Recently at an NIS 2 workshop with a client’s management team.
Topic: Reporting requirements for IT security incidents.

The central BSI portal for reporting security incidents has recently been launched – which is good and right. But then came the crucial question from C-level:

What happens if an IT security incident also affects personal data?

Is reporting to the BSI sufficient, or do we also have to inform the data protection supervisory authority?

The short answer: No, one report is not enough.
The long answer is precisely the problem.

For NIS 2-regulated companies, reporting is done via the BSI portal.
For data protection incidents, on the other hand, the state data protection authorities are responsible, depending on the company’s headquarters.

Result:
Different responsibilities
Different portals
Different registrations
No data exchange

Currently, I am not aware of any option in the BSI portal to submit a report to the relevant data protection authority at the same time or to inform the BSI directly from a data protection reporting portal.

From a management perspective, this raises the strategic question:
→ How can companies ensure that they don’t overlook anything in an emergency?

My question to you—especially to CISOs, CIOs, CFOs, and CEOs:

Would such a “one-stop reporting process” be useful in your opinion,
or even necessary? I look forward to hearing your views.

Tags

Share post

More articles

What is actually the difference between a Vulnerability Scan and a Penetration Test? There seem to be interesting misconceptions about this, as we would like to show with the following practical example.
Cost-effective solution for medium-sized businesses Watchdog by TEN IM is our managed SIEM (Security Incident & Event Management) solution that makes automated detection of attacks and vulnerabilities accessible to SMEs. We are often asked: how...
A serious vulnerability exists in the popular Samba server, which provides Windows file and print services in Linux environments. Linux systems should be updated as soon as possible, because the vulnerability with the identifier CVE-2020-27840...