NIS2 Notifications - Howto?

Initiatives for
- Initiatives for
  
  As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
- Safeonweb
  - Home
  - School
- Safeonweb@work
- Image
Services
- Services
  
  The CCB’s mission include being the national CISRT, the certifying authority for cybersecurity services & products, the national coordination for Research & Development in the field of cybersecurity, the coordination instance between EU funding & national actors.
- Image
Regulation
About us
Contact

The NIS2 law

The NIS2 law stipulates that essential and important entities must notify the national CSIRT (the CCB) of any significant incident affecting the provision of their services in the (sub-)sectors listed in the annexes of the law, including, where appropriate, information that makes it possible to determine whether the incident in question has a cross-border impact.

In order to fulfil this obligation, one must understand what is meant by "incident" and by "significant".

The NIS2 law defines "incident" as an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.

A "significant" incident is any incident which has a significant impact on the provision of services in the sectors or subsectors listed in the annexes of the NIS2 law, and which

has caused or is likely to cause serious disruption to the operation of any of the services in the sectors or subsectors listed in Annexes I and II or financial loss to the concerned entity; or
has caused, or is likely to cause, significant material, personal or non-material damage to other natural or legal persons.

If the incident in question fits this definition, then the notification shall be made to the national CSIRT (the CCB) in several stages:

Without undue delay and in any event within 24 hours of becoming aware of the significant incident, the entity shall submit an early warning;
Without undue delay and in any event within 72 hours (24 hours for trust service providers) of becoming aware of the significant incident, the entity shall submit an incident notification;
Submit an interim report if requested to do so by the national CSIRT or, where applicable, the sectoral authority;
Submit a final report no later than one month after the submission of the incident notification referred to in point 2;
If the incident is ongoing at the time of the final report, the entity shall submit a progress report and then, within one month after the handling of the incident, a final report.

What to report?

Significant incidents

Initial report (WITHIN 24H)

Malicious intent
Cross border impact

Intermediate report (WITHIN 72H)

Update
Initial assessment
Severity and consequences

Final report (WITHIN 1 MONTH)

Detailled description
Root cause/threat
Actions taken