Abstract
Reporting cybersecurity incidents to external authorities is a relatively new requirement, mandated by several complex and multi-layered laws. It is non-trivial, however, to determine what constitutes a reportable incident, the reporting timeframe, the report recipients, and which data to include in the report, since these vary by country, organizational size and industry sector.
This research aims to help organizations navigate the various external cybersecurity incident reporting (ECIR) requirements, both to help them avoid penalties and to assist international cybersecurity efforts. This research focuses on EU and Swedish legal acts, and addresses which EU and Swedish laws govern the external incident reporting requirements of organizations located in Sweden, including the details of reportable incidents, report contents, recipients and timeframes.
A survey research strategy based on document analysis was used to synthesize the regulatory landscape for ECIR. Sixteen laws were found to govern ECIR within Sweden: nine at the EU level and seven at the Swedish level (plus three pending at the Swedish level). The answers to the research questions are presented along with a discussion of the complexity of the legislation and of double-reporting. Further research avenues are suggested.
© 2018 Springer Nature Switzerland AG
Andreasson, A., Fallen, N. (2018). External Cybersecurity Incident Reporting for Resilience. In: Zdravkovic, J., Grabis, J., Nurcan, S., Stirna, J. (eds) Perspectives in Business Informatics Research. BIR 2018. Lecture Notes in Business Information Processing, vol 330. Springer, Cham. https://doi.org/10.1007/978-3-319-99951-7_1
DOI: https://doi.org/10.1007/978-3-319-99951-7_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-99950-0
Online ISBN: 978-3-319-99951-7
eBook Packages: Computer Science (R0)