Streamlining information security incident reporting and strengthening supply chain resilience

Key takeaways from Marsh’s Europe H1 2026 Cyber Market Update on the Digital Omnibus, ENISA’s reporting conduit, and Marsh’s four‑phase TPRM framework.

At our Europe H1 2026 Cyber Market Update webinar, Marsh welcomed a senior official from the European Commission who, alongside our specialists, discussed two important areas for organisations to consider: the Commission’s Digital Omnibus Bill to simplify incident reporting, and steps to accelerate third‑party risk management (TPRM) to strengthen supply‑chain resilience. The Digital Omnibus Bill, if passed, would establish a single, secure reporting platform run by the European Union Agency for Cybersecurity (ENISA) to cover multiple reporting obligations under EU regulations, including NIS2, GDPR, elements of the European Digital Identity Framework, and the Digital Operational Resilience Act (DORA). Below we summarise the key themes from the discussion.

What the Digital Omnibus proposes

The Digital Omnibus would establish a single, secure conduit for reporting incidents that may be reportable under multiple EU regulations. ENISA would develop and maintain the platform. Meanwhile, national agencies would remain the legally designated recipients and emergency respondents under the applicable laws. The proposal aims to reduce duplicative reporting obligations for organisations, lower the administrative burden, and improve the timeliness and completeness of reporting.

Expected benefits and scope

Beyond the estimated savings in administrative cost, the platform aims to reduce underreporting by simplifying the reporting process and improving authorities’ situational awareness. It would streamline incident submission without changing legal obligations. ENISA would operate the platform as a secure forwarding mechanism. It would not replace national agencies as the legal recipients where those instruments mandate them. The proposal emphasises strong security and interoperability, with technical specifications and piloting to be developed in close cooperation with member states. Where feasible, the Digital Omnibus Bill also seeks to harmonise reporting templates and timelines to avoid duplicate data requests.

Why this matters in practice

Multiple reporting channels have created administrative burdens and can discourage timely notification of incidents. Some entities currently notify several authorities for the same incident — with some organisations having to notify five different authorities for a single event. A single conduit should reduce duplication, lower the risk of underreporting, and speed coordinated responses — provided organisations adapt their internal processes accordingly.

Operational implications

In advance of the Digital Omnibus’s anticipated changes, organisations should take the following practical steps to secure benefits and ensure compliance:

  • Update incident response playbooks: Map reporting obligations (NIS2, GDPR, DORA, and national rules) into a consolidated workflow. Clarify which incidents trigger which legal duties. Document the sequence for drafting, approving, and submitting consolidated reports, and preserve evidence of compliance for each applicable instrument.
  • Rehearse reporting and escalation: Run tabletop exercises that simulate incidents requiring cross‑instrument reporting and practice preparing a single, consolidated submission. Validate escalation paths so operational teams, legal counsel, and executives understand their roles and sign‑off requirements under pressure.
  • Track ENISA pilots and member state guidance: Technical specifications and pilot outcomes will determine integration options and interoperability details. Monitor ENISA and national guidance so you can adapt templates, data exports, and systems to the conduit’s formats and security requirements, once finalised.
  • Maintain legal clarity: The conduit simplifies submission logistics but does not change which incidents must be reported or who must receive them. Continue to track obligations at the instrument and national level and retain traceable evidence showing compliance with each legal requirement.

Regulatory uncertainty and strategic planning

EU regulation is evolving rapidly while national transpositions remain staggered. This uneven rollout creates uncertainty, driving demand for strategic, scenario‑based regulatory impact analysis rather than one‑off compliance projects. Organisations should develop multi‑year regulatory scenarios to inform investment, resourcing, and control decisions. Third‑party and supply‑chain vulnerabilities are a primary barrier to cyber resilience. According to the World Economic Forum, in 2026, 65% of large organisations identified third‑party and supply‑chain weaknesses as their principal obstacle to resilience, up from 54% in 2025. Regulatory drivers (including DORA and NIS2) and geopolitical tensions are amplifying focus on supplier controls, continuity, and transparency.

Marsh’s four‑phase TPRM framework

To translate urgency into focused action, Marsh recommends a four‑phase approach:

  1. Inventory and criticality classification: Build and maintain a complete supplier inventory and classify providers by criticality to focus resources on high‑impact relationships.
  2. Control assessment: Evaluate supplier security controls (access management, vulnerability and patch management, and encryption) to determine residual risk and remediation priorities.
  3. Stress testing and response behaviour: Assess suppliers’ incident response, continuity planning, and reporting capabilities to understand performance under operational stress.
  4. Assurance and contractual reinforcement: Secure accountability through contracts, service level agreements (SLAs), attestations, audits, and insurance to close visibility and governance gaps.

Adopt a holistic view of third‑party risk

Clients increasingly expect TPRM that integrates cyber with financial, reputational, and environmental, social, and governance (ESG) risks. Effective programmes must address this multidimensional risk rather than treat cyber in isolation.

Practical checklist for boards and security leaders

  • Treat reporting harmonisation as operational change: Update and test incident management procedures.
  • Prioritise supplier visibility: Identify critical vendors and apply the four‑phase model to drive rapid risk reduction.
  • Build regulatory foresight: Adopt scenario planning and multi‑year regulatory impact analysis to inform budgeting and controls.
  • Integrate risk dimensions: Align cyber TPRM with financial, reputational, and ESG assessments to manage cascading impacts.

EU policymakers are moving to make incident reporting more efficient, while market and geopolitical dynamics are placing supplier resilience at the centre of cyber strategy. The Digital Omnibus promises operational relief from duplicate reporting, but its benefits will be realised only if organisations proactively align incident response workflows and accelerate third-party risk programmes.

Contact our Marsh team

We’re here to help strengthen your supply‑chain resilience and advise on next steps in response to the Digital Omnibus proposals.