Most cyberincidents aren’t detected or reported, the European Network and Information Security Agency (ENISA) said Monday. Its report, a snapshot of existing and future EU legislation on security measures and incident reporting, showed that there has been progress, but gaps in national implementation of those laws mean most cyberattacks aren’t dealt with, it said. Large-scale outages and data breaches get plenty of media attention, but many breaches remain unnoticed or aren’t reported to authorities or the public, ENISA said. There’s no overall view across the digital society of the incidents, their root causes or their impact on users, it said. This lack of transparency and information makes it hard for policymakers to understand why they need to take action, and complicates industry efforts to address the problem, it said. Legislation can play a key role, and there are now several EU security measures, including in the telecom reform package, e-privacy directive and data protection regulations, as well as an upcoming European cybersecurity strategy, it said. But regulatory gaps remain, it said. Some security incidents don’t fall within existing laws and aren’t being discussed by providers and national regulators, it said. The agency urged the European Commission and national authorities to “discuss, agree, and clarify the scope of legislation on electronic communications and address these and other gaps.” The ultimate goal is to limit the effects of security and personal data breaches or prevent them altogether by making sure appropriate security measures are taken, it said. “This type of governance is crucial and not easy,” so national regulators should share knowledge to create an effective mix of high-level legal obligations and technical implementation requirements, it said. ENISA also recommended better incident reporting procedures and information-sharing among national response teams.