
A look at breach reporting around the world

Yesterday we covered CISA’s new guidance for reporting. Today, let’s dive into Politico’s look at similar reporting around the world.

In the EU, Members of the European Parliament are seeking to expand their existing program to cover all medium-sized and large organizations that operate within several critical infrastructure sectors. Companies would have 24 hours to submit an initial report about the incident and one month to submit a final report. The proposed changes also include fines of at least 10 million euros or 2 percent of total global revenue for organizations that don’t report properly. 

In the UK, regulators are considering a few of the same changes as the EU, along with tweaks to what kinds of incidents companies need to report. The UK could also adopt fines and the EU’s proposed two-tiered reporting timelines.

And in Australia, a new cyber reporting program launched earlier this month, known as the Security Legislation Amendment (Critical Infrastructure) Act of 2021, gives affected critical infrastructure operators up to 12 hours to share details about a “critical” incident with the Australian Cybersecurity Centre — one of the tightest reporting timelines globally. While CISA will only focus on “significant” cyber incidents, Australia’s rules require affected entities to report both significant and non-critical incidents.

Why do we care?

For listeners in those countries, this is the reality on the ground. For those in the US, there are two reasons to care. First, any organization you work with, whether a customer or a vendor, that crosses those borders falls under these laws.

Second is the broader reason: if these other laws become de facto baseline requirements, note that it’s all the calories without the great taste of actual protection. Is that the position we want to be in?