The Lens: Digital developments in focus

EU proposes single-entry point for cyber incident reporting, but is it really “report once, share many”?

As part of the recently announced Digital Omnibus simplification package (see our blog on that here), the European Commission plans to streamline cybersecurity and data incident reporting in the EU, by channelling incident notifications through a new “single-entry point” (SEP).

For organisations in the EU today, a common headache is that a single cybersecurity incident or data breach can trigger multiple reporting obligations under separate legal regimes, each involving different authorities, timeframes and requirements. Under this new proposal, organisations would instead only need to report once using the central SEP, which would then distribute the information to the relevant authorities (the so-called “report once, share many” principle).

Which regulations does this affect?

The bulk of the changes introducing the SEP would be implemented through an amendment to the NIS2 Directive, whose incident notification obligations would be covered by the changes. Changes would also be made to the General Data Protection Regulation (GDPR), the Digital Operational Resilience Act (DORA), the Directive on the Resilience of Critical Entities (CER) and the Regulation on digital identity and authentication (eIDAS) to bring their reporting obligations in scope.

The Commission has flagged that it also plans to bring additional sector-specific reporting obligations under the SEP, including the network code on cybersecurity aspects of cross-border electricity flows (NCCS), and relevant instruments for the aviation sector.

What will this single-entry point look like?

Details on what the SEP will look like (and how it will work) are still high-level. The platform (or “interface”) will first need to be developed by the European Union Agency for Cybersecurity (ENISA). It will be at least 18 months (from when the Digital Omnibus is approved) before the SEP takes effect, and that may be extended by a further 6 months if the Commission does not believe ENISA’s solution is ready following pre-launch testing.

The proposals do, however, require ENISA to develop and maintain an SEP system that:

  • allows organisations to submit a single notification of information, to fulfil reporting obligations under any regulations falling under the single-entry point regime (and to retrieve or supplement information they have previously submitted);
  • takes into account, and ensures interoperability between, the specificities of the various incident reporting requirements under the relevant regulations; and
  • has technical arrangements which allow the competent authorities under the relevant regulations to access, submit and retrieve information from the single-entry point using their own systems.

One suggestion is that the system could build on the single-reporting platform ENISA is already developing under the Cyber Resilience Act (CRA). The proposals also discuss having common reporting templates, and learning from the experience gained around the use of such common templates under DORA.

Will this actually help?

The problem the proposals are seeking to solve is clear – the EU’s current web of digital regulations has created multiple reporting obligations which are both duplicative and inconsistent, creating a regulatory burden for organisations. In principle, simplification of the system would therefore be welcomed.

However, it remains to be seen whether reporting will actually become simpler under the current proposals. In particular, the Commission will not be changing the “underlying legal requirements for incident reporting”, meaning organisations will still need to navigate differing notification timeframes, thresholds and information requirements, albeit while using a single reporting platform. Interestingly, the only change under the Digital Omnibus to the EU’s notification timeframes is a proposed extension to the GDPR’s data breach rule. At a time when new regimes such as NIS2 have introduced an initial 24-hour incident notification obligation, the GDPR’s data breach notification deadline would move from 72 hours to 96 hours (see our blog on the proposed GDPR changes here).

Given these different reporting timeframes and information requirements, will businesses still need to make multiple submissions in practice (or at least, supplement their existing submissions to the SEP)?

Reports suggest that several EU member states are also raising practical concerns around the SEP. These include concerns around its security (especially noting the implication that ENISA will be retaining this sensitive reporting data, to permit future retrieval), technical feasibility, interoperability with existing national systems and laws, and even the potential for the SEP to become a “single point of failure”.

It will therefore be important for the Commission and ENISA to address these potential complexities and concerns to ensure that the SEP can in fact deliver on its simplification promise.

Next steps

As for what’s next, like the rest of the Digital Omnibus, the SEP is still only a proposal at this stage. It will require approval by the EU Parliament and Council, where further debate and amendment are likely.
