
Incident Reporting

The CRA demands that cyber incidents be handled carefully, including reporting obligations to agencies and customers within a strict timeline.

The reporting obligation applies earlier than the rest of the regulation and will be mandatory from September 2026.

Incident handling must be framed in an Incident Reporting Plan (IRP): a structured approach for identifying, reporting, and managing incidents that may jeopardize device security, data integrity, or user privacy.


The significance of an IRP is heightened by the increasing number of regulatory requirements and standards aimed at securing IoT devices and the data they process. The CRA mandates stringent reporting procedures and incident management protocols.

This page is designed to assist IoT manufacturers in developing a comprehensive Incident Reporting Plan that not only ensures compliance but also fosters a culture of security awareness and proactive incident management.


Understanding Cyber Incidents and Reporting

Definition of a Cyber Incident

A cyber incident refers to any event that compromises the confidentiality, integrity or availability of information or systems.


Examples of cyber incidents include:

  • Data Breaches: Unauthorized access to sensitive data, which may include personal information, proprietary data, or intellectual property.

  • Malware Attacks: The introduction of malicious software that disrupts, damages, or gains unauthorized access to computer systems.

  • Denial of Service (DoS) Attacks: Attempts to make a network service unavailable by overwhelming it with traffic.

  • Unauthorized Access: Instances where hackers gain unauthorized access to systems or data, potentially leading to data theft or manipulation.


Important - As a manufacturer, you might experience two categories of cyber incident:

  1. An attack on your own network: the assets, users and accounts that make up your IT network, which might impact your business operations.

  2. An attack on devices that you have sold: those operated by your customers in the field and exploited by hackers due to misconfiguration, a security vulnerability or another factor.

Incident Reporting

When a cyber incident occurs, it is essential to adhere to established reporting protocols to ensure a prompt and effective response. The following steps are general guidelines applicable to any cyber incident within an organization:

  1. Identify the Incident: Clearly determine whether an event qualifies as a cyber incident based on predefined criteria established in your Incident Reporting Plan.

  2. Document the Details: Collect relevant information about the incident, including the nature of the incident, affected systems, potential impact and any immediate actions taken.

  3. Notify Appropriate Personnel: Report the incident to designated individuals or teams within the organization. This may include:

    • Security Team: The first point of contact for technical investigations and remediation efforts.

    • Compliance Officer: To assess compliance with legal and regulatory obligations.

    • Management: Senior leadership should be informed to enable decision-making and resource allocation.

  4. External Reporting: Depending on the severity and nature of the incident, you may also need to report the incident to external authorities, such as regulatory bodies or law enforcement, especially if it involves personal data breaches.

The CRA imposes strict deadlines for early warning notifications, which are vital for the swift dissemination of alerts concerning actively exploited vulnerabilities or cyber threats. This aspect of the legislation enables a rapid response, allowing preemptive action to minimize damage and strengthen the resilience of digital infrastructure. The CRA reflects a proactive stance, emphasizing not only anticipation of and fortification against cyber threats but also the necessity for quick, precise action in response to emerging risks.

Under the CRA guidelines, described in Article 14, manufacturers are required to notify relevant parties of any cyber incident, including:

  • An early warning notification of an actively exploited vulnerability within 24 hours of awareness, including details of the affected Member States where the product is available.

  • A comprehensive vulnerability notification within 72 hours of becoming aware of the exploited vulnerability, providing general information about the affected product, the exploit’s nature, and any corrective actions taken or required by users.

Additionally, a final report must be submitted within 14 days after a mitigation measure becomes available, including a description of the vulnerability, its severity, any identified malicious actors, and details about corrective actions or security updates made available.

Key points regarding security updates:

  • Mandatory updates: Manufacturers must ensure timely release of security updates to address known vulnerabilities.

  • Update duration: Security updates must be provided for a reasonable period after the product is on the market, covering the entire lifecycle.

  • Maximum reaction time: Manufacturers must respond promptly upon identifying a vulnerability, with flexibility depending on severity.

  • Information to users: Users must be informed of the availability of security updates and the risks of not applying them.

Recommended SLA for Critical Systems:

  • Critical: response time 24-48 hours; report to CSIRT within 24 hours

  • High-Risk: response time 3-5 days; report to CSIRT within 24 hours

  • Moderate: response time 2 weeks; report to CSIRT within 24 hours

  • Low-Risk: response time 1-2 months; report to CSIRT within 24 hours

Recommended SLA for Non-Critical Systems:

  • Critical: response time 3-5 days; report to CSIRT within 24 hours

  • High-Risk: response time 1 week; report to CSIRT within 24 hours

  • Moderate: response time 2-4 weeks; report to CSIRT within 24 hours

  • Low-Risk: response time 2-3 months or regular maintenance updates; report to CSIRT within 24 hours

The CVSS (Common Vulnerability Scoring System) helps assess the severity of vulnerabilities based on their potential impact. The scores range from 0 to 10, with higher scores indicating more severe vulnerabilities. Here are the categories:

  • Critical Vulnerabilities (CVSS 9.0-10.0): These vulnerabilities can lead to complete system compromise, data loss, or significant operational disruption, making them highly urgent to address.

  • High-Risk Vulnerabilities (CVSS 7.0-8.9): These may result in unauthorized access or system instability, though there are often available mitigations to reduce their impact.

  • Moderate Vulnerabilities (CVSS 4.0-6.9): These are exploitable flaws that may not immediately cause damage but still pose a security risk if left unresolved.

  • Low-Risk Vulnerabilities (CVSS 0.1-3.9): These are minor vulnerabilities that do not directly lead to system compromise but may still be worth addressing over time.
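The Article 14 timeline, the two SLA lists and the CVSS bands above combine into a small triage calculation: given a CVSS score, the criticality of the affected system and the moment the manufacturer became aware of the exploited vulnerability, derive the fix window and the notification deadlines. The following Python is an added example written for this page, not code from the CRA, ENISA or any vendor. The function and class names, the 30-day month used for the month-based windows, and the treatment of a 0.0 score as "None" (no fix SLA) are assumptions of the example; the durations themselves are the ones listed above.

```python
"""Triage helper: CVSS score + system criticality -> severity, fix window,
CRA Article 14 notification deadlines. Added example; names and the 30-day
month conversion are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# CVSS base-score bands as listed on the page (scores have one decimal).
SEVERITY_BANDS = (
    ("Critical", 9.0, 10.0),
    ("High", 7.0, 8.9),
    ("Moderate", 4.0, 6.9),
    ("Low", 0.1, 3.9),
)

# Recommended fix windows from the two SLA lists, as (earliest, latest).
# Month-based windows are converted with an assumed 30-day month.
RESPONSE_SLA = {
    "critical": {
        "Critical": (timedelta(hours=24), timedelta(hours=48)),
        "High": (timedelta(days=3), timedelta(days=5)),
        "Moderate": (timedelta(weeks=2), timedelta(weeks=2)),
        "Low": (timedelta(days=30), timedelta(days=60)),
    },
    "non-critical": {
        "Critical": (timedelta(days=3), timedelta(days=5)),
        "High": (timedelta(weeks=1), timedelta(weeks=1)),
        "Moderate": (timedelta(weeks=2), timedelta(weeks=4)),
        "Low": (timedelta(days=60), timedelta(days=90)),
    },
}

# CRA Article 14 timeline as described on the page.
EARLY_WARNING = timedelta(hours=24)      # also the "report to CSIRT" window in the SLA lists
VULN_NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=14)        # counted from when a mitigation becomes available


def classify_cvss(score: float) -> str:
    """Map a CVSS base score to the page's severity class.

    A score of exactly 0.0 is outside the page's bands; treating it as
    "None" (informational, no fix SLA) is an assumption of this example.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for name, low, high in SEVERITY_BANDS:
        if low <= score <= high:
            return name
    return "None"


@dataclass
class Deadlines:
    severity: str
    fix_due_earliest: Optional[datetime]
    fix_due_latest: Optional[datetime]
    early_warning_due: datetime
    vuln_notification_due: datetime
    final_report_due: Optional[datetime]


def plan_response(score: float, system_criticality: str, aware_at: datetime,
                  mitigation_available_at: Optional[datetime] = None) -> Deadlines:
    """Compute fix and notification deadlines from the moment of awareness."""
    severity = classify_cvss(score)
    window = RESPONSE_SLA[system_criticality].get(severity)
    final = mitigation_available_at + FINAL_REPORT if mitigation_available_at else None
    return Deadlines(
        severity=severity,
        fix_due_earliest=aware_at + window[0] if window else None,
        fix_due_latest=aware_at + window[1] if window else None,
        early_warning_due=aware_at + EARLY_WARNING,
        vuln_notification_due=aware_at + VULN_NOTIFICATION,
        final_report_due=final,
    )


def overdue_items(d: Deadlines, now: datetime) -> list:
    """Names of obligations whose deadline has already passed at `now`."""
    checks = (
        ("early_warning", d.early_warning_due),
        ("vuln_notification", d.vuln_notification_due),
        ("final_report", d.final_report_due),
        ("fix", d.fix_due_latest),
    )
    return [name for name, due in checks if due is not None and now > due]


if __name__ == "__main__":
    # Constructed scenario: awareness on 15 Sep 2026, mitigation ready a day later.
    aware = datetime(2026, 9, 15, 9, 0, tzinfo=timezone.utc)
    plan = plan_response(9.8, "critical", aware, mitigation_available_at=aware + timedelta(days=1))
    print(plan)
    print("overdue after 30 h:", overdue_items(plan, aware + timedelta(hours=30)))
```

Feeding `overdue_items` the current time from a scheduler gives a simple escalation trigger for the Incident Response Team: the early warning is the first obligation to lapse, a full day before the 72-hour notification.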

How to report and notify:

In the EU you are expected to implement the national Coordinated Vulnerability Disclosure policy developed by the NIS Cooperation Group.

For more information refer to:

Key Elements:

  • Coordinated Vulnerability Disclosure: Manufacturers are required to establish a clear policy for reporting product vulnerabilities, including an accessible channel for third parties to submit reports. Vulnerability information must be shared with relevant organizations to ensure effective coordination and response.

  • Single Point of Contact (SPOC): Manufacturers must designate a Single Point of Contact for users to report vulnerabilities. If vulnerabilities are found in third-party or open-source components, the manufacturer is responsible for notifying the respective component maintainer.

  • Importer & Distributor Responsibilities: Importers and distributors must promptly report identified vulnerabilities to the manufacturer to ensure timely corrective actions.

  • Good Faith Security Research: The CRA encourages Member States to provide legal protection to security researchers acting in good faith to identify and report vulnerabilities.

  • Bug Bounty Programs: Manufacturers are encouraged to implement coordinated vulnerability disclosure programs, including bug bounty programs that offer recognition and compensation for identifying and reporting vulnerabilities.

Cyber Incident in Distributed IoT Devices
Immediate Response
  • Assess the Impact: Quickly evaluate the extent of the incident to determine which product lines are affected. Gather data on the vulnerabilities being exploited and the potential impact on users.

  • Containment: Implement measures to contain the incident and prevent further damage. This may involve disabling affected devices, applying temporary fixes, or providing users with guidance on securing their devices until a permanent solution is deployed.

Patching and Remediation
  • Develop a Patch: If the incident originates from a vulnerability in the software or firmware of the affected IoT devices, prioritize the development of a patch to resolve the issue. Ensure that the patch undergoes rigorous testing before deployment to prevent the introduction of new vulnerabilities.

  • Timely Deployment: Establish a clear timeline for patch deployment, aiming to resolve the issue as quickly as possible while ensuring thoroughness in testing and validation.

User Communication
  • Security Advisory: Prepare and distribute a comprehensive security advisory to affected users. This advisory should include:

    • Details of the Incident: Clearly explain what occurred, the vulnerabilities identified and how they could be exploited by malicious actors.

    • Actions Taken: Outline the steps your organization is taking to remediate the issue and any temporary measures users should take to protect their devices.

    • Patch Availability: Inform users when and how they can obtain the patch, along with instructions for applying it effectively. Provide links to the updated firmware and any additional resources for guidance.

  • Support Channels: Establish dedicated support channels for users to ask questions or report further issues related to the incident. Ensure that support staff are equipped with the necessary information to assist users effectively.

Cyber Incident Response Plan (CIRP)

European agencies require manufacturers and suppliers to have a comprehensive cyber incident response plan in place. The following plan provides a suggested framework for managing cyber incidents. It is designed to assist you in addressing threats in real time and effectively managing the event. This structure aligns with ENISA guidelines, ensuring compliance with the CRA and other relevant regulations. Please note that as part of the CRA certification process, you are required to submit a Cyber Incident Response Plan (CIRP).

The Plan

Have a dedicated document that describes your preparation for a cyber event. The information requested in sections 2-12 below should be documented in it.

Incident Response Team (IRT)
  • Team Members: Identify roles and responsibilities (e.g., Incident Response Manager, Security Analyst, Legal Advisor, PR Team, etc.).

  • Contact Information: Provide a contact list with phone numbers and email addresses for all team members.

  • Escalation Procedure: Define the process for escalating incidents to senior management or external authorities.

Incident Classification
  • Incident Categories: Classify types of incidents (e.g., phishing, malware, DDoS, data breach).

  • Severity Levels: Define severity levels (e.g., Low, Medium, High, Critical), based on the incident's impact on confidentiality, integrity, availability and legal implications.

  • Impact Assessment: Criteria for determining potential impact (e.g., data loss, financial damage, reputational harm).

Incident Detection & Reporting

  • Incident Detection Methods: Document methods for identifying incidents (e.g., SIEM systems, threat intelligence feeds, anomaly detection).

  • Reporting Mechanism: Detail how incidents should be reported internally (e.g., email, ticketing system).

  • Incident Logging: Ensure all incidents are logged and assigned an identification number for tracking.

Incident Containment
  • Initial Containment: Define steps to prevent further damage (e.g., isolating affected systems, disabling network connections).

  • Short-Term vs. Long-Term Containment: Separate immediate actions from more permanent containment measures.

  • Collaboration: Guidelines for cooperating with third-party service providers, partners, or law enforcement if necessary.

Eradication

  • Root Cause Analysis: Determine and document the root cause of the incident.

  • Removal of Threats: Steps to eliminate malicious actors or malware from the environment (e.g., malware removal, patching vulnerabilities).

  • Validation: Ensure the threat has been fully removed and cannot reoccur.

Recovery

  • Restoration: Procedures for restoring affected systems and services (e.g., restoring backups, rebuilding systems).

  • Validation and Testing: Ensure systems are operational and secure before going back online (e.g., penetration testing).

  • Monitoring: Increase monitoring to detect any recurrence or related issues.

Communication

  • Internal Communication: Define who needs to be informed (e.g., IT staff, executives, legal teams).

  • External Communication: Procedures for communicating with customers, media, partners, and regulatory authorities.

  • Incident Notification: Timely reporting to data protection authorities in compliance with GDPR if personal data is compromised.

Documentation & Reporting

  • Incident Reports: Post-incident report including timeline, root cause, actions taken, and impact assessment.

  • Lessons Learned: Analyze lessons learned and update policies or systems to prevent future incidents.

  • Legal Reporting: Ensure compliance with relevant regulations, including reporting to authorities as required by law.

Post-Incident Analysis

  • Post-Incident Review (PIR): Hold a formal meeting to review the incident response process.

  • Update Security Measures: Identify areas for improvement and implement necessary changes to security protocols.

  • Training: Provide additional training to staff if gaps in knowledge or procedure are identified.

Testing & Training

  • Tabletop Exercises: Conduct regular simulated cyber incident scenarios.

  • IR Plan Testing: Periodically test and validate the Incident Response Plan to ensure readiness.

  • Training: Ensure all members of the Incident Response Team are adequately trained on new threats and response tactics.

Continuous Improvement
  • Plan Review: Regularly review and update the Incident Response Plan to reflect new threats, technologies, or regulatory changes.

  • Feedback Loop: Create a feedback mechanism to incorporate insights gained from each incident into future response efforts.

Compliance and Standards

The Role of ENISA in Incident Reporting and CyCLONE
1. ENISA

The European Union Agency for Cybersecurity (ENISA) plays a crucial role in enhancing cybersecurity across Europe. Established in 2004, ENISA’s mission is to promote a high level of network and information security within the EU by providing expertise, guidance, and support to member states, EU institutions, and stakeholders in the private sector. One of the agency's key functions is to facilitate incident reporting and response at both national and European levels.

2. ENISA’s Role in Incident Reporting

ENISA supports member states and organizations in developing and implementing effective incident reporting frameworks. This involves:

  • Guidance and Best Practices: ENISA publishes guidelines and best practice frameworks for organizations to enhance their incident response capabilities. These documents help establish a standardized approach to identifying, reporting, and managing cybersecurity incidents.

  • Incident Reporting Mechanisms: ENISA works with national Computer Security Incident Response Teams (CSIRTs) and other relevant bodies to create mechanisms for effective incident reporting and response. This collaboration helps ensure that incidents are reported in a timely manner and that appropriate responses are coordinated across borders.

  • Training and Capacity Building: The agency provides training and resources to enhance the skills of cybersecurity professionals in incident handling and reporting. This includes conducting workshops, seminars, and exercises that simulate incident scenarios.

  • Collaboration with Stakeholders: ENISA fosters collaboration among stakeholders, including public and private sectors, to share information about incidents and vulnerabilities. This collaborative approach helps improve overall cybersecurity resilience in Europe.

3. Introduction to CyCLONE

https://www.enisa.europa.eu/topics/incident-response/cyclone
CyCLONE (Cyber Crisis Liaison Organization Network) is an initiative supported by ENISA aimed at improving the coordination and response to cybersecurity incidents across Europe. It serves as a collaborative network that connects national and EU-level authorities, including CSIRTs, law enforcement agencies, and relevant stakeholders. The main objectives of CyCLONE include:

  • Crisis Coordination: CyCLONE facilitates communication and coordination among various entities involved in incident management, ensuring that information flows effectively during a cybersecurity crisis.

  • Real-Time Information Sharing: The network provides a platform for sharing real-time information about ongoing incidents, threats, and vulnerabilities. This enhances situational awareness and enables organizations to respond more effectively to emerging threats.

  • Joint Exercises and Training: CyCLONE organizes joint exercises and training sessions that simulate cyber crises, allowing participants to practice coordination and response strategies. This helps improve preparedness and enhances the capacity of organizations to manage incidents. 

  • Policy Development: The initiative also contributes to the development of policies and frameworks related to incident reporting and crisis management at the EU level. This ensures a harmonized approach to cybersecurity incidents across member states.

4. CyCLONE’s Contribution to Incident Reporting

CyCLONE plays a pivotal role in incident reporting in the following ways:

  • Streamlined Reporting Channels: By establishing clear reporting channels among member states, CyCLONE facilitates prompt reporting of significant incidents to relevant authorities. This streamlining helps reduce response times and ensures that necessary actions are taken swiftly.

  • Standardized Procedures: The initiative promotes standardized incident reporting procedures, enabling organizations across Europe to follow consistent practices when reporting incidents. This standardization helps improve data quality and enhances the ability to analyze trends across the EU.

  • Support for National CSIRTs: CyCLONE provides support to national CSIRTs, enabling them to collaborate effectively with one another and share insights on incident management. This collaboration enhances the overall response capacity of cybersecurity teams.

  • Feedback Loop: The initiative fosters a feedback loop where organizations can learn from past incidents and improve their incident reporting and response processes. Lessons learned from real incidents can inform future policies and best practices.

Industry Standards

In addition to legal requirements, several industry standards provide guidelines for incident management:

  • ISO/IEC 27001: This standard outlines the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It includes guidelines for incident management processes.

  • ISO 27035: International standard for information security incident management, providing a structured framework for detecting, responding to, and recovering from security incidents. It outlines best practices for establishing an incident response process, minimizing damage, and improving cybersecurity resilience within organizations.

  • NIST Cybersecurity Framework: The National Institute of Standards and Technology (NIST) provides a comprehensive framework that can be adapted for IoT incident reporting, focusing on identifying, protecting, detecting, responding to, and recovering from cybersecurity incidents.

Impact of the CRA on Incident Reporting

The Cybersecurity Regulation Act (CRA) is a cornerstone of the European Union's strategy to enhance the security of networks and information systems. The CRA emphasizes the need for organizations to implement effective risk management measures and to report significant incidents. Key requirements include:

  • Incident Reporting: Organizations must report incidents that could have a substantial impact on the security of their network and information systems. Reports should be submitted to national authorities within specific timeframes. It includes vulnerabilities and incidents on products that they develop.

  • Risk Assessment: Regular assessments must be conducted to identify potential vulnerabilities and threats to IoT devices and systems.

Education and Awareness

Incident Response

Education and training are essential for the successful implementation of an Incident Reporting Plan. Cultivating a culture of security awareness ensures that all personnel understand their roles and responsibilities in incident management.

Awareness Programs

Developing awareness programs that educate employees about the importance of incident reporting is essential. These programs should cover:

  • Types of Incidents: Familiarize staff with various types of incidents that may occur, such as unauthorized access, data breaches, or physical security threats.

  • Reporting Procedures: Clearly outline the steps for reporting incidents, including who to contact and the information required for reporting.

Training Sessions

Regular training sessions should be conducted to reinforce knowledge and skills. Training can include:

  • Simulation Exercises: Conduct mock incident scenarios to practice response protocols and improve incident detection and reporting skills.

  • Updates on Regulations: Provide ongoing training on relevant laws and standards, ensuring that personnel are aware of compliance requirements.

Online Courses and Resources

1. Coursera
  • Cybersecurity Incident Response

    • Provider: University of Colorado

    • Overview: This course provides an understanding of incident response processes, including how to effectively report incidents and manage them in real-time.

  • Introduction to Cybersecurity Specialization

    • Provider: NYU (New York University)

    • Overview: This specialization includes a course on security operations and incident management, emphasizing incident reporting best practices.

2. edX
  • Cybersecurity Fundamentals

    • Provider: Rochester Institute of Technology

    • Overview: This professional certificate includes modules on incident detection and reporting as part of a broader cybersecurity curriculum.

  • Incident Management and Response

    • Provider: University of Washington

    • Overview: This course focuses specifically on incident management frameworks and the incident reporting process.

3. Udemy
  • Cybersecurity Incident Response: A Comprehensive Guide

    • Overview: This course covers the complete incident response lifecycle, including reporting and documentation practices.

  • Incident Response and Handling: A Practical Guide

    • Overview: This course teaches practical incident response techniques, including how to document and report incidents effectively.

4. Pluralsight
  • Incident Response Fundamentals

    • Overview: This course provides an overview of incident response processes, focusing on reporting, analysis, and remediation strategies.

5. SANS Institute
  • SANS Training Courses

    • Overview: SANS offers a variety of courses focused on incident response and reporting, including their FOR508: Cybersecurity Incident Response and Threat Hunting course, which covers incident reporting in-depth.

6. FutureLearn
  • Introduction to Cybersecurity

    • Provider: The Open University

    • Overview: This course includes modules on understanding cybersecurity incidents and the reporting procedures involved.

7. LinkedIn Learning
  • Incident Response and Handling

    • Overview: This course covers the incident response process, including strategies for reporting and managing incidents.

8. Cybersecurity & Infrastructure Security Agency (CISA)
  • Incident Command System (ICS) Training

    • Overview: CISA offers various resources and training for incident response, including modules on effective communication and reporting during incidents.

9. ENISA

Tools and Technologies

Security Information and Event Management (SIEM) Tools

Tools and platforms that collect and consolidate security events to monitor for and identify cyberattacks at an early phase:

  • Splunk

    • Link: Splunk Security Solutions

    • Description: A powerful SIEM tool that provides real-time visibility into security incidents, allowing for effective monitoring and incident reporting.

  • IBM QRadar

    • Link: IBM QRadar

    • Description: A leading SIEM solution that integrates security data across the enterprise to provide insights and incident response capabilities.

  • ArcSight

    • Link: Micro Focus ArcSight

    • Description: A SIEM solution that offers advanced threat detection and response capabilities through real-time monitoring and incident reporting.

Incident Reporting Frameworks and Protocols
  • NIST Computer Security Incident Handling Guide (SP 800-61)

    • Link: NIST SP 800-61

    • Description: A comprehensive guide on incident handling, including processes for incident reporting, management, and response.

  • ENISA Incident Reporting Framework

    • Link: ENISA Incident Reporting

    • Description: Guidelines provided by ENISA on how to implement effective incident reporting mechanisms.

Threat Intelligence Platforms
  • Recorded Future

    • Link: Recorded Future

    • Description: A threat intelligence platform that provides real-time data to help organizations understand and respond to potential threats and incidents.

  • ThreatConnect

    • Link: ThreatConnect

    • Description: A threat intelligence platform that integrates incident reporting with actionable intelligence for enhanced security posture.

  • Threat Alliance

    • Link: Threat Alliance

    • Description: A threat intelligence sharing platform that enables organizations to share insights and collaborate on cybersecurity threats and incidents, enhancing collective security posture.

Incident Response services

Security firms and consultants can help build a cyber incident response plan; they also provide services such as managed detection and response.

  • Check Point Software

    • Link: Check Point Software

    • Check Point Software offers a variety of services that are highly relevant to incident response. One of their key offerings is Incident Response as a Service (IRaaS). This service involves Check Point analysts who assess and respond to incidents on behalf of organizations, providing 24/7 coverage. This is particularly beneficial for companies looking to alleviate the workload on their Security Operations Center (SOC) or Help Desk teams. In addition, Check Point provides Managed Detection and Response (MDR) services, which monitor, detect, investigate, and respond to threats across the entire IT infrastructure, including IoT devices. Their MDR services leverage advanced threat intelligence and AI analytics, allowing for proactive threat hunting and orchestrated response actions.

      If you would like to explore more about Check Point's incident response offerings, you can visit their official pages on Incident Response as a Service and Managed Detection and Response Services.

  • FireEye

    • Mandiant, a division of FireEye, provides incident response and threat intelligence services, assisting organizations in managing and mitigating cyber incidents. FireEye Mandiant

  • NCC Group

    • They provide comprehensive incident response services tailored for various industries, including operational technology (OT) and IoT. Their expertise includes vulnerability assessments, penetration testing, and tailored security solutions for connected devices. NCC Group Cyber Security

  • Nozomi Networks

    • Primarily focused on securing operational technology and IoT, Nozomi collaborates with top incident responders, including Mandiant and IBM, to enhance incident response capabilities specifically for IoT environments. Their services include threat detection, network monitoring, and incident response tailored to critical infrastructure. 
      Nozomi Networks

  • Avertium 

    • This firm offers incident response services specifically designed for IoT environments, addressing the unique security challenges that come with connected devices. They provide assessments, remediation, and ongoing monitoring to ensure robust security.
      Avertium

  • Red Canary

    • While not exclusively focused on IoT, Red Canary offers incident response and threat detection services that include support for IoT devices as part of broader cybersecurity solutions. They emphasize proactive monitoring and rapid incident response.
      Red Canary

Mitigations

When you have a mitigation in place that removes the feasibility of exploiting the device, for example through a configuration change, you can issue a security advisory with instructions on how to enable the mitigation and then reduce the criticality of the vulnerability.

Consider the following features that can help you mitigate vulnerabilities in the field:

Device-Level Security

  • Access control policy in the device: block incoming traffic from the Internet and allow management of the device only from the LAN or over Bluetooth, to reduce the potential for remote attacks

  • Enforce password policy complexity: no default passwords, brute-force protections

  • Disable permissive features and component by default

  • Virtual patching: requires central or cloud management

  • Harden the device by integrating security features like open-nanosec, available for standalone devices as well
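The first two device-level features above (management reachable only from the LAN or Bluetooth, no default passwords plus brute-force protection) and the "Incident Detection Methods" item of the CIRP (anomaly detection over device logs) can be shown together in one piece of defensive logic. The following Python is an added example written for this page, not firmware or tooling from any vendor named here. The interface names, the private address ranges used for the LAN, the lockout thresholds, the default-password denylist and the auth-log format are all assumptions of the example; the sample log lines are constructed.

```python
"""Device-side mitigations from the page, as a small management service might
apply them, plus brute-force detection over constructed auth log lines.
Added example; subnets, thresholds, interface names and log format are assumed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy: management is reachable only from private/link-local sources on
# the LAN interface, or from any peer on the Bluetooth interface. Never from the WAN.
MANAGEMENT_ALLOWED_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/10")
]
LOCAL_INTERFACES = {"lan0", "bt0"}


def management_access_allowed(src_ip: str, iface: str) -> bool:
    """Access-control decision for an incoming management connection."""
    if iface not in LOCAL_INTERFACES:
        return False                      # WAN-facing interfaces are never allowed
    if iface == "bt0":
        return True                       # Bluetooth peers are local by construction
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    # A public address arriving on lan0 is still rejected (misconfigured uplink, spoofing).
    return any(addr in net for net in MANAGEMENT_ALLOWED_NETS)


# Constructed denylist of factory/default credentials; a real one would be far longer.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345678", "root"}
MIN_LENGTH = 12


def password_policy_violations(password: str) -> list:
    """Return the policy rules a candidate administrator password breaks (empty = OK)."""
    issues = []
    if password.lower() in DEFAULT_PASSWORDS:
        issues.append("default-or-common")
    if len(password) < MIN_LENGTH:
        issues.append("too-short")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        issues.append("insufficient-complexity")
    return issues


class LoginGuard:
    """Sliding-window failure counter with temporary lockout per source address."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10), lockout=timedelta(minutes=15)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(list)   # source -> timestamps of recent failures
        self.locked_until = {}

    def is_locked(self, source: str, now: datetime) -> bool:
        return self.locked_until.get(source, now) > now

    def record_failure(self, source: str, now: datetime) -> bool:
        """Register a failed login; returns True when this failure triggers a lockout."""
        recent = [t for t in self.failures[source] if now - t <= self.window]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[source] = now + self.lockout
            self.failures[source] = []
            return True
        self.failures[source] = recent
        return False


# Assumed device auth-log format; these lines are constructed for the example.
LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+) iface=(?P<iface>\S+)$")
SAMPLE_LOG = [
    "2026-09-15T09:00:01Z auth FAIL user=admin src=203.0.113.5 iface=wan0",
    "2026-09-15T09:00:02Z auth FAIL user=admin src=203.0.113.5 iface=wan0",
    "2026-09-15T09:00:03Z auth FAIL user=admin src=203.0.113.5 iface=wan0",
    "2026-09-15T09:00:04Z auth FAIL user=admin src=203.0.113.5 iface=wan0",
    "2026-09-15T09:00:05Z auth FAIL user=admin src=203.0.113.5 iface=wan0",
    "2026-09-15T09:00:06Z auth FAIL user=admin src=203.0.113.5 iface=wan0",
    "2026-09-15T09:01:00Z auth FAIL user=admin src=192.168.1.20 iface=lan0",
    "2026-09-15T09:01:10Z auth OK user=admin src=192.168.1.20 iface=lan0",
]


def detect_bruteforce(lines, guard: LoginGuard = None) -> list:
    """Replay auth log lines through the guard; return (source, user, time) per lockout."""
    guard = guard or LoginGuard()
    lockouts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # unparseable line: skipped here, would be counted in a real collector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if m["result"] == "FAIL" and guard.record_failure(m["src"], ts):
            lockouts.append((m["src"], m["user"], ts))
    return lockouts


if __name__ == "__main__":
    print(management_access_allowed("203.0.113.5", "wan0"), management_access_allowed("192.168.1.20", "lan0"))
    print(password_policy_violations("admin"), password_policy_violations("Corr3ct-Horse-Battery!"))
    print(detect_bruteforce(SAMPLE_LOG))
```

In the sample log the burst from the WAN source would already have been dropped by `management_access_allowed` if the access-control policy were enabled; the detector matters for devices where it is not, and its lockout events are the kind of signal that feeds the incident-logging step of the CIRP.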
