A wealth of recent and upcoming legislation in the EU and UK requires certain businesses to report a variety of cyber-related incidents. The requirements vary across legislation, sector and, in the wake of Brexit, between the EU and UK. We provide a high-level overview of the consolidated requirements. Please note, this is a summary which outlines the main overarching requirements. Exceptions or other sector-specific requirements (particularly in relation to financial and payment services), as well as voluntary notification requirements, may apply. You should always get specific advice about your obligations and we are happy to help.
UK cyber and digital resilience reporting requirements
EU cyber and digital resilience reporting requirements
Coping with compliance - practical challenges and tips for building a compliant incident reporting regime
Establish applicable requirements
Organisations need to determine which legislation applies to their operations directly and then understand the related incident reporting requirements. They also need to determine if any legislation applies to them indirectly, e.g. certain service providers will also be impacted and may be required by their regulated customers to enable certain incident reporting capabilities. For such service providers to regulated customers, understanding which requirements might be relevant to their services will be key, to ensure that they are allowing customers to use their services in a compliant manner, while not taking on more responsibility within their customers' incident reporting regimes than they are required to.
Understand when a reporting requirement has been triggered
Organisations need to map out when an 'incident' has occurred under each piece of applicable legislation. For entities that may be impacted indirectly (e.g. a service provider to in-scope entities), this exercise will be slightly different: they will need to understand their contractual obligations around what a reportable incident is (this may differ across services and business lines) and what their reporting obligations are to their various customers.
Design a policy
Organisations in scope may need to design or update their existing incident reporting policy to reflect any new requirements. Maintaining a policy is explicitly required under some of the legislation, and even where it is not, a consolidated policy covering these requirements might be helpful. For entities impacted indirectly (a service provider to in-scope entities), understanding the legislative requirements on incident reporting will also be beneficial to help shape their contractual position and guide negotiations with regulated customers.
Setting a high bar
Given the varying timelines for reporting, organisations might wish to establish a high bar for incident monitoring and reporting, guided by the most stringent applicable requirement, so that a single process satisfies every regime they are subject to.
Get advice
We can help you navigate these complex requirements. Please do contact us and let us know how we can assist.