Incident Reporting (NIS2)
NIS2 requires essential and important entities to report significant cybersecurity incidents to the authorities. Reporting follows a three-step system: early warning within 24 hours, full report within 72 hours and a final report no later than one month after the incident.
What is incident reporting under NIS2?
One of the cornerstones of the NIS2 Directive is the obligation to report significant cybersecurity incidents to the national authorities. The purpose is to give authorities a clear picture of the threat landscape, enable rapid coordination and alert other potentially affected parties.
The reporting obligation applies to both essential and important entities under NIS2, although authorities may choose to handle reports from the two categories differently.
Reporting deadlines
NIS2 Article 23 establishes a three-step system for reporting:
- Early warning – within 24 hours: You must, without undue delay and no later than 24 hours after becoming aware of the incident, submit an early warning. The warning must indicate whether the incident is suspected to have been caused by unlawful or malicious acts.
- Incident notification – within 72 hours: Within 72 hours you must submit a more detailed report that updates the early warning and includes a preliminary assessment of the incident's severity and consequences.
- Final report – within one month: No later than one month after the incident notification you must submit a final report with a detailed description, root cause analysis and the remedial measures taken.
The 24-hour rule runs from your awareness of the incident, not from the time the incident occurred. Ensure that your incident response plan includes clear internal escalation processes so the reporting obligation is not overlooked.
What is a significant incident?
Not all cybersecurity incidents trigger the reporting obligation. The incident must be "significant" to require reporting. NIS2 defines an incident as significant if it:
- Has caused or is capable of causing severe operational disruption to the service
- Has caused or is capable of causing significant financial loss to the organisation
- Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage
ENISA and the national authorities have developed guidance and thresholds to help organisations determine when an incident is significant.
Who do you report to?
You report to your national competent authority or your national CSIRT. In Denmark, the Centre for Cyber Security (CFCS) is the primary recipient of NIS2 reports for most sectors.
Certain sectors have sector-specific supervisory authorities, such as the Danish Financial Supervisory Authority (Finanstilsynet) for the financial sector and the Danish Energy Agency (Energistyrelsen) for the energy sector. These authorities coordinate with CFCS.
Frequently Asked Questions about Incident Reporting (NIS2)
When must you report an incident under NIS2?
You must submit an early warning within 24 hours of becoming aware of the incident, followed by a detailed notification within 72 hours and a final report no later than one month after the incident notification.
What is a significant incident under NIS2?
An incident is significant if it causes or can cause severe operational disruption to the service, significant financial loss to the organisation, or considerable material or non-material damage to other persons.
Who do you report to under NIS2 in Denmark?
In Denmark, NIS2 incidents are reported to the Centre for Cyber Security (CFCS), which serves as Denmark's national CSIRT under NIS2. Certain sectors also have sector-specific authorities.
Does the 24-hour deadline start when the incident occurs?
No. The 24-hour deadline runs from the moment you become aware of the incident, not from when it actually occurred. This makes robust internal detection and escalation processes essential.
What happens if you fail to report an incident under NIS2?
Failure to report within the prescribed deadlines can result in enforcement action by the national competent authority, including administrative fines. NIS2 gives authorities significant enforcement powers to ensure compliance with reporting obligations.
.legal is not a law firm and is therefore not under the supervision of the Bar Council.