ITI urges EU to refine cybersecurity incident reporting regulations

Jason Oxman, President and Chief Executive Officer at Information Technology Industry Council

BRUSSELS – Today, global tech trade association ITI called on the European Commission to target reporting thresholds, fully leverage existing standards, and adopt a flexible compliance timeline in its response to the Commission’s draft implementing regulation on cybersecurity risk management and reporting obligations for digital infrastructure.

“While ITI supports the goals of the proposed Implementing Regulation, we are concerned that the currently proposed incident reporting thresholds are not sufficiently targeted and that risk management obligations are not fully aligned with European and international standards,” said ITI Policy Manager for Europe Laura Wiesenfeld. “In order to avoid overreporting and conflicts with globally-recognized standards, we urge the Commission to use more targeted incident reporting criteria and thresholds, fully leverage existing standards, and adopt a flexible compliance timeline.”

Among its recommendations, ITI suggests the Commission:

- Target incident reporting criteria to avoid overly inclusive or low thresholds.

- Limit incident reporting to confirmed or verified incidents that have caused actual harm.

- Fully leverage existing European and international standards such as C5, CEN/TS 18026, and ISO/IEC 27001.

- Adopt a flexible timeline for compliance leading up to 18 April 2027.

- Align reporting requirements across borders.

ITI has been deeply engaged in work on cybersecurity incident reporting policy development around the world, including in Europe, Australia, and the United States. As part of its engagement, ITI developed and released two sets of policy principles: Global Policy Principles for Cybersecurity Incident Reporting and Policy Principles for Security Incident Reporting in the US. The organization hopes these can inform the Commission’s cybersecurity work. ITI recommends that the Commission consider the international landscape for incident reporting requirements while finalizing the Implementing Regulation. International collaboration and alignment in cybersecurity approaches should be strengthened given the global nature of cyber threats.
