A single-entry point for incident reporting to streamline the process across multiple regulations
The Digital Omnibus proposal introduces a single-entry point for incident reporting to streamline the process across multiple regulations. This single-entry point will be developed and maintained by ENISA (European Union Agency for Cybersecurity) and will serve as a unified platform for entities to report incidents and vulnerabilities under various EU legal frameworks.
Below is an outline of the reporting requirements:
Single-Entry Point for Incident Reporting:
Purpose: To provide a unified platform for entities to fulfil their reporting obligations under multiple EU legal acts. To reduce administrative burdens by enabling entities to report incidents once, fulfilling obligations across different regulations.
Mandated Regulations:
Directive (EU) 2022/2555 (NIS2 Directive): Reporting of significant cybersecurity incidents by essential and important entities.
Regulation (EU) 2016/679 (GDPR): Reporting of personal data breaches.
Regulation (EU) 2022/2554 (DORA): Reporting of major ICT-related incidents and voluntary notifications of significant cyber threats in the financial sector.
Regulation (EU) 910/2014 (eIDAS Regulation): Reporting of incidents related to trust services and electronic identification.
Directive (EU) 2022/2557 (CER Directive): Reporting of incidents that significantly disrupt or have the potential to disrupt the provision of essential services.
Cyber Resilience Act
The single-entry point for incident reporting will build on the single reporting platform established under the Cyber Resilience Act (CRA). The proposal simplifies reporting in instances where a business or entity falls under the scope of both laws, as “essential entities” under NIS2 and “manufacturers” under CRA.
Key Features:
“Report Once, Share Many” Principle: Entities can submit a single report to fulfil multiple legal obligations.
Interoperability: The single-entry point will be interoperable with other reporting systems and compatible with European Business Wallets.
Secure Information Flow: ENISA will ensure the secure transmission of incident reports to the relevant authorities under the respective regulations.
Implementation Timeline: The single-entry point is expected to be operational within 18 months of the entry into force of the Digital Omnibus Regulation. If the Commission finds that the single-entry point does not meet the required standards, the timeline may be extended to 24 months.
Incident Reporting Requirements: Entities must report incidents that meet the criteria set out in the respective regulations (e.g., significant impact on services, high risk to data subjects’ rights and freedoms, or major ICT-related incidents). Reporting must be done through the single-entry point once it is operational.
ENISA’s Role: ENISA will develop and maintain the single-entry point. ENISA will consult with the Commission, CSIRTs network, and competent authorities to ensure the platform meets the specific requirements of each regulation. ENISA will pilot the single-entry point and ensure its proper functioning, reliability, integrity, and confidentiality before full implementation.
Standardised Reporting Templates: The Commission will adopt common reporting templates for incident notifications under the respective regulations to ensure consistency and reduce administrative burdens.
Summary:
The single-entry point for incident reporting aims to simplify compliance for entities by consolidating reporting obligations under multiple EU regulations into one platform. ENISA will oversee its development and ensure interoperability, security, and alignment with existing frameworks. This initiative is expected to reduce administrative costs and improve the efficiency of incident reporting across the EU.
The single-entry point for incident reporting is expected to be implemented within 18 to 24 months after the Digital Omnibus Regulation enters into force. Until then, existing reporting mechanisms will remain in place, and the Cyber Resilience Act single reporting platform will still be necessary to meet the September 2026 deadline.
This is exactly the gap the CRA-AI project addresses for SMEs — providing an AI-driven platform and expert training to make conformity achievable.
To find out more details on the Digital Omnibus, follow the link here: https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal
