EU Cybersecurity chief says incident reporting system not working as intended
Despite a series of cyber attacks on governments and businesses across the European Union, the bloc still does not have an adequate incident reporting system.
That assessment came from Juhan Lepassaar, Executive Director of the EU Agency for Cybersecurity (ENISA), who was speaking at a roundtable on how to offer better protections, especially given worries about Moscow-directed attacks in retaliation for sanctions.
“We need something which is agile, that works and where information can be shared in a secure manner,” Lepassaar said. “More resilience in critical sectors is definitely something we need to look at.”
Lepassaar called for better information sharing between the EU’s 27 member states to keep track of disparate threats in a complex landscape – something that falls squarely within the Athens-based ENISA’s remit.
An update of the EU Directive on Security of Network and Information Systems (NIS) is being negotiated in the EU institutions, though consensus may take some time to reach.
Dutch MEP Bart Groothuis is leading the revision of the NIS Directive and told news site Euractiv that, beyond issues of information sharing, EU computer security incident response teams (CSIRTs) need to be improved.
ENISA believes cybersecurity breach reporting is critical, not only for the public but also to help authorities recognize and respond to current trends and weaknesses. The original NIS Directive, passed in 2018, introduced cybersecurity incident notification rules for operators of essential services in critical sectors.
But Lepassaar told the roundtable that the NIS system is not working as intended and EU structures are being bypassed. He noted that in 2021 not a single cross-border incident was reported under the NIS Directive, although the SharkBot Trojan attacked many banks and there was an attack on a European e-ticketing platform.
“The problem is that we are dependent on the information that we get from the member states.” The reporting system itself was felt by many to be too “cumbersome” and “bureaucratic,” which discouraged wider use of it.
Lepassaar’s remarks come less than 18 months after a new EU cybersecurity strategy was presented by the European Commission. That strategy prioritized critical infrastructure, such as hospitals, energy grids and railways, but also showed how open to attack homes and offices were. ENISA has been left to grasp at hopes that member states will co-operate.
“We need to be sure that our systems are reliable,” Tanel Sepp, Estonian ambassador-at-large for cybersecurity, told Euronews. The EU is proposing a cybershield of security operations centers that use artificial intelligence and machine learning as an early-warning system for cyberattacks, and a joint unit to share information and collectively respond to threats.
Last month, the European Court of Auditors (ECA) warned that cyberattacks against EU bodies were increasing sharply and criticised existing arrangements across the European institutions.