Recently at an NIS 2 workshop with a client’s management team.
Topic: Reporting requirements for IT security incidents.

The central BSI portal for reporting security incidents has recently been launched – which is good and right. But then came the crucial question from C-level:

What happens if an IT security incident also affects personal data?

Is reporting to the BSI sufficient, or do we also have to inform the data protection supervisory authority?

The short answer: No, one report is not enough.
The long answer is precisely the problem.

For NIS 2-regulated companies, reporting is done via the BSI portal.
For data protection incidents, on the other hand, the state data protection authorities are responsible, depending on the company’s headquarters.

Result:
Different responsibilities
Different portals
Different registrations
No data exchange

Currently, I am not aware of any option in the BSI portal to submit a report to the relevant data protection authority at the same time or to inform the BSI directly from a data protection reporting portal.

From a management perspective, this raises the strategic question:
→ How can companies ensure that they don’t overlook anything in an emergency?

My question to you—especially to CISOs, CIOs, CFOs, and CEOs:

Would such a “one-stop reporting process” be useful in your opinion, or even necessary? I look forward to hearing your views.
