Select List of Global Cyber Incidents Reporting Requirements

This select list provides an overview of key cyber incident reporting requirements globally. More up-to-date information may be found on each agency’s website.
The United States
In the United States, many of the cyber incident reporting requirements stem from the Cybersecurity and Infrastructure Security Agency (CISA). These are outlined in the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law by President Biden in 2022. Under CIRCIA, covered entities must report any covered cyber incident to CISA within 72 hours from the time the entity reasonably believes the incident occurred. Additionally, CIRCIA includes a Federal Incident Report Sharing Initiative, under which any federal entity receiving a report on a cyber incident must share that report with CISA within 24 hours. CISA must in turn make information received under CIRCIA available to certain federal agencies within 24 hours. Finally, under CIRCIA, covered entities must report to CISA any ransom payment made as a result of a ransomware attack within 24 hours, and CISA must share such reports with federal agencies. Reporting requirements also vary from state to state, especially for critical infrastructure incidents that do not involve personally identifiable information. This report from the National Association of Regulatory Utility Commissioners compiles the reporting requirements issued by state legislatures, public utility commissions, and other agencies as of 2022.
Aside from CISA, the Securities and Exchange Commission (SEC), National Credit Union Administration (NCUA), and U.S. Computer Emergency Readiness Team (US-CERT) also have cybersecurity disclosure requirements. Under the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules, public companies must disclose information regarding their cybersecurity risk management, strategy, and governance on an annual basis, and must disclose cybersecurity incidents within four business days after a cyber incident has occurred. NCUA implemented its Cyber Incident Notification Requirements in 2023. Under these requirements, all federally insured credit unions must notify NCUA no later than 72 hours after experiencing a reportable cyber incident or receiving notice of one from a third party.
Finally, US-CERT has issued reporting guidance for federal government departments and agencies. Under the Federal Information Security Modernization Act of 2014 (FISMA), federal Executive Branch civilian agencies must report information security incidents to US-CERT within one hour of the incident being identified by the agency’s top-level Computer Security Incident Response Team, Security Operations Center, or IT team. The notification requirement covers all incidents in which the confidentiality, integrity, or availability of a federal information system is potentially compromised.
The European Union
In the European Union (EU), under Article 40 of the European Electronic Communications Code (EECC), cyber incidents affecting the “confidentiality, authenticity, integrity, and availability of the following assets: the networks, services, the stored or transmitted or processed data, other services offered via those e-communications services” must be reported to the European Union Agency for Cybersecurity (ENISA) “without undue delay.” Aside from Article 40, there are several other initiatives related to the security of public electronic communications networks and services, such as the NIS 2 Directives. The NIS 2 Directives introduced EU-wide cybersecurity legislation and set out cyber incident reporting requirements through a tiered reporting timeline:
- Initial Notification: Entities covered by NIS 2 must provide a preliminary incident notification to the relevant national authority (such as a Computer Security Incident Response Team, or CSIRT) within 24 hours of becoming aware of the incident.
- Intermediate Report: An additional, more detailed report is required within 72 hours. This includes more information on the cause of the incident, the systems affected, the steps being taken to address the issue, and any relevant progress updates.
- Final Report: A comprehensive report must be submitted as soon as the situation is under control, typically within one month of the initial incident notification. This report should provide a full analysis of the incident, the mitigation steps, and lessons learned.
The Directives emphasize that only significant incidents must be reported. Article 23(3) of the Directives sets out the requirements for an incident to be considered “significant,” and establishes evaluation criteria such as the extent of the disruption, the impact on economic and societal activities, the duration of the incident, and the role of the affected entity within the supply chain.
Additionally, the EU Digital Operational Resilience Act (DORA) is a framework designed to ensure the operational resilience of EU financial entities. DORA states that financial institutions must report significant ICT-related incidents to their respective national competent authorities. The initial notification should be sent within 24 hours of the incident. Intermediate reports must be sent as more information becomes available; a final report is required once the incident has been resolved.
Similarly, the 2024 EU Cyber Resilience Act (CRA) is a legal framework that aims to enhance the security of connected devices (IoT), hardware, and software products across the EU. Under the CRA, manufacturers must report actively exploited vulnerabilities or significant cybersecurity threats to ENISA within 24 hours of becoming aware of the issue. This report from ENISA and the EU Joint Research Centre identifies the most relevant existing cybersecurity standards for each CRA requirement, to facilitate standardization and implementation.
Finally, the EU General Data Protection Regulation (GDPR) requires organizations to report any personal data breach to their national competent authority within 72 hours.
The United Kingdom
In the United Kingdom (UK), cyber incidents are to be reported to the National Cyber Security Centre (NCSC) within 72 hours of becoming aware of the incident. Additionally, the UK follows the 2018 NIS Directives, which require operators of essential services and digital service providers to notify the relevant authorities within 72 hours.
Due to Brexit, the UK has not implemented the EU’s NIS 2 Directives. A forthcoming Cyber Security and Resilience Bill was, however, announced as part of the July 2024 King’s Speech. The bill aims to strengthen the UK’s cyber defenses through, for example, increased incident reporting, giving the government better data on cyber-attacks.
As in the EU, under the UK GDPR, if a cyber incident results in a personal data breach, the organization must notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
Australia
In Australia, under the Security of Critical Infrastructure Act 2018 (SOCI Act), organizations must notify the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) within 12 hours of becoming aware of a critical incident, and within 72 hours for incidents not considered critical. The guidelines for reporting cybersecurity incidents as of September 2024 can be found here.
Additionally, under the Notifiable Data Breaches (NDB) Scheme and the 1998 Privacy Act, if a data breach is likely to result in harm to individuals, organizations must notify the Office of the Australian Information Commissioner as soon as possible, and within 30 days.
Finally, under the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234, APRA-regulated financial institutions must report material cyber incidents within 72 hours of detection.
Japan
Cyber incident reporting in Japan is governed by the Act on the Protection of Personal Information (APPI), the Cybersecurity Basic Act, and other sectoral guidelines. Under the amendments to the APPI that took effect in April 2022, organizations must report data breaches to the Personal Information Protection Commission (PPC) “promptly” (three to five days).
Additionally, under the Financial Services Agency (FSA)’s Guidelines for Protection of Personal Information in the Finance Sector, organizations must immediately report breaches to the FSA.
Similarly, the Telecommunications Business Act requires telecom companies to report incidents to the Ministry of Internal Affairs and Communications “without delay.” This applies to incidents that cause service interruptions or affect users’ personal data.
Finally, all government agencies are required to report cyber incidents immediately to the Cybersecurity Incident Response Team (CSIRT) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC).
Singapore
In Singapore, cyber incident reporting requirements are governed by the Cybersecurity Act 2018 and the Personal Data Protection Act (PDPA) 2012. Under the Cybersecurity Act 2018, operators of critical information infrastructure must report significant incidents to the Cyber Security Agency (CSA) within two hours of discovering the incident. Under the PDPA, as amended in 2020, organizations that experience data breaches resulting in significant harm to individuals, or affecting five hundred or more individuals, must notify the Personal Data Protection Commission (PDPC) within 72 hours.
South Korea
In the Republic of Korea (hereafter “South Korea”), reporting of personal information breaches goes through the Korea Internet Security Agency (KISA) and the Personal Information Protection Commission (PIPC), acting under Articles 34 and 39-4 of the Personal Information Protection Act (PIPA) and Article 39-4 of the Credit Information Use and Protection Act:
- If the affected entity is a personal information controller, and the personal information of 1,000 or more people is divulged, the breach must be reported within 5 days.
- If the affected entity is an information and communications service provider, and the personal information of even one user is divulged (lost, stolen, or leaked), the breach must be reported within 24 hours.
- If the affected entity is a commercial enterprise or a corporation, and the personal credit data of 10,000 or more data subjects is divulged (leaked), the breach must be reported within 5 days.