NIS2 Notifications - Howto?

Initiatives for
- Initiatives for
  
  As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
- Safeonweb
  - Home
  - School
- Safeonweb@work
- Image
Services
- Services
  
  The CCB’s mission include being the national CISRT, the certifying authority for cybersecurity services & products, the national coordination for Research & Development in the field of cybersecurity, the coordination instance between EU funding & national actors.
- Image
Regulation
About us
Contact

The NIS2 law

The NIS2 law stipulates that essential and important entities must notify the national CSIRT (the CCB) of any significant incident affecting the provision of their services in the (sub-)sectors listed in the annexes of the law, including, where appropriate, information that makes it possible to determine whether the incident in question has a cross-border impact.

In order to fulfil this obligation, one must understand what is meant by "incident" and by "significant".

A "significant" incident is any incident which affects networks and information systems supporting a NIS2 service (see annex I or II of the NIS2 law) and has caused or is likely to cause at least one of the following situations (see the NIS2 Notification Guide for more details and examples of those situations):

severe operational disruption of a NIS2 service;
financial losses for the concerned entity;
considerable material, physical or moral damage to other natural or legal persons.

Commission Implementing Regulation of 17 October 2024 (2024/2690) also clarifies when an incident should be considered as a significant incident (see the summary in annex 3 of the NIS2 Notification Guide) for certain entities providing digital services.

What to report?

Significant incidents

Early warning report (initial notification) at the latest within 24h:

Information on suspected malicious/unlawful nature of the incident
Potential cross border impact
Request assistance, if necessary

Incident report (complete notification) at the latest within 72h (or 24h for trust service providers):

Update of information provided within 24 hours
Initial assessment of the incident (severity, impact, indicators of compromise)

Intermediate report (if required)

Final report at the latest within one month after the notification report:

Detailed description of the incident
Root cause or type of threat that likely triggered the incident
Actions taken

See the NIS2 Notification Guide for more information.