The Federation of European Risk Management Associations (FERMA) is advocating for the simplification of cyber incident reporting requirements within the European Union [6] [7]. This initiative emphasizes the need for a unified approach that considers the insurance implications of cyber-related legislation, addressing the complexities and challenges posed by varying regulations across jurisdictions.

## Description

The Federation of European Risk Management Associations (FERMA) is advocating for the simplification of cyber incident reporting requirements within the European Union [6] [7], emphasizing the need for a unified approach that considers the insurance implications of cyber-related legislation. This call for consistency is particularly relevant given the distinct reporting obligations imposed by various regulations, including the General Data Protection Regulation (GDPR) [4] [5] [6] [7] [9], the Network and Information Security (NIS) Directive [4] [5] [6] [7] [9], the NIS2 Directive [3] [8] [9], the Digital Operational Resilience Act (DORA) [4] [5] [6] [7] [9], and the Cyber Resilience Act (CRA) [4] [5] [6] [7] [9]. The NIS2 Directive [3] [8] [9], effective from January 16, 2023 [8], expands upon the original NIS Directive to enhance cybersecurity across the EU [8], requiring approximately 160,000 organizations to implement comprehensive cybersecurity measures [8], including risk analysis [8], incident handling [3] [8], business continuity [8], and supply chain security [3] [8]. In Ireland, the National Cyber Security Bill 2024 aims to transpose the NIS2 Directive into national law, designating the National Cyber Security Centre (NCSC) as the competent authority for managing large-scale cybersecurity incidents and crises [3].

Under the Bill [3], all entities in Ireland are required to implement appropriate technical [3], operational [3] [4] [5] [6] [7] [9], and organizational measures to manage cybersecurity risks [3], including conducting risk assessments and addressing supply chain security and cyber hygiene practices [3]. Entities must report certain cyber incidents to the NCSC [3], with a strict timeline for initial reporting within 24 hours of becoming aware of a breach [3]. Differing requirements across jurisdictions, particularly varying reporting timelines and compliance expectations, can create significant financial and administrative challenges for organizations.

FERMA president Charlotte Hedemark has highlighted the increasing reporting burden on companies and stressed the importance of clarity regarding applicable reporting requirements and the specific scenarios in which they apply, as penalties for non-compliance can be severe [4]. A key requirement of the NIS2 Directive is the establishment of protocols for the swift reporting of significant cyber incidents to national authorities [8], facilitating coordinated responses [8]. Philippe Cotelle [6], chair of FERMA’s Digital Committee [6], pointed out the absence of specific regulations addressing cyber risk management and its insurance implications [6], noting that while risk management is crucial for resilience against cyber-attacks [6], there are no regulations detailing the necessary risk management measures [6] [9].

In light of these challenges, FERMA has urged European institutions to simplify cyber reporting obligations and consider the insurance implications of cyber legislation [9]. A recent report titled “Cyber Reporting Stack: Navigating EU Incident Reporting Requirements for Risk Managers,” produced in collaboration with WTW [2] [5] [6], provides guidance on managing these obligations and outlines the evolving cyber policy landscape. It emphasizes the need for a streamlined and consistent set of requirements for reporting cyber incidents [6] [9], recommending the establishment of a “single point of entry” for notifications and advising EU Member States to enhance their processes and reduce the number of entities involved. The report includes case studies on critical breach scenarios and underscores the critical role of risk managers in identifying risks and implementing effective mitigation strategies. Additionally, it highlights the lack of technical specifications regarding risk management measures related to incident reporting [4], complicating compliance and effective incident response, particularly in conjunction with existing obligations under the GDPR.

FERMA emphasizes the importance of managing cyber risks for organizations [6], particularly concerning client data confidentiality and network security [5]. As the 2024 deadline approaches for the transposition of the NIS2 Directive into national law, organizations must adopt advanced cybersecurity solutions to navigate the regulatory landscape effectively and maintain high standards of network security [8]. The findings of this report will be presented at the FERMA Forum in Madrid on October 22, aiming to assist policymakers in streamlining processes and allowing companies to focus more on risk assessment and management [2].

## Conclusion

The advocacy by FERMA for streamlined cyber incident reporting within the EU highlights the pressing need for regulatory coherence and the consideration of insurance implications. By addressing the complexities of current reporting obligations, organizations can better manage financial and administrative challenges [1]. The proposed simplifications and the establishment of a unified reporting framework aim to enhance cybersecurity resilience and facilitate effective incident response. As the regulatory landscape evolves, organizations must remain proactive in adopting advanced cybersecurity measures to protect client data and ensure network security. The outcomes of FERMA’s report and discussions at the upcoming FERMA Forum are expected to guide policymakers in refining processes, ultimately enabling companies to prioritize risk assessment and management [2].

## References

[1] https://thenimblenerd.com/article/eus-cyber-reporting-chaos-ferma-warns-of-costly-confusion-ahead-of-new-laws/
[2] https://www.ferma.eu/publication/cyber-reporting-stack-2024/
[3] https://www.mhc.ie/hubs/legislation/the-national-cyber-security-bill-2024
[4] https://www.infosecurity-magazine.com/news/eu-urged-harmonize-incident/
[5] https://www.captiveinternational.com/ferma-calls-for-streamlined-cyber-reporting-requirements
[6] https://www.insurancebusinessmag.com/uk/news/cyber/ferma-urges-eu-to-simplify-cyber-incident-reporting-for-companies-508331.aspx
[7] https://www.reinsurancene.ws/ferma-urges-eu-to-streamline-cyber-reporting-processes/
[8] https://netop.com/2024/10/07/the-nis2-directive-elevating-cybersecurity-standards-across-the-eu-and-netops-pivotal-role/
[9] https://dig.watch/updates/ferma-calls-on-european-institutions-to-simplify-cyber-reporting-obligations