External Cybersecurity Incident Reporting for Resilience

  • Conference paper

Part of the book series: Lecture Notes in Business Information Processing (LNBIP, volume 330)

Abstract

Reporting cybersecurity incidents to external authorities is a newer requirement mandated by several complex and multi-layered laws. It is non-trivial, however, to determine what constitutes a reportable incident, the reporting timeframe, report recipients, and which data to include in the report, as it varies by country, organizational size and industry sector.

This research aims to help organizations navigate the various external cybersecurity incident reporting (ECIR) requirements, both to help them avoid penalties and to assist international cybersecurity efforts. This research focuses on EU and Swedish legal acts, and addresses which EU and Swedish laws govern the external incident reporting requirements of organizations located in Sweden, including the details of reportable incidents, report contents, recipients and timeframes.

A survey research strategy based on document analysis was used to synthesize the regulatory landscape for ECIR. 16 laws were found governing ECIR within Sweden; nine at the EU level and seven at the Swedish level (plus three pending at the Swedish level). The answers to the research questions are presented along with a discussion of the complexity of the legislation and double-reporting. Further research avenues are suggested.



Author information

Corresponding author

Correspondence to Annika Andreasson.

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Andreasson, A., Fallen, N. (2018). External Cybersecurity Incident Reporting for Resilience. In: Zdravkovic, J., Grabis, J., Nurcan, S., Stirna, J. (eds) Perspectives in Business Informatics Research. BIR 2018. Lecture Notes in Business Information Processing, vol 330. Springer, Cham. https://doi.org/10.1007/978-3-319-99951-7_1

  • DOI: https://doi.org/10.1007/978-3-319-99951-7_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-99950-0

  • Online ISBN: 978-3-319-99951-7

  • eBook Packages: Computer Science (R0)