Athens, 20 December, 2024
ENISA’s 2023 report on trust services security incidents provides the seventh round of security incident reporting for the EU’s trust services sector, analysing root causes, statistics and trends. It is an aggregated overview of the reported breaches for 2023 as conveyed to ENISA and the Commission by 27 EU Member States and 3 EEA countries.
Executive Summary
Every year national supervisory bodies must send annual summary reports about the notified breaches to ENISA and the Commission.
In 2023, a total of 63 incidents were reported and analysed (1). Key findings from the 2023 incident reports are summarised in the following list of points:
- Two thirds of EU supervisory bodies (SBs) – 18 out of 27 – sent their respective reports with 0 incidents reported (2).
- Reported incidents increased by 80 % to a total of 63 incidents, compared with 35 in 2022 (3).
- The number of incidents caused by malicious actions (9) has increased since 2022 (5), reaching the same level as in 2021. However, at 14 % of the total, the share of this root cause has remained constant since 2022.
- The overall impact of the incidents amounted to 3 184 million user hours lost, compared with 405 million in 2022. 3 140 million hours were lost due to malicious actions, amounting to 98 % of the total (4). One million hours were lost due to system failures and 43 million hours due to human errors (5).
- In terms of impact, in all four categories – no impact, minor, large, very large – the number of incidents almost doubled:
  - in 2023, 5 incidents with no impact were reported, 35 with minor impact, 18 large incidents and 5 very large incidents;
  - the number of incidents with minor impact has almost doubled compared with 2022, but remains in line with data from previous years;
  - the number of large and very large incidents has continued to increase.
Read the full report
—
(1) One type D incident, which is not analysed here, was reported under eIDAS in 2023. Type D: threat or vulnerability.
For instance, the discovery of a cryptographic weakness would be categorised as a type D incident.
(2) 2022: 13/27; 2021: 17/27; 2020: 19/27; 2019: 17/27; 2018: 18/27; 2017: 17/27; 2016: 26/27.
(3) Among them, 46 incidents occurred in 9 EU SBs and 21 in SBs from EEA countries.
(4) In 2022 it was 0 million.
(5) In 2022 it was 34 million and 371 million, respectively.
Source – ENISA