Over the past few years, many countries, including the United States, Australia, and India, have imposed mandatory cyber incident reporting requirements. The European Union recently expanded its mandatory reporting requirements through its Network and Information Security Directive 2.0. While the broad requirements are in place in the U.S. and the EU, the specific regulations and guidance to operationalize these laws are still being developed. In the U.S., the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is drafting the regulations necessary to bring the law into effect; that process will run through mid-2025. Under the EU directive process, each member state has to adopt laws to implement it, and, in this case, they have until October 2024 to do so. Other countries are considering similar laws.
Reporting Cyberattacks Will Soon Be Mandatory. Is Your Company Ready?
Mandatory reporting regimes are coming to many countries in the next few years, whether businesses support the idea or not. While the details vary, these requirements are intended to increase the government’s visibility regarding the scope, scale, and intensity of malicious cyber activity in their countries. The business case for such reporting from the government’s perspective is clear; no government currently has the incident information it needs to protect its national security, economic prosperity, or public health and safety in cyberspace. For companies, however, what they get from these regimes is often unclear. But if the regulations are set up properly, businesses could reap clear benefits. Therefore, the business community must take this opportunity to shape these reporting regimes into a structure that will not only benefit governments and society, but individual businesses at the same time.
HBR Learning