this as an item to the agenda for this Thursday's meeting.

My thoughts:

In matters of security, NIS2 (even as a directive) is broader in 
considerations of security whereas GDPR data breach requirements are 
concerned with assessment and reporting obligations. Further, NIS2 
considers incidents on any data and any service whereas GDPR limits 
itself to involvement of personal data and its processing.

Ideally, we can look into deriving from the NIS2 a generic structure for 
security incidents that then becomes specialised into the GDPR's data 
breach concepts.

Regards,
Harsh

On 03/07/2023 09:39, Georg Philip Krog wrote:
> Dear all,
> 
> In DPVCG, we build support for data breach notifications.
> 
> I propose we also build support for incident notifications in NIS2 
> Directive and DORA.
> 
> These are the incident notification types:
> 
> NIS2
> 
> https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555
> 
> NIS2 notification types:
> 
> 1. Early incident warning (NIS2 Preamble 102, Art 23.4(a)) => shall
>    indicate whether the significant incident is suspected of being
>    caused by unlawful or malicious acts or could have a cross-border impact
> 
> 2. Incident notification (NIS2 Preamble 102, Art 23.4(b)) => shall
>    update the information referred to in Art 23.4(a) and indicate an
>    initial assessment of the significant incident, including its
>    severity and impact, as well as, where available, the indicators of
>    compromise
> 
> 3. Intermediate report (NIS2 Preamble 102, Art 23.4(c)) => shall update
>    relevant status (upon the request of a CSIRT)
> 
> 4. Final report (NIS2 Preamble 102, Art 23.4(d)) => shall include the
>    following:
>    (i) a detailed description of the incident, including its
>    severity and impact;
>    (ii) the type of threat or root cause that is likely to have
>    triggered the incident;
>    (iii) applied and ongoing mitigation measures;
>    (iv) where applicable, the cross-border impact of the incident
> 
> 5. Progress report (NIS2 Preamble 102, Art 23.4(e)) => in the event of
>    an ongoing incident at the time of the submission of the final
>    report referred to in Art 23.4(d), Member States shall ensure that
>    entities concerned provide a progress report at that time and a
>    final report within one month of their handling of the incident.
> 
> NIS2 Art 6(6) definition of ‘incident’:
> 
> For the purposes of this Directive, the following definitions apply:
> 
> ‘incident’ means an event compromising the availability, authenticity, 
> integrity or confidentiality of stored, transmitted or processed data 
> or of the services offered by, or accessible via, network and 
> information systems;
> 
> 
> -----
> 
> DORA
> 
> https://eur-lex.europa.eu/eli/reg/2022/2554/oj
> 
> DORA Art 3(8) and 3(9) definitions of ‘incident’:
> 
> For the purposes of this Regulation, the following definitions shall apply:
> 
> (8) ‘ICT-related incident’ means a single event or a series of linked 
> events unplanned by the financial entity that compromises the security 
> of the network and information systems, and have an adverse impact on 
> the availability, authenticity, integrity or confidentiality of data, or 
> on the services provided by the financial entity;
> 
> (9) ‘operational or security payment-related incident’ means a single 
> event or a series of linked events unplanned by the financial entities 
> referred to in Article 2(1), points (a) to (d), whether ICT-related or 
> not, that has an adverse impact on the availability, authenticity, 
> integrity or confidentiality of payment-related data, or on the 
> payment-related services provided by the financial entity;
> 
> 
> DORA notification types:
> 
> 1. Initial notification (DORA Art 19.4(a))
> 
> 2. Intermediate report (DORA Art 19.4(b)) => after the initial
>    notification referred to in Art 19.4(a), as soon as the status of
>    the original incident has changed significantly or the handling of
>    the major ICT-related incident has changed based on new information
>    available
> 
> 3. Updated notifications (DORA Art 19.4(b)) => every time a relevant
>    status update is available, as well as upon a specific request of
>    the competent authority
> 
> 4. Final report (DORA Art 19.4(a)) => when the root cause analysis has
>    been completed, regardless of whether mitigation measures have
>    already been implemented, and when the actual impact figures are
>    available to replace estimates
> 
> Best regards,
> -- 
> Georg Philip Krog
> 
> signatu <https://signatu.com>

-- 
---
Harshvardhan J. Pandit, Ph.D
Assistant Professor
ADAPT Centre, Dublin City University
https://harshp.com/
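As an added illustration (not DPV code and not from either mail), here is the generic NIS2-derived incident structure Harsh suggests, with the GDPR personal data breach as a specialisation, plus checks of which Art 23.4 report stage is due next and what a final report still lacks under Art 23.4(d). All class, field and function names are assumptions made for this sketch.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional
# Properties an incident compromises (NIS2 Art 6(6); DORA Art 3(8) lists the same four).
PROPERTIES = {"availability", "authenticity", "integrity", "confidentiality"}

class ReportType(Enum):  # NIS2 Art 23.4 stages; values mirror points (a)-(e)
    EARLY_WARNING = "a"
    NOTIFICATION = "b"
    INTERMEDIATE = "c"  # only upon CSIRT request, so never due automatically
    FINAL = "d"
    PROGRESS = "e"

@dataclass
class Incident:  # generic: any data or service, not only personal data
    compromised: set                      # subset of PROPERTIES
    cross_border: bool = False
    ongoing: bool = True
    involves_personal_data: bool = False  # hook for the GDPR specialisation

@dataclass
class Report:
    kind: ReportType
    content: dict = field(default_factory=dict)

# Content every final report must carry (Art 23.4(d)(i)-(iii)); (iv) is conditional.
FINAL_REQUIRED = {"description", "severity", "impact", "threat_or_root_cause", "mitigation"}

def is_incident(inc: Incident) -> bool:  # NIS2 Art 6(6): some property compromised
    return bool(inc.compromised & PROPERTIES)

def is_personal_data_breach(inc: Incident) -> bool:  # GDPR specialisation
    return is_incident(inc) and inc.involves_personal_data

def missing_final_content(inc: Incident, report: Report) -> set:
    """Items a final report still lacks under Art 23.4(d)."""
    required = set(FINAL_REQUIRED)
    if inc.cross_border:
        required.add("cross_border_impact")  # (iv) applies only if cross-border
    return required - set(report.content)

def next_due(inc: Incident, submitted: List[Report]) -> Optional[ReportType]:
    """Next mandatory stage given the reports already submitted."""
    sent = {r.kind for r in submitted}
    for stage in (ReportType.EARLY_WARNING, ReportType.NOTIFICATION):
        if stage not in sent:
            return stage
    if ReportType.FINAL in sent:
        return None
    if inc.ongoing and ReportType.PROGRESS not in sent:
        return ReportType.PROGRESS  # Art 23.4(e): still ongoing at final-report time
    return ReportType.FINAL
```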

Received on Monday, 3 July 2023 12:23:04 UTC