Why NIS2 incident reporting is more complex than GDPR
Most compliance professionals know the GDPR Art. 33 drill: 72 hours, supervisory authority, report if likely to result in a risk to individuals. NIS2 incident reporting is materially different — and harder. Directive (EU) 2022/2555 Art. 23 introduces a three-tier notification regime with different deadlines, different recipients (CSIRT not DPA), different content requirements at each stage, and the possibility of parallel obligations running simultaneously with GDPR.
Get it wrong and penalties for essential entities can reach €10 million or 2% of global annual turnover — whichever is higher. For important entities: €7 million or 1.4%.
Who must comply: essential vs important entities
NIS2 applies to medium and large organisations in sectors listed in Annex I (essential) and Annex II (important) of the Directive. EU Member States published their initial registers of in-scope entities by October 2024.
Annex I — Essential entities (EE): energy (electricity, oil, gas, hydrogen), transport (air, rail, water, road), banking, financial market infrastructure, health (hospitals, labs, pharma, medical devices), drinking water, wastewater, digital infrastructure (DNS, TLD registries, IXPs, cloud computing, data centres, CDNs), ICT service management (B2B managed services), public administration, space.
Annex II — Important entities (IE): postal and courier, waste management, chemicals, food, manufacturing of critical products (machinery, vehicles, computers, electrical equipment, medical devices), digital providers (online marketplaces, search engines, social networking platforms), research organisations.
Essential entities face proactive supervision (ex-ante): NCAs can conduct on-site inspections, security audits, and targeted security scans at any time. Important entities face ex-post supervision: NCAs act when there's evidence of non-compliance. Both are subject to the same incident reporting obligations under Art. 23.
What counts as a "significant incident" (Art. 23(3))
This is the threshold question. Art. 23(3) defines a significant incident as one that:
- (a) Has caused or is capable of causing severe operational disruption of the services or financial loss to the entity; or
- (b) Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
The Commission may adopt delegated acts specifying how to assess significance. In practice, relevant indicators include: number of users affected, duration, geographic scope, financial loss, whether critical services are disrupted, cross-border impact, and whether the incident has reputational consequences at sector level.
Important note: the obligation triggers when the entity becomes aware of a significant incident — not when it confirms or fully understands the incident. The 24-hour clock starts at initial awareness, not at confirmed classification.
The three-tier notification regime
Tier 1: 24-hour Early Warning (Art. 23(1)(a))
Deadline: Without undue delay and in any event within 24 hours of becoming aware.
Recipient: Your national CSIRT (or NCA where Member State designates NCA for direct reporting).
Required content (Art. 23(3)):
- Indication that the incident is suspected to be caused by unlawful or malicious acts
- Indication of cross-border impact potential
- No detailed analysis required at this stage — this is an early flag, not a full report
Common failure: Waiting for full technical analysis before filing. 24 hours starts when your SOC first categorises this as a potentially significant incident. File the early warning, even with minimal information, and update via the intermediate notification.
Tier 2: 72-hour Intermediate Notification (Art. 23(1)(b))
Deadline: Without undue delay and in any event within 72 hours of becoming aware.
Recipient: Same national CSIRT. If the incident has cross-border impact, the CSIRT may forward to the CSIRT Network (Art. 15) and ENISA.
Required content (Art. 23(4)(a)):
- Updated assessment of the incident, including its severity and impact
- Available indicators of compromise (IoCs) — IP addresses, domain names, file hashes, YARA rules
- Initial root cause hypothesis (attack vector)
- Updated information on cross-border impact
Parallel GDPR obligation: If the incident involves a personal data breach, GDPR Art. 33 requires notification to the supervisory authority (DPA) within 72 hours. These are separate notifications to separate bodies. Your DPA is not your CSIRT. You may need to file both simultaneously.
Tier 3: 1-Month Final Report (Art. 23(1)(c))
Deadline: No later than one month after the incident notification was submitted.
Content requirements (Art. 23(4)(b)) — in full:
- Detailed description of the incident — what happened, step by step
- The type of threat or root cause that likely triggered the incident
- Applied and ongoing mitigation measures
- Where the incident has cross-border impact: information the entity wishes to share with other Member States
In practice, regulators and CSIRTs expect the final report to include a full root cause analysis, MITRE ATT&CK mapping, complete impact assessment (users affected, financial loss, service downtime vs RTO/RPO), evidence of remediation, and your updated security controls. If the incident is ongoing at the 1-month mark, file a progress report and then the final report once resolved.
CSIRT contacts by country
Each EU Member State designates at least one national CSIRT. Key contacts:
- Germany: BSI CERT-Bund — 24/7 hotline +49 228 99 9582-5555; cert@bsi.bund.de
- France: ANSSI — cert-fr@ssi.gouv.fr; cert-fr.eu-cert.fr
- Netherlands: NCSC-NL — cert@ncsc.nl; ncsc.nl/english/current-topics/news
- Estonia/Baltic: CERT.EE — cert@cert.ee; +372 663 0299
- EU-level: ENISA — nis-incidents@enisa.europa.eu; for cross-border/large-scale incidents
- Full directory: ENISA maintains the current CSIRT Network directory at enisa.europa.eu/topics/incident-response/csirt-inventory
Management body obligations (Art. 20)
NIS2 is unusual in making the management body directly responsible for cybersecurity risk management. Art. 20 requires:
- Management bodies must approve the cybersecurity risk management measures
- Management bodies can be held personally liable for infringements
- Management bodies must undergo cybersecurity training to assess risks and manage their impact
Practically: your board needs to know about significant incidents immediately. Not after the CSIRT filing — during it. Incident response plans should include a mandatory board notification step within hours of incident declaration.
Build your NIS2 incident reporting playbook now
Don't discover your gaps during a live incident. Assess your Art. 23 readiness — CSIRT contacts, 24h early warning procedure, IoC package templates, parallel GDPR obligation tracking, management body escalation path, and 1-month final report template — before you need them.
→ Use the free NIS2 Incident Reporting Playbook generator — 42 items across all five incident reporting phases. Generates a complete playbook with notification templates, CSIRT directory, and gap remediation plan. No account required.