The following is a personal summary and translation of the reporting obligations in article 23 of NIS2 - Directive (EU) 2022/2555.
Type | Time | Content |
---|---|---|
Warning | 24h | Whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact. |
Notification | 72h | Update the incident and indicate an assessment, including the severity and impact, and indication of compromise if available. |
Upon first warning - if possible, CSIRT must provide a response including initial feedback, and further guidance if requested by the entity.
Upon the request of a CSIRT or a competent authority, entitied must deliver intermediate reports with status updates, as well as a final report within one month of the incident notification.
If the incident is still ongoing at the time of delivering the final report, the entity must also provide a progress report.
The final report must contain the following: