The joint report, developed by DG CONNECT and DHS with support from their respective cybersecurity agencies, the European Agency for Cybersecurity (ENISA) and the Cybersecurity and Infrastructure Security Agency (CISA), provides a comparative assessment and factual overview of two sets of rules: the recommendations from the U.S. Cyber Incident Reporting Council and the 2023 DHS report on Harmonization of Cyber Incident Reporting to the Federal Government, and the EU's Directive 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive). It does so by identifying the main similarities and divergences between them. The findings in this report will help inform DG CONNECT and DHS's approach to evaluating cyber incident reporting processes in the future. The report identifies six main areas for comparative analysis between the DHS report and the EU Directive: (i) definitions and reporting thresholds, (ii) timelines, triggers and types of cyber incident reporting, (iii) contents of cyber incident reports, (iv) reporting mechanisms, (v) aggregation of incident data, and (vi) public disclosure of cyber incident information.
Comparative Assessment of the DHS Harmonization of Cyber Incident Reporting to the Federal Government Report and the Rules on Incident Reporting in the EU Directive on Measures for a High Common Level of Cybersecurity Across the Union (NIS 2 Directive)
Last Updated: 03/20/2024