Incident Reporting Requirements

NIS2 establishes stringent incident reporting requirements that organizations must follow to ensure timely notification and appropriate response to cybersecurity incidents.

Incident Classification and Thresholds

Significant Incident Criteria

  • Service disruption affecting essential or important services
  • Compromise of network and information system integrity
  • Unauthorized access to sensitive or personal data
  • Incidents with potential cross-border impact
  • Supply chain compromise affecting service delivery

Incident Severity Levels

  • Critical: Immediate threat to essential services or public safety
  • High: Significant impact on service delivery or data protection
  • Medium: Notable impact with containment options available
  • Low: Minor impact with minimal service disruption
  • Informational: Potential security events requiring monitoring

Reporting Timelines and Requirements

24-Hour Early Warning

  • Initial notification within 24 hours of becoming aware of the incident
  • Basic incident information and preliminary impact assessment
  • Identification of affected systems and services
  • Initial containment measures implemented
  • Contact information for follow-up communications

72-Hour Detailed Report

  • Comprehensive incident analysis and root cause investigation
  • Detailed impact assessment and affected stakeholder identification
  • Technical details of attack vectors and vulnerabilities exploited
  • Response actions taken and their effectiveness
  • Lessons learned and improvement recommendations

Reporting Content and Format

Mandatory Reporting Elements

  • Incident identification and classification information
  • Timeline of incident detection, containment, and resolution
  • Description of affected network and information systems
  • Technical details of the incident and attack methodology
  • Assessment of impact on service delivery and stakeholders
  • Cross-border implications and affected Member States
  • Response measures implemented and their effectiveness

Supporting Documentation

  • Forensic evidence and technical analysis reports
  • Communication logs and stakeholder notifications
  • Recovery and restoration procedures implemented
  • Third-party involvement and coordination activities
  • Post-incident review and improvement plans

Coordination and Communication

Competent Authority Coordination

  • National competent authority notification procedures
  • Cross-border incident coordination mechanisms
  • European Union Agency for Cybersecurity (ENISA) reporting
  • Law enforcement coordination when appropriate
  • Information sharing with relevant stakeholders

Stakeholder Communication

  • Customer and user notification requirements
  • Business partner and supplier communications
  • Media and public relations coordination
  • Regulatory compliance notifications
  • Insurance provider and legal counsel engagement