
The European Union Agency for Cybersecurity (ENISA) today releases its 2021 incident reports on telecom and trust services.
The 2021 reports: what are the key take-aways?
The 2021 annual report on Telecom Security Incidents shows that 90% of the user hours lost in the reporting year were due to human errors. The total number of user hours lost in 2021 reached 5106 million, more than four times the 2020 figure. This increase was traced to a single substantial EU cross-border incident, reported separately by three different Member States.
Over-The-Top (OTT) incidents were reported as well and require further attention from decision-making authorities.
The 2021 annual report on Trust Services Security Incidents shows that the number of notified incidents is steadily increasing, and that the incidents most often reported are those related to qualified certificates. Incidents with either minor or large impact continue to increase, in line with the trends of the past five years. System failures account for 47% of incidents and thus remain the dominant root cause. In 2021, incidents caused by malicious actions also increased by 20%.
The analysis is made possible thanks to the information ENISA receives from the national regulatory authorities (NRAs) of each EU Member State.
The ENISA reports aggregate and anonymise the data received, which makes a comprehensive analysis possible. The analysis is based on EU-wide reporting thresholds, while still accounting for the variations that arise when a Member State opts for a different approach. The thresholds govern how incidents are selected and classified, and therefore determine how coherent the analysis can be.
Juhan Lepassaar, Executive Director of the EU Agency for Cybersecurity (ENISA), stated: “Incident reporting helps us understand and analyse the state of cybersecurity. If we want to adequately respond to our current cybersecurity challenges, we need to agree on a common approach to incident reporting for the benefit of us all. The NIS2 Directive provides a much needed push to improve this. ENISA will continue to support the EU, Member States and the cybersecurity community to address this challenge.”
Incident Reporting: why does it matter?
Incident reporting is a process by which major cybersecurity incidents are reported on an annual basis and then further analysed. It allows specific aspects of an incident to be identified, such as the context, the type of incident, its recurrence, its impact, its level of severity, its root causes and the assets affected.
The knowledge gathered in this way allows a map of current trends, weaknesses and patterns to be drawn.
The ultimate purpose of incident reporting is to enable better informed and more efficient decision-making on the measures and actions needed to prevent these incidents or to deal with them better.
Policy developments: how will legislation improve incident reporting in the EU?
The upcoming NIS2 Directive will consolidate the incident reporting obligations currently spread across the European Electronic Communications Code (EECC), the NIS Directive and the eIDAS Regulation. ENISA will therefore engage with national authorities and regulators on how to implement consolidated incident reporting under the NIS2 Directive.
Under Article 40 of the EECC, the incident reporting provisions have also changed: mandatory incident reporting now also applies to number-independent interpersonal communications services (OTT communications services).
The current eIDAS Regulation and its provisions for incident reporting have been in place for five years. The European Commission is now working on a proposal for a new eIDAS Regulation, under which most of the reporting obligations in Article 19 of eIDAS will be transferred to the NIS2 Directive.
Background information
In the area of electronic communications, providers in the EU have to notify telecom security incidents that have a significant impact to the respective national authority for telecom security. At the beginning of every calendar year, the authorities send summary reports about these incidents to the EU Agency for Cybersecurity.
Established in 2010, the European Competent Authorities for Secure Electronic Communications expert group (ECASEC), or former Article 13a group, consists of about 100 experts from national telecom security authorities from EU Member States, European Free Trade Association (EFTA) and European Economic Area (EEA) countries, as well as EU candidate countries.
Electronic trust services include a range of electronic services built around digital signatures, digital certificates, electronic seals, timestamps and similar mechanisms, used to secure electronic (online) transactions.
The eIDAS Regulation is the EU-wide legal framework meant to ensure the interoperability and security of electronic trust services across the EU. One of the goals of eIDAS is to ensure that electronic transactions have the same legal validity as traditional paper-based transactions, creating a framework in which a digital signature has the same value as a handwritten signature.
Security is an important pillar of the overall framework. Article 19 of the eIDAS Regulation requires trust service providers in the EU to assess risks, take appropriate security measures, and mitigate security breaches.
Further Information
Telecom Security Incidents 2021 – ENISA Annual Report
Trust Services Security Incidents 2021 – ENISA Annual Report
ENISA website – Incident Reporting Topic
Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (eIDAS)
Building Trust in the Digital Era: ENISA boosts the uptake of the eIDAS regulation
Article 19 Expert Group Portal
European Electronic Communications Code Directive
Technical Guideline on Incident Reporting under the EECC
Security supervision changes in the new EU telecoms legislation