The NIS2 Directive (Directive (EU) 2022/2555) is the EU’s latest effort to bolster cybersecurity across its member states, with a particular focus on enhancing the resilience and cybersecurity of essential and important entities. This directive, which came into effect on January 17, 2023, updates the original NIS (Network and Information Security) Directive and introduces several key changes, particularly in the area of incident reporting.

For organizations operating within the sectors affected by the NIS2 Directive, understanding the requirements for reporting cybersecurity incidents is crucial. In this article, we will break down what the directive entails, who it applies to, and the incident reporting obligations introduced under NIS2.

NIS2 Directive Overview

The NIS2 Directive lays out several key measures aimed at enhancing cybersecurity across both public and private sectors in the EU. The primary goals of the directive are to:

• Ensure a high level of cybersecurity resilience among essential and important entities.
• Foster collaboration between EU member states to address cross-border cybersecurity incidents.
• Introduce harmonized requirements for risk management and incident reporting for organizations operating in critical sectors like healthcare, energy, finance, transport, and digital infrastructure.

The directive applies to entities classified as essential or important, which include a broad range of sectors and services that are critical to society and the economy. These organizations are required to implement robust risk management processes and are subject to stringent incident reporting requirements.

According to NIS2, an "incident" refers to any event that compromises the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data or the services offered by, or accessible via, network and information systems. This broad definition underscores the seriousness of any cybersecurity lapse, whether actual or attempted.

Scope of Incident Reporting Obligations

NIS2 has expanded its reach compared to its predecessor. It now applies to both essential and important entities, with the key sectors including healthcare, energy, transport, banking, digital infrastructure, and public administration. The new scope ensures that a wider range of businesses and services are covered, reducing the risk of systemic vulnerabilities in critical sectors.

Under NIS2, incident reporting is not just mandatory for large-scale incidents; near misses and vulnerabilities that could have compromised critical operations must also be reported, even if they did not cause immediate damage.

When Must an Incident Be Reported?

One of the most significant changes introduced by the NIS2 Directive is the requirement for real-time or near real-time reporting of incidents. This is a marked departure from the original NIS Directive, which required only significant incidents to be reported. NIS2 introduces a tiered approach to reporting:

1. Initial Notification: Entities must provide an initial notification within 24 hours of becoming aware of the incident. This preliminary notification must provide enough information to indicate whether the incident may impact the delivery of essential or important services.
2. Further Update: A more detailed report is expected within 72 hours, outlining the incident’s nature, the impact it has had, and the mitigation measures put in place.
3. Final Report: Once the incident has been fully resolved, a final report must be submitted within one month, detailing the root cause of the incident and the long-term measures adopted to prevent a recurrence.

The reasoning behind these tight deadlines is to ensure that member states and the relevant authorities can respond promptly to potential threats, reducing the risk of widespread harm or systemic failure.

Criteria for Reporting Incidents

Not all incidents need to be reported under NIS2. The directive specifies that only significant incidents are subject to mandatory reporting. A significant incident is one that meets one or more of the following criteria:

• Large-scale disruption to the provision of essential or important services: This refers to incidents that significantly affect critical services like healthcare, transportation, or energy.
• • For example, a ransomware attack on a hospital network could disrupt vital medical services, leading to delays in patient care. 
• Impact on public safety or security: Cyber incidents can jeopardize the safety of citizens if they target infrastructure critical for maintaining public order or safety. 
• • For example, a cyberattack on a city's water treatment facility could contaminate water supplies, endangering the health of millions.
    
• Severe financial or societal consequences: Incidents that lead to major financial losses or destabilize social functions can fall under this criterion. 
• • For example, a breach at a financial institution resulting in the loss of millions of customer records could undermine public trust and cause severe economic impacts.
    
• Cross-border implications: Incidents with the potential to affect multiple EU countries or international partners qualify here. 
• • For example, a disruption in digital infrastructure services, like cloud platforms or DNS services, that supports clients across various EU nations could cause widespread impacts

How Should Incidents Be Reported?

Entities affected by the NIS2 Directive are required to report cybersecurity incidents promptly to their national Computer Security Incident Response Team (CSIRT) or other designated national authorities. These reports must ensure that incidents are handled effectively and in a timely manner, mitigating the risks of potential widespread harm or service disruptions. 

• CSIRTs: In most cases, national CSIRTs (such as CIRCL in Luxembourg) are the primary bodies responsible for receiving, analyzing, and responding to cybersecurity incidents. They work closely with other CSIRTs across the EU through the CSIRT Network, ensuring a coordinated response to cross-border incidents.
• Competent National Authorities: For certain sectors or specialized cases, incidents may also be reported to national regulatory or supervisory authorities (such as the ILR in Luxembourg). These bodies are tasked with overseeing compliance and ensuring that entities are meeting their cybersecurity obligations.

Information Required in Incident Reports

• Details of the Incident: A description of the incident’s nature, including how it was discovered, and whether it is ongoing.
• Impact Assessment: Initial evaluation of the incident’s impact on the entity’s services, and any cascading effects on other sectors or regions.
• Mitigation Measures: Immediate actions taken to contain the incident and mitigate damage, as well as any preliminary recovery efforts.
• Cross-Border Implications: Whether the incident affects other countries within the EU or could cause disruptions to transnational services.

Steps for Organizations to Take

Organizations subject to the NIS2 Directive must take proactive steps to ensure they comply with the new incident reporting requirements. Here are some key actions to consider:

• Implement robust incident detection and response processes: Ensure that your organization has a comprehensive system in place for detecting, responding to, and reporting incidents in real-time.
• Establish clear communication channels: Make sure that there are streamlined channels for reporting incidents internally and externally to the relevant authorities.
• Training and awareness: Train staff on their roles and responsibilities in the event of an incident, and make sure that all employees understand the importance of timely incident reporting.
• Regular audits and reviews: Conduct regular audits of your incident response processes to ensure they are compliant with the NIS2 Directive and make improvements as necessary.
• Engage with your supply chain: Given the directive’s emphasis on supply chain security, organizations must work closely with their suppliers and service providers to ensure they are also adhering to the required cybersecurity standards.

Non-compliance penalties

Failure to comply with the reporting obligations under NIS2 can result in severe penalties. The directive gives member states the authority to impose financial penalties on entities that fail to report significant incidents within the required timeframe. Additionally, organizations that do not implement the required risk management measures may also be subject to enforcement actions, including fines or restrictions on their operations.

It’s important for entities subject to NIS2 to understand that non-compliance could not only result in financial penalties but also damage to their reputation. Given the increased focus on cybersecurity and data protection across the EU, any failure to adequately respond to or report an incident could result in loss of trust from customers, partners, and the public.

• Fines for Essential Entities:
  • Essential entities, which include sectors like healthcare, energy, and digital infrastructure, are subject to the most severe penalties. If these entities fail to implement the required cybersecurity measures or do not report incidents on time, they can face fines of up to €10 million or 2% of their global annual turnover, whichever is higher​. This high threshold emphasizes the critical nature of these sectors in maintaining societal stability and security.
• Fines for Important Entities:
  • For important entities (which include sectors like postal services, food supply chains, and certain public administration functions), penalties are slightly lower but still significant. These organizations can be fined up to €7 million or 1.4% of their global annual turnover for non-compliance​. Although these entities may have a lesser immediate societal impact compared to essential entities, their roles are still crucial to the functioning of the economy and public services.

Incident reporting with Brainframe

Brainframe can play a pivotal role in helping organizations comply with the NIS2 Directive’s incident reporting requirements. It provides a comprehensive tool that simplifies and streamlines the reporting process, ensuring that critical information is captured and communicated efficiently.

Here’s how Brainframe can facilitate incident reporting:

• Pre-built Incident Templates: Brainframe offers incident report templates that contain all the required fields needed to comply with NIS2 reporting guidelines. These templates are designed to ensure that essential details like the nature of the incident, affected services, impact assessment, and mitigation steps are captured clearly. By using these templates, organizations can:
  • Avoid the risk of omitting key information required by national authorities or CSIRTs.
  • Save time during a crisis by filling out a standardized form rather than creating an incident report from scratch.
  • Ensure compliance with the reporting deadlines outlined in the directive (e.g., the 24-hour notification and 72-hour follow-up).
• External Collaboration and Notifications: Brainframe allows users to create incident reports from templates, customize them according to your needs, and send them to external agents such as the CSIRT​ or the national competent authority. This feature ensures:
  • Coordination with supply chain partners: Organizations can quickly notify affected third parties or service providers if a cybersecurity incident impacts their operations or shared services. This helps maintain compliance with the NIS2 directive’s emphasis on supply chain security and prevents the incident from spreading.
  • Cross-border communication: If an incident has cross-border implications, your ISMS ensures that relevant entities in other EU countries can be notified promptly, facilitating a coordinated response.
  • Automated escalation: Notifications can be automated to ensure that the right personnel, both internal and external, are kept informed throughout the incident’s lifecycle.

Conclusion

The NIS2 Directive marks a significant step forward in the EU’s efforts to strengthen cybersecurity across critical sectors. The new incident reporting obligations introduced under the directive ensure that organizations are better prepared to respond to cyber threats in a timely and effective manner.

For entities operating in essential or important sectors, the key takeaway is that cybersecurity is now a shared responsibility. By adhering to the incident reporting requirements and implementing robust risk management measures, organizations can not only avoid penalties but also contribute to a safer and more secure digital landscape across Europe.

In the coming years, the EU is likely to continue expanding its cybersecurity framework, and organizations that take the necessary steps to comply with NIS2 will be better positioned to meet future regulatory challenges head-on.