Tommy Gjertsen

NIS2 Reporting Obligations

The following is a personal summary and translation of the reporting obligations in article 23 of NIS2 - Directive (EU) 2022/2555.

Significant Events

Warnings and notifications

Type Time Content
Warning 24h Whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.
Notification 72h Update the incident and indicate an assessment, including the severity and impact, and indication of compromise if available.

Upon first warning - if possible, CSIRT must provide a response including initial feedback, and further guidance if requested by the entity.

Reporting

Upon the request of a CSIRT or a competent authority, entitied must deliver intermediate reports with status updates, as well as a final report within one month of the incident notification.

If the incident is still ongoing at the time of delivering the final report, the entity must also provide a progress report.

The final report must contain the following:

References

Similar posts