NIS2: Incident Reporting
Incident Reporting [Art 23]
Rule: Entities must report significant incidents to their national CSIRT or, where applicable, competent authority in stages with fixed deadlines: early warning within 24 hours of becoming aware of the incident, incident notification within 72 hours of becoming aware, and final report within 1 month of submitting the incident notification.
Reporting Timeline [Art 23(4)]
| Stage | Deadline | Content Required |
|---|---|---|
| Early warning | Within 24 hours of becoming aware | Whether the incident is suspected to be caused by unlawful or malicious acts; whether it could have a cross-border impact |
| Incident notification | Within 72 hours of becoming aware | Update of the early warning; initial assessment of severity and impact; indicators of compromise, where available |
| Intermediate report | On request of the CSIRT or competent authority | Relevant status updates |
| Final report | Within 1 month of submitting the incident notification | Detailed description including severity and impact; type of threat or likely root cause; applied and ongoing mitigation measures; cross-border impact, where applicable |
Derogation: a trust service provider must submit the incident notification within 24 hours of becoming aware for significant incidents that affect the provision of its trust services (Art 23(4)).
What Is a Significant Incident? [Art 23(3)]
An incident is significant if it:
| Criterion | Threshold |
|---|---|
| Operational disruption | Has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned |
| Other parties affected | Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage |
To Whom to Report [Art 23(1)]
Report to:
- The CSIRT (Computer Security Incident Response Team) or, where applicable, the competent authority, as designated by the Member State
Plus, where appropriate:
- Recipients of services: inform them without undue delay of significant incidents likely to adversely affect the provision of those services
Note: the entity does not notify other Member States itself. Cross-border propagation is handled by the CSIRT, competent authority or single point of contact (see Cross-Border Incidents below).
Early Warning Content (24 hours)
Must include:
- That a significant incident has occurred (or is suspected)
- Whether incident is suspected to be caused by unlawful or malicious act
- Whether incident could have cross-border impact
Can be brief: full details are not required at this stage. The mere act of notifying does not expose the entity to increased liability (Art 23(1)). In return, the CSIRT must respond, where possible within 24 hours of receiving the early warning, with initial feedback and, on request, guidance or operational advice on mitigation measures (Art 23(5)).
Incident Notification Content (72 hours)
Must include:
- Update to early warning information
- Initial assessment of the incident:
  - Severity
  - Impact
- Indicators of compromise (IoCs), where available
Final Report Content (1 month)
Must include:
- Detailed description of the incident
- Severity and impact assessment
- Type of threat or root cause that is likely to have triggered the incident
- Mitigation measures applied and ongoing
- Cross-border impact if applicable
Extension: If the incident is still ongoing when the final report is due, the entity submits a progress report at that point and the final report within 1 month of completing its handling of the incident (Art 23(4)(e)).
Reporting to Service Recipients [Art 23(1)-(2)]
Two separate duties apply:
- Significant incidents [Art 23(1)]: where appropriate, inform recipients of services without undue delay of significant incidents likely to adversely affect the provision of those services
- Significant cyber threats [Art 23(2)]: where applicable, communicate to potentially affected recipients any measures or remedies they can take in response to the threat, and where appropriate inform them of the threat itself
Cross-Border Incidents [Art 23(6)-(8)]
Where appropriate, and in particular if the significant incident concerns two or more Member States:
- The CSIRT, competent authority or single point of contact informs the other affected Member States and ENISA without undue delay, passing on the type of information received under Art 23(4) [Art 23(6)]
- Where public awareness is needed to prevent or handle the incident, or disclosure is otherwise in the public interest, the CSIRT or competent authority may inform the public or require the entity to do so, after consulting the entity [Art 23(7)]
- At the request of the CSIRT or competent authority, the single point of contact forwards notifications to the single points of contact of other affected Member States [Art 23(8)]
Voluntary Notification [Art 30]
Essential and important entities may voluntarily report:
- Near misses: events that could have compromised availability, authenticity, integrity or confidentiality but were prevented or did not materialise
- Cyber threats observed
- Incidents that fall below the significance threshold
Entities outside that group may voluntarily report significant incidents, cyber threats and near misses. Vulnerabilities are not an Art 30 category; they fall under coordinated vulnerability disclosure (Art 12).
Voluntary notification imposes no additional obligations the entity would not otherwise have had, although Member States may prioritise the processing of mandatory notifications over voluntary ones [Art 30(2)].
Confidentiality of Reported Information [Art 23(6)]
When forwarding incident information to other Member States, ENISA or other single points of contact, the CSIRT, competent authority or single point of contact must, in accordance with Union or national law:
- Preserve the entity's security and commercial interests
- Preserve the confidentiality of the information provided
Comparison with Other Frameworks
| Framework | Notification Deadline | To Whom |
|---|---|---|
| NIS2 (Art 23) | 24h early warning and 72h incident notification, both from becoming aware; final report 1 month after the incident notification | CSIRT or competent authority |
| GDPR (Art 33) | 72h from becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals | Supervisory authority (affected data subjects under Art 34 where the risk is high) |
| DORA (Art 19) | Initial notification within 4h of classifying an ICT-related incident as major and no later than 24h from becoming aware; intermediate report within 72h; final report within 1 month (timings set by the DORA reporting RTS) | Financial competent authority |
Caveat: for financial entities, DORA is the sector-specific act whose reporting requirements, where at least equivalent in effect, replace Art 23 (NIS2 Art 4). A personal data breach that is also a significant incident triggers both NIS2 and GDPR notifications, to different recipients and on different clocks.
Practical Implementation
Prepare in advance:
- Identify your CSIRT — Know which CSIRT or competent authority your Member State has designated for your sector, and its submission channel
- Define awareness — The 24h and 72h clocks start when the entity becomes aware; record the timestamp of awareness and who decided the incident was significant
- Prepare templates — Pre-draft the early warning, incident notification and final report so only incident-specific fields need filling
- Define escalation — Internal escalation paths from the SOC or IR team to the person who decides on significance
- Assign responsibility — Who sends notifications, and who deputises outside business hours
- Test the process — Run incident exercises against the deadlines, including the recipient-notification step
Failure to Report
Failure to notify significant incidents under Art 23 is an infringement subject to:
- Administrative fines: for essential entities a maximum of at least EUR 10 000 000 or 2% of total worldwide annual turnover, whichever is higher; for important entities a maximum of at least EUR 7 000 000 or 1.4% [Art 34(4)-(5)]
- Supervisory and enforcement measures, including binding instructions and orders to remedy deficiencies [Art 32-33]
- Where enforcement measures against an essential entity prove ineffective, a temporary suspension of its certification or authorisation, or a temporary ban on persons at CEO or legal-representative level exercising managerial functions [Art 32(5)]
- Liability of the management body, which must approve and oversee the entity's cybersecurity risk-management measures [Art 20(1)]