What are reporting obligations according to NIS 2?

The NIS 2 Directive sets out its incident reporting obligations in a single article, Article 23, but that article is lengthy and demanding. So, which incidents do you need to report, to whom do you need to report them, and how do you need to do so?

NIS2 requires essential and important entities to report significant incidents to the CSIRT or competent authority through:
  • An early warning
  • An incident notification
  • An intermediate report
  • A final report
  • A progress report

What is a significant incident according to NIS2?

According to NIS 2, an incident “means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.”

NIS 2 requires only significant incidents to be reported – it defines a significant incident as “any incident that has a significant impact on the provision” of the services that essential and important entities provide, if:

  • “(a) it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;
  • (b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.”

Recital (101) in the preamble of NIS 2 says “Indicators such as the extent to which the functioning of the service is affected, the duration of an incident or the number of affected recipients of services could play an important role in identifying whether the operational disruption of the service is severe.”

Beyond this, the Directive itself does not say what level of financial loss, or what “considerable material or non-material damage,” makes an incident significant. For the digital infrastructure and digital service entities covered by Commission Implementing Regulation (EU) 2024/2690 (for example DNS and cloud service providers, data centres, managed service providers, and online marketplaces), the Commission has laid down concrete thresholds; for entities in other sectors, the national transposition and any guidance from the competent authority are the places to look.

Both essential and important entities must report significant incidents. The Directive imposes no obligation to report other incidents, although Article 30 allows entities to notify incidents, cyber threats, and near misses voluntarily.


To whom are incidents reported?

NIS 2 requires essential and important entities to notify the following parties:

  • The computer security incident response team (CSIRT) or the competent authority (these bodies are designated by each Member State to be responsible for cybersecurity and for supervisory tasks), which must be notified of every significant incident
  • Recipients of the entity's services, where appropriate, if a significant incident is likely to adversely affect the provision of those services (Article 23, paragraph 1), and, separately, recipients potentially affected by a significant cyber threat (Article 23, paragraph 2)

How are significant incidents reported?

Article 23 requires entities to report significant incidents in the following ways (the article references are to NIS 2):

Notification of recipients of services (for recipients potentially affected by a significant cyber threat)
  • Relevant article: Article 23, paragraph 2
  • When to report: Without undue delay
  • What to report: Any measures or remedies those recipients are able to take in response to the threat; where appropriate, the significant cyber threat itself
  • Suggested document name: Significant Incident Notification for Recipients of Services

Early warning (to the CSIRT or competent authority)
  • Relevant article: Article 23, paragraph 4, point (a)
  • When to report: Without undue delay and, in any event, within 24 hours of becoming aware of the significant incident
  • What to report: Where applicable, whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact
  • Suggested document name: Significant Incident Early Warning

Incident notification (to the CSIRT or competent authority)
  • Relevant article: Article 23, paragraph 4, point (b)
  • When to report: Without undue delay and, in any event, within 72 hours of becoming aware of the significant incident (trust service providers: within 24 hours for significant incidents affecting the provision of their trust services)
  • What to report: An update of the early warning information where applicable, plus an initial assessment of the significant incident, including its severity and impact, and, where available, the indicators of compromise
  • Suggested document name: Significant Incident Notification for CSIRT/competent authority

Intermediate report (to the CSIRT or competent authority)
  • Relevant article: Article 23, paragraph 4, point (c)
  • When to report: Upon the request of the CSIRT or competent authority
  • What to report: Relevant status updates
  • Suggested document name: Significant Incident Intermediate Report

Final report (to the CSIRT or competent authority)
  • Relevant article: Article 23, paragraph 4, point (d)
  • When to report: Not later than one month after submission of the incident notification
  • What to report: (i) a detailed description of the incident, including its severity and impact; (ii) the type of threat or root cause that is likely to have triggered the incident; (iii) applied and ongoing mitigation measures; (iv) where applicable, the cross-border impact of the incident
  • Suggested document name: Significant Incident Final Report

Progress report (to the CSIRT or competent authority)
  • Relevant article: Article 23, paragraph 4, point (e)
  • When to report: If the incident is still ongoing when the final report would be due; the final report is then due within one month of the entity's handling of the incident
  • What to report: Not specified in the Directive
  • Suggested document name: Significant Incident Progress Report

Note that the 24-hour and 72-hour deadlines run from the moment the entity becomes aware of the significant incident, not from the moment the investigation is complete. Your incident response process therefore needs a defined point at which awareness is declared and the reporting clock started, and a way to assess significance quickly enough to meet the early-warning deadline.

Hope for the best; prepare for the worst

Once you implement the cybersecurity measures required by NIS 2, you reduce the likelihood of an incident, and of a significant incident in particular.

But there is no perfect cybersecurity — in spite of all your efforts, such an incident might happen. This is why you have to be prepared not only to respond to it, but also to report it properly.

For more information about NIS2, download this free white paper: Comprehensive guide to the NIS 2 Directive.


Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.