The European Union Agency for Cybersecurity publishes the aggregated data and analysis of the incident reports for telecom services and trust services.
Incident reporting is the invaluable tool used across the EU for the notification of significant cybersecurity incidents, their impact assessment and the evaluation of trends. The national regulatory authorities (NRAs) of each EU Member State provide a summary of these incidents to the EU Agency for Cybersecurity, ENISA on a yearly basis but also on an ad-hoc basis.
The two reports published today provide an extensive analysis of incident root causes and of the impact of incidents that occurred in 2020, and assess multiannual trends.
Juhan Lepassaar, EU Agency for Cybersecurity Executive Director, said: “Incident reporting allows us to make projections and to continually maintain a view over the cyber threat landscape. The EU Agency for Cybersecurity is dedicated to supporting national authorities and the wider cybersecurity community to ensure coherence, coordination and efficiency in incident reporting and analysis.”
EU-wide agreed thresholds apply to how incidents are selected, although Member States have the right to deviate at national level. Such reports therefore only provide information related to incidents reported by Member States. However, as thresholds can change over the years, ENISA takes precautionary measures to perform the analysis of trends in a coherent and informed way.
Why is incident reporting important?
The major objective of telecom services and trust services incident reporting is to help national authorities with their supervision tasks, and to map cybersecurity trends as well as cross-cutting issues and sector weaknesses. Aggregating this information is important to understand gaps and to identify and address emerging issues.
ENISA has been supporting the EU telecom security authorities since 2011 and the supervisory bodies for EU trust services since 2016 on the respective incident reporting. The role of ENISA is to develop procedures, information gathering templates and data processing tools in relation to these incidents and to publish a report every year on the previous year’s incidents.
What are the key takeaways of the reports on 2020 incidents?
The annual report on telecom security incidents for 2020 reveals that faulty software changes and/or updates constitute a major aggravating factor in terms of impact, resulting in 346 million hours lost, which is equivalent to 40% of the total number of hours lost.
System failures continue to dominate as the most frequent cause of incidents leading to severe adverse impact.
The total number of incidents caused by human errors or third-party failures remains similar to the levels seen in 2019.
The multiannual trends show that although system failures continue to be the most frequent cause of incidents (61%), these incidents are decreasing in size.
The analysis also reveals that incidents caused by human errors have been on the increase between 2016 and 2020, reaching 26% of the total number of incidents.
The annual report on trust services incidents also reveals that system failures remain the dominant root cause of incidents, with human errors ranking second.
Overall, the level of severity remains steadily low, which indicates that Trust Service Providers (TSPs) report more incidents, even those that are less severe.
In 2020, 69% of total incidents had an impact on qualified trust services, compared with approximately 33% of incidents reported on non-qualified trust services. The study highlights a concern that incidents affecting non-qualified trust services are under-reported, although such services are very widely used. A good example of this is website certificates, used by 80% of websites globally. The rather limited number of incident reports on non-qualified trust services under the eIDAS regulation suggests there is still under-reporting in this specific market. Nevertheless, it is worth mentioning that one Member State reported 11 incidents during 2020.
In addition, the analysis also revealed PDF signing vulnerabilities, with the emergence of new “shadow attacks” affecting a wide range of software products.
The information collected and analysed in the telecom and trust services security incident reports is stored in CIRAS, an online visual tool that allows the analysis of incidents and can be used to generate custom graphs.
ENISA is considering issuing a consolidated report in 2022. More reporting activities are expected in the future with the revision of the NIS directive.
Event – Trust Services Forum 2021
Together with the European Commission, ENISA will organise the Trust Services Forum on 21 September 2021. This edition takes place for the 7th year in 2021, following its inception in 2015. Co-located with the D-TRUST/TUVIT CA Day on 22 September 2021, the event is to take place in Berlin, Germany, provided that travel and gathering restrictions allow for this. More information: Trust Services Forum – CA Day 2021
Background information
For electronic communications, providers in the EU have to notify telecom security incidents with significant impact to the national authorities for telecom security in their country. At the beginning of every calendar year, the authorities send summary reports about these incidents to the EU Agency for Cybersecurity.
Established in 2010, the European Competent Authorities for Secure Electronic Communications expert group (ECASEC), or former Article 13a group, consists of about 100 experts from national telecom security authorities from EU Member States, European Free Trade Association (EFTA) and European Economic Area (EEA) countries, as well as EU candidate countries.
Electronic trust services include a range of electronic services around digital signatures, digital certificates, electronic seals, timestamps, etc., used to secure electronic online transactions.
The eIDAS regulation is the EU-wide legal framework meant to ensure the interoperability and security of electronic trust services across the EU. One of the goals of eIDAS is to ensure that electronic transactions can have the same legal validity as traditional paper-based transactions, creating a framework in which a digital signature has the same value as a hand-written signature.
Security is an important pillar of the overall framework. Article 19 of the eIDAS regulation requires trust service providers in the EU to assess risks, take appropriate security measures, and mitigate security breaches.
Further Information
ENISA website – Incident Reporting Topic
Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (eIDAS)
Building Trust in the Digital Era: ENISA boosts the uptake of the eIDAS regulation
Article 19 Expert Group Portal
European Electronic Communications Code Directive
Technical Guideline on Incident Reporting under the EECC
Security supervision changes in the new EU telecoms legislation