Annual Report Trust Services Security Incidents 2017

Pablo López-Aguilar Beltrán

Summary

The Annual Report Trust Services Security Incidents 2017 marks the first full year of annual reporting on significant security incidents in the EU's trust services sector. The legal framework for this incident reporting process is Article 19 of the eIDAS regulation.

Impact description

The Annual Report Trust Services Security Incidents 2017 aggregates and analyses the annual summary reports from EU Member States about security breaches notified by trust service providers. It draws the following conclusions:

  • The number of notified security breaches increased significantly compared to the previous year. This should not be interpreted as a sign of decreasing security. In the first years of security incident reporting in the telecom sector there was also a gradual increase in the number of reported incidents, because it takes some time for service providers to become familiar with the breach reporting obligations and the procedure.
  • Almost half of the notified breaches, 43%, involve certificates for electronic signatures and electronic seals.
  • System failures, third party failures and human errors are the main root causes. Only 7% of the breaches are caused by malicious actions.
  • Almost half of the notified breaches, 46%, had an impact across borders. This shows that the EU trust services sector is indeed to a large extent cross-border, with suppliers and providers offering services across the EU.
  • Half of the incidents were rated as having a severe (level 4) or disastrous (level 5) impact. Half of the cross-border incidents were rated as having a disastrous impact (level 5).
  • A number of notified breaches had the same underlying cause, i.e. the ROCA case.

The general conclusion of the report is that cross-border collaboration and information exchange are very important when it comes to supervision and ensuring the security of trust services in the EU. eIDAS provides the legal basis for collaboration and information exchange mechanisms between supervisory bodies. The sooner organizations learn about threats and incidents, the sooner they can decide the best course for mitigation. Good information exchange about threats and incidents makes mitigation easier.

The full report is available in the following LINK.