ENISA report on Trust Services Security Incidents
ENISA published its 2020 report on security incidents affecting trust services. Under Article 19 of the eIDAS Regulation, both qualified and non-qualified trust service providers must notify their national supervisory body of security breaches and losses of integrity that have a significant impact on the trust service or on the personal data it holds. Every year, these supervisory bodies must send summary reports to ENISA and the Commission. ENISA aggregates the data and presents an overview.
The 2020 ENISA report shows that qualified trust service providers are more likely to report an incident, while non-qualified trust service providers tend to under-report. In most cases the notification comes from a provider that offers both qualified and non-qualified services and reports an incident that affected both.
A vast majority of reported incidents were minor. Only one incident had a very large (disastrous) impact and three had a large impact.
System failure remains the number one root cause of reported incidents: 53% of the 2020 incidents had a system failure as root cause. Typically, system failures are due to either hardware failures or software bugs. This could result, for instance, in the unavailability of the eSignature service due to an outage of the front-end application component. Human errors account for 39% of incidents, and only 5% of the incidents were flagged as malicious actions.
The ENISA report also looks into the detailed causes of incidents. It clearly shows that a faulty software change or update is the most frequent detailed cause.
eSignature is by far the most affected service. 69% of reported incidents had an impact on electronic signatures. eSeal and eTimestamp came second with both 11%.
Broken down by sub-service, the impact falls mainly on certificate management (47% of the incidents) and certificate generation (42% of the incidents).