Most cyber incidents in the EU are not reported or not even detected
A report published by the European Network and Information Security Agency (ENISA) shows that millions of citizens and businesses were seriously impacted by cyber security incidents. However, most incidents are not reported or not even detected.
The new “Cyber Incident Reporting in the EU” report published by the European Network and Information Security Agency (ENISA) underlines important steps forward in cyber security legislation but also identifies gaps in national implementation, as most incidents are not reported. According to Dr Marnix Dekker and Chris Karsberg, the report’s co-authors, cyber incidents are most commonly kept secret when discovered, leaving customers and policymakers in the dark about frequency, impact and root causes. The European Commission launched a consultation on a future EU Network and Information Security legislative initiative in July 2012.
Most incidents are not reported or not even detected. As examples of incidents in which, each time, millions of citizens and businesses were seriously impacted: in 2012, millions of business network passwords were exposed; in 2011, the storm Dagmar wrecked millions of Scandinavian communication links; in 2011, a British data centre failure interrupted millions of business communications worldwide; in 2011, a certificate authority was breached, exposing the communications of millions of users; in 2010, a Chinese telecom provider hijacked 15% of the world’s internet traffic for 20 minutes. Only one of the above-mentioned incidents was within the scope of the national regulators’ mandate, indicating that there are gaps in the regulation. Thus, EU-wide sharing of incident reports should be improved, says the report.
The report also shows that much progress has been made recently. An ENISA working group for national regulators has developed both a common set of security measures and an incident reporting format. ENISA just received reports on 51 large incidents from the regulators, describing impact, root causes, actions taken and lessons learnt. This material is used as input for the European cyber security strategy and the European cyber security exercise.