ComplianceCheckup
2026-04-03 | NIS2
Zeta Solutions | Compliance Research
Last verified: May 2026
Zeta Solutions is a web and software studio that researches, builds, and maintains ComplianceCheckup.org.

TL;DR

Under NIS2 Article 23, a significant incident triggers three reporting obligations: an early warning to the competent authority within 24 hours, an incident notification within 72 hours, and a final report within one month (or three months for ongoing incidents). A significant incident is one that causes or is capable of causing severe operational disruption or significant financial loss. The criteria vary slightly by sector under implementing acts.


What Counts as a Major Incident Under NIS2 and When Must I Report It?

NIS2 (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union) replaced the original NIS Directive and required EU member states to transpose it into national law by 17 October 2024. For entities in scope, Article 23 establishes three-tier incident reporting obligations triggered by "significant incidents."

This post covers: what a significant incident is, the three reporting timelines, who you report to, and how NIS2 reporting overlaps with GDPR breach notification.

Note: ComplianceCheckup does not currently have a dedicated NIS2 checklist. For GDPR breach notification requirements that may overlap with NIS2 incidents, see the GDPR compliance checklist.

Who does NIS2 apply to?

NIS2 applies to medium and large entities in essential and important sectors. "Medium" means 50 or more employees or annual turnover exceeding 10 million euros. "Large" means 250 or more employees or annual turnover exceeding 50 million euros. Small entities are generally out of scope unless they are in specific critical categories.

Essential entities (Annex I): energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space.

Important entities (Annex II): postal and courier services, waste management, manufacture and distribution of chemicals, food production and distribution, manufacturing (medical devices, computers, electrical equipment, machinery, vehicles), digital providers (online marketplaces, search engines, social networks), and research organisations.

Member states may designate additional entities as essential or important. If you operate in any of these sectors and meet the size thresholds, NIS2 likely applies to you. Consult your national transposition law for the precise scope.

What is a significant incident?

NIS2 Article 23(3) defines a significant incident as one that: has caused or is capable of causing severe operational disruption to services or financial loss to the entity; or has caused or is capable of causing considerable material or non-material damage to other natural or legal persons.

The European Union Agency for Cybersecurity (ENISA) and the European Commission have issued or are developing implementing acts with sector-specific criteria for what constitutes a significant incident. These use quantitative thresholds: for example, a service outage affecting more than a defined number of users, or a financial loss exceeding a defined euro threshold. These thresholds vary by sector and entity type.

The general principle is that not every cybersecurity event is a significant incident. A phishing email caught by spam filters is not. A ransomware attack that encrypts production systems is. A DDoS attack that causes a two-minute service interruption may or may not cross the threshold depending on the sector. An attack that results in unauthorised access to customer data is almost certainly significant.

The burden of assessment is on the entity. If you are uncertain whether an incident crosses the threshold, you should err on the side of reporting. A false positive report does not carry penalties; a failure to report a qualifying incident does.

The three-tier reporting timeline

Article 23(4) establishes the three reporting steps. All timelines run from when the entity "becomes aware" of the incident.

Step 1: Early warning — within 24 hours

Within 24 hours of becoming aware, the entity must send an early warning to the CSIRT (Computer Security Incident Response Team) or competent authority. The early warning must indicate whether the incident is suspected to be the result of unlawful or malicious acts, and whether it is likely to have a cross-border impact. The early warning does not require full analysis. It is a notification that an incident has occurred, not a completed investigation.

Step 2: Incident notification — within 72 hours

Within 72 hours, the entity must update its early warning with a full incident notification. This must include: an assessment of the incident's severity and impact; the technical indicators of compromise where available; and the cause of the incident if known. The 72-hour clock mirrors the GDPR breach notification timeline deliberately. Both clocks run from "becoming aware," and if the incident involves personal data, both notifications may be required simultaneously.

Step 3: Final report — within one month

Within one month of the incident notification, the entity must submit a final report. If the incident is still ongoing when the final report falls due, the deadline is extended to one month after the incident has been handled. The final report must include a detailed description of the incident, the threat type or root cause, the measures taken and any ongoing mitigation, and, where the incident had cross-border impact, a description of that impact. Member states may also require an intermediate report between the 72-hour notification and the final report.

Who you report to

NIS2 reports go to the national competent authority or CSIRT designated under each member state's transposition law. Each EU member state designates these bodies. In most member states, the competent authority is either the national cybersecurity agency (such as ANSSI in France, BSI in Germany, NCSC-NL in the Netherlands) or a sector-specific regulator.

The competent authority may also forward information to ENISA and other member state authorities under the cross-border coordination provisions of the Directive. You report to your local authority; cross-border coordination is the authority's responsibility, not yours.

Overlap with GDPR breach notification

GDPR Article 33 requires notification of a personal data breach to the supervisory data protection authority within 72 hours of becoming aware. If an incident involves personal data, both clocks run simultaneously from the moment of awareness:

  • NIS2 24-hour early warning to the NIS2 competent authority/CSIRT
  • NIS2 72-hour incident notification to the NIS2 competent authority/CSIRT
  • GDPR 72-hour breach notification to the data protection supervisory authority

The NIS2 competent authority and the GDPR supervisory authority are often different bodies. The NIS2 report and the GDPR report may need to go to different organisations. Check your member state's transposition law for the designated authorities in your sector.

GDPR Article 34 separately requires notification to affected data subjects "without undue delay" where the breach is likely to result in a high risk to their rights and freedoms. This obligation runs in parallel with the authority notification and is not covered by NIS2.

Two concrete examples

Example 1 (essential entity, healthcare): A hospital operating as an essential entity discovers at 9am on Tuesday that ransomware has encrypted its patient management systems and exfiltration of patient records may have occurred. The 24-hour early warning to the national CSIRT is due by 9am Wednesday. The 72-hour incident notification is due by 9am Friday. A GDPR personal data breach notification to the data protection authority is also due by 9am Friday (72 hours from becoming aware). The 30-day final report and any GDPR data subject notifications run in parallel.

Example 2 (important entity, digital provider): An online marketplace discovers at 3pm on Monday that a DDoS attack caused a four-hour outage affecting 150,000 users and that no data exfiltration occurred. Whether this is a significant incident depends on the sector-specific thresholds in the implementing acts. If the outage crosses the threshold (likely for a marketplace of this size), the early warning is due by 3pm Tuesday, the incident notification by 3pm Thursday, and the final report by 3pm one month after the incident notification. Because no personal data was involved, GDPR Article 33 is not triggered.

FAQ

Who must report incidents under NIS2?

NIS2 applies to medium and large entities in essential sectors (Annex I: energy, transport, banking, health, digital infrastructure, etc.) and important sectors (Annex II: postal, chemicals, food, manufacturing, digital providers). Member states may extend the scope to additional entities.

What is the difference between an essential entity and an important entity under NIS2?

Essential entities face stricter ex ante supervision while important entities are subject to ex post supervision. The incident reporting obligations under Article 23 apply to both categories with the same timelines.

Does NIS2 overlap with GDPR breach notification?

Yes, when an incident involves personal data. GDPR requires notification to the supervisory authority within 72 hours. NIS2 requires an early warning within 24 hours and an incident notification within 72 hours. Both clocks run simultaneously from the moment of awareness, and reports go to different authorities.
