NIS2 Reporting Obligations

The following is a personal summary and translation of the reporting obligations in article 23 of NIS2 - Directive (EU) 2022/2555.

Significant Events

• Event has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;
• Event has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Warnings and notifications

Type	Time	Content
Warning	24h	Whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.
Notification	72h	Update the incident and indicate an assessment, including the severity and impact, and indication of compromise if available.

Upon first warning - if possible, CSIRT must provide a response including initial feedback, and further guidance if requested by the entity.

Reporting

Upon the request of a CSIRT or a competent authority, entitied must deliver intermediate reports with status updates, as well as a final report within one month of the incident notification.

If the incident is still ongoing at the time of delivering the final report, the entity must also provide a progress report.

The final report must contain the following:

• A detailed description of the incident, including its severity and impact.
• The type of threat or root cause that is likely to have triggered the incident.
• Applied and ongoing mitigation measures.
• Where applicable, the cross-border impact of the incident.

References

• NIS2 - Reporting Obligations Directive (EU) 2022/2555

Similar posts

• Information Governance
• Enterprise governance and risk management
• NIS2 Cybersecurity Policies
• Study Notes: CCSK Identity, Entitlement, and Access Management
• Study Notes: CISSP Security Concepts