Incident reporting under NIS2: Entity Reporting Obligations

April 25, 2025
The NIS2 Directive requires essential and important entities to report every significant incident. Which incidents count as ''significant''? To whom are they reported, and how? This article answers those questions.

Significant Incidents According to NIS2

The Directive (Article 6(6)) defines an incident as follows:

''An incident is an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.''

Since this definition is broad, NIS2 requires only significant incidents to be reported. Article 23 describes a significant incident as ''any incident that has a significant impact on the provision of the services'' that the essential or important entity provides, which is the case if:

  1. the incident has caused or is capable of causing severe operational disruption of the services, or financial loss, for the entity concerned; or
  2. the incident has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

NIS2 does give indicators for judging whether an incident is significant, such as the extent to which the functioning of the services is affected, the duration of the incident and the number of affected users or recipients. It does not, however, set thresholds for what counts as significant financial loss or considerable material or non-material damage. Entities should therefore define their own criteria in advance, as part of the incident response plan, rather than decide them in the middle of an incident.

Entity Reporting Obligations Timeline

A number of companies have already received a notification of their official classification under NIS2, which tells them whether they fall into the essential or the important entity category. Entities must reach full NIS2 compliance within a year of receiving the classification notification.

Their incident reporting obligations, however, start much earlier: 30 days from the date of the classification notification. (Both deadlines come from the national law transposing NIS2 and can differ between member states.)

This means that every entity expecting to fall within the NIS2 scope, whether essential or important, must already have an established incident response plan that includes the reporting procedure described below.

Reporting Significant Incidents

If you suffer a significant incident, the reporting steps under Article 23(4) of the NIS2 Directive are the following:

  • Within 24 hours of becoming aware of the incident, send an early warning to the CSIRT or, where applicable, the competent authority designated by the member state. Where applicable, it states whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.
  • Within 72 hours of becoming aware of the incident, send an incident notification that updates the early warning and gives an initial assessment of the incident, including its severity and impact and, where available, indicators of compromise.
  • On request of the CSIRT or the competent authority, submit an intermediate report with relevant status updates.
  • No later than one month after submitting the incident notification, send the final report on the incident.
  • If the incident is still ongoing when the final report is due, send a progress report at that point and the final report within one month of handling the incident.

Note that the 24-hour and 72-hour clocks start when the entity becomes aware of the incident, not when it is confirmed or fully analysed, so detection and escalation paths inside the organisation have to be fast enough to leave time for the report itself.

NIS2 Incident Reporting Checklist

Article 23 of the NIS2 Directive sets out how significant incidents are to be reported. The table below summarises the requirements and the document ASEE uses for each of them.

NIS2 requirement | When to report | To whom to report | Report contents | Document name
Notification of recipients | Without undue delay, where appropriate | Recipients of the service likely to be adversely affected by the significant incident | Inform recipients about the incident and, where a significant cyber threat is involved, advise them of measures or remedies they can take in response to it | Significant Incident Notification for Recipients of Services
Early warning | Within 24 hours of becoming aware of the incident | CSIRT or competent authority | Where applicable, whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact | Significant Incident Early Notification
Significant incident notification | Within 72 hours of becoming aware of the incident | CSIRT or competent authority | Update of the early warning; initial assessment of the incident, including its severity and impact; indicators of compromise, where available | Significant Incident Notification
Intermediate report | On request of the CSIRT or the competent authority | CSIRT or competent authority | Relevant status updates | Significant Incident Intermediate Report
Final report | No later than one month after submitting the incident notification | CSIRT or competent authority | Detailed description of the incident, including its severity and impact; type of threat or root cause likely to have triggered the incident; applied and ongoing mitigation measures; where applicable, cross-border impact of the incident | Significant Incident Final Report
Progress report | If the incident is still ongoing when the final report is due | CSIRT or competent authority | Status of the ongoing incident; the final report then follows within one month of handling the incident | Significant Incident Progress Report

Stay Ahead of NIS2 Incident Reporting Obligations

The NIS2 Directive introduces stricter requirements for incident reporting that apply to both essential and important entities. Understanding what qualifies as a significant incident, knowing the reporting timeline, and being familiar with the official reporting flow are all important factors for ensuring compliance.

While the definitions may leave room for interpretation, the key takeaway is the following: entities must be proactive. With reporting obligations kicking in just 30 days after classification notification, there’s little room for delay. A well-prepared incident response plan isn’t just a recommendation - it’s a requirement.

Download NIS2 Checklist

Not sure where to start with the NIS2 Directive? Our checklist gives you actionable steps to kick off your compliance journey and reach full compliance with ASEE.

Don’t wait for a breach or a compliance deadline. Start today. Contact us for solution-specific support.
