NIS 2 Directive Article 23 – Reporting Obligations

Mar 6, 2025 by Kira Hk

Introduction

The NIS 2 Directive, specifically Article 23, outlines the reporting obligations for essential and important entities in the European Union in the event of significant cyber incidents impacting their services. This directive highlights the importance of prompt notification to relevant authorities to mitigate such incidents' potential impact.

Notification Process For Significant Incidents

Member States are responsible for ensuring that essential entities promptly notify their Computer Security Incident Response Team (CSIRT) or competent authority when significant incidents that impact their services occur. Additionally, these entities must inform service recipients if their services are affected. It is crucial that reports on these incidents include information on any relevant cross-border impact.

No Increase In Liability For Notification

It is important to note that the directive emphasizes that notifying the competent authority of significant incidents does not increase the entity's liability. This provision aims to encourage transparency and timely reporting without the fear of facing additional consequences.

Communication of Cyber Threats and Mitigation Measures

Entities are required to communicate significant cyber threats and the available mitigation measures to the recipients of their services who may be affected. An incident counts as significant when it causes severe operational disruption or financial loss for the entity, or when it affects others by causing material or non-material damage. This proactive communication helps manage the incident's impact effectively.

Reporting Requirements

Entities have clear reporting requirements to adhere to when it comes to significant cyber incidents:

  • Early Warning: Within 24 hours of becoming aware of the incident, entities must submit an early warning indicating whether the incident is suspected to stem from unlawful acts or could have a cross-border impact.

  • Incident Notification: Within 72 hours of the incident, entities must submit an incident notification containing an initial assessment of the incident, its severity and impact, and any indicators of compromise.

  • Intermediate Updates: Entities must provide intermediate updates upon request from the competent authority.

  • Final Report: A detailed final report must be submitted within one month, outlining the incident, threat type, mitigation measures, and cross-border impact.

Specific Requirements for Trust Service Providers

Trust service providers have a more stringent notification timeline, requiring them to notify within 24 hours for significant incidents. In response to such notifications, the CSIRT or competent authority must provide feedback and guidance within 24 hours to assist in handling the incident effectively.

Cross-Border Incidents and Information Sharing

In the case of incidents affecting multiple Member States, the CSIRT or competent authority must promptly inform other Member States and the European Union Agency for Cybersecurity (ENISA), ensuring the confidentiality of sensitive information. Public awareness may also be necessary to manage such incidents with cross-border implications effectively.

Reporting to ENISA and Cooperation Group

Single points of contact are mandated to submit quarterly summary reports to ENISA, which then informs the Cooperation Group and CSIRTs network biannually. This structured reporting mechanism ensures that relevant authorities are informed and can collaborate effectively to address cybersecurity incidents.

Conclusion

NIS 2 Directive Article 23 sets out clear guidelines for reporting obligations in the event of significant cyber incidents. Timely notification, effective communication, and collaboration among entities and authorities are essential in mitigating the impact of such incidents and ensuring a swift and coordinated response to cybersecurity threats in the European Union.