What are incident reporting obligations according to NIS 2

The NIS 2 Directive only specifies reporting obligations in Article 23, but this article is quite lengthy and quite demanding. So, which incidents do you need to report, to whom do you need to report them, and how do you need to do so?

NIS2 requires essential and important entities to report significant incidents to the CSIRT or competent authority through:
  • An early warning
  • An incident notification
  • An intermediate report
  • A final report
  • A progress report

What is a significant incident according to NIS2?

According to NIS 2, an incident “means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.”

NIS 2 requires only significant incidents to be reported – it defines a significant incident as “any incident that has a significant impact on the provision” of the services that essential and important entities provide, if:

  • “a) it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;
  • (b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.”

Recital (101) in the preamble of NIS 2 says “Indicators such as the extent to which the functioning of the service is affected, the duration of an incident or the number of affected recipients of services could play an important role in identifying whether the operational disruption of the service is severe.”

Other than this, no guideline has been published on what a “severe financial loss” would mean, or what “considerable material or non-material damage” would be.

Both essential and important entities need to report significant incidents, while there are no requirements to report other types of incidents.

What are incident reporting obligations according to NIS 2 - Advisera

To whom are incidents reported?

NIS 2 requires essential and important entities to notify the following parties of significant incidents:

  • The computer security incident response team (CSIRT) or a competent authority (these authorities are designated by Member States to be responsible for cybersecurity and for the supervisory tasks)
  • Recipients of services from essential or important entities that are potentially affected by the significant incident

How are significant incidents reported?

Article 23 requires companies to report significant incidents in the following ways:

NIS2 requirement Relevant NIS2 article When to report What to report Suggested document name
A notification (for the recipients of services that are potentially affected by a significant cyber threat) Article 23, paragraph 2 Without undue delay Any measures or remedies that those recipients are able to take in response to that threat; also inform those recipients of the significant cyber threat itself Significant Incident Notification for Recipients of Services
An early warning (for CSIRT or competent authority) Article 23, paragraph 4, point (a) Without undue delay and, in any event, within 24 hours of becoming aware of the significant incident Indicates whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact Significant Incident Early Warning
An incident notification (for CSIRT or competent authority) Article 23, paragraph 4, point (b) Without undue delay and, in any event, within 72 hours of becoming aware of the significant incident Indicates an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise Significant Incident Notification for CSIRT/competent authority
An intermediate report (for CSIRT or competent authority) Article 23, paragraph 4, point (c) Upon the request of a CSIRT or the competent authority Relevant status
updates
Significant Incident Intermediate Report
A final report (for CSIRT or competent authority) Article 23, paragraph 4, point (d) Not later than one month after the submission of the incident notification (i) A detailed description of the incident, including its severity and impact;
(ii) the type of threat or root cause that is likely to have triggered the incident;
(iii) applied and ongoing mitigation measures;
(iv) where applicable, the cross-border impact of the incident
Significant Incident Final Report
A progress report (for CSIRT or competent authority) Article 23, paragraph 4, point (e) In the event of an ongoing incident (not specified) Significant Incident Progress Report

Hope for the best; prepare for the worst

Once you implement all cybersecurity measures required by NIS2, you will significantly lower the chances of an incident, especially for significant incidents.

But there is no perfect cybersecurity — in spite of all your efforts, such an incident might happen. This is why you have to be prepared not only to respond to it, but also to report it properly.

To find all the documents needed for complying with the NIS 2 Directive, check out this NIS 2 Documentation Toolkit that includes all policies, procedures, plans, and other templates.

Advisera Dejan Kosutic

Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.
Read more articles by Dejan Kosutic