dc.contributor.advisor | Paananen, Hanna Kaisa | |
dc.contributor.author | Boddy, Sara Elizabeth | |
dc.date.accessioned | 2024-06-12T09:18:41Z | |
dc.date.available | 2024-06-12T09:18:41Z | |
dc.date.issued | 2024 | |
dc.identifier.uri | https://jyx.jyu.fi/handle/123456789/95795 | |
dc.description.abstract | The European Union is committed to enhancing cybersecurity across its Member States by introducing legislation that impacts organizations' cybersecurity preparedness. These laws include the Network and Information Security 2 Directive (NIS2), the Critical Entities Resilience Directive (CER), and the Digital Operational Resilience Act (DORA). These laws mandate that organizations report cyber incidents to authorities. Currently, there are few guidelines available to help organizations understand how to report incidents to authorities. With the new legislation, it becomes even more crucial for organizations to comprehend how to report cyber incidents effectively to authorities. This research aims to determine whether organizations' current practices align with the decision-support framework and whether the new legislation warrants adaptations to the framework in question. This thesis was conducted as a case study, beginning with a comprehensive literature review of existing research on incident reporting and the legislation. Data was gathered through semi-structured interviews with cybersecurity professionals who have observed cybersecurity exercises simulating real-life cyber incidents. The data was analyzed using deductive coding. The results indicate that the decision-support framework partially corresponds to real-life operations; however, the specifics vary depending on the particular incident and the organization's processes. The key findings highlight that clear roles and responsibilities, established communication paths, a diverse team, and knowledgeable individuals in the core group related to the incident are essential. These team members must understand the legislative obligations and have experience in incident management, making sure that the organization can effectively handle the complexities of reporting under the new legislation. | en |
dc.format.extent | 69 | |
dc.format.mimetype | application/pdf | |
dc.language.iso | eng | |
dc.rights | CC BY | |
dc.title | Case study: The decision-support framework and NIS2, CER, and DORA incident reporting obligations | |
dc.type | Master's thesis | |
dc.identifier.urn | URN:NBN:fi:jyu-202406124562 | |
dc.contributor.tiedekunta | Faculty of Information Technology | en |
dc.contributor.tiedekunta | Informaatioteknologian tiedekunta | fi |
dc.contributor.yliopisto | Jyväskylän yliopisto | fi |
dc.contributor.yliopisto | University of Jyväskylä | en |
dc.contributor.oppiaine | Cyber Security | en |
dc.contributor.oppiaine | Kyberturvallisuus | fi |
dc.rights.copyright | © The Author(s) | |
dc.rights.accesslevel | openAccess | |
dc.format.content | fulltext | |
dc.rights.url | https://creativecommons.org/licenses/by/4.0/ | |