
NIS2 Reporting Obligation

The obligation of affected entities to report significant security incidents to the competent authority within 24 hours of detection.

The NIS 2 Directive introduces a tiered mandatory reporting regime for significant security incidents. Essential and important entities must notify the competent national authority — in Germany, the Federal Office for Information Security (BSI) — as soon as they become aware of a significant incident. The obligation follows a three-stage timeline: an early warning within 24 hours, a full incident notification within 72 hours, and a final comprehensive report within one month.

An incident qualifies as "significant" under NIS 2 when it causes or is capable of causing severe operational disruption to the affected service, substantial financial loss, or impact on other natural or legal persons. The national authority may also be required to inform counterparts in other affected member states if the incident has cross-border implications.

The reporting obligation under NIS 2 operates independently of GDPR reporting obligations. Where an incident also involves a personal data breach, the organization must file separate notifications under GDPR (to the data protection authority within 72 hours) and under NIS 2. Organizations should therefore integrate both reporting workflows into their incident management procedures to avoid missing any deadlines.

Legal Basis

Art. 23 EU Directive 2022/2555 (NIS 2); NIS2UmsuCG (Germany); GDPR Art. 33 (parallel obligation for personal data breaches)

Practical Example

A telecommunications provider detects a cyberattack that disrupts voice services for approximately 50,000 customers. The security team classifies the incident as significant. Within 24 hours, an early warning is submitted to the BSI via the official reporting portal. A detailed incident notification follows within 72 hours, describing the attack vector, affected systems, and initial containment measures. One month later, a final report is submitted documenting the root cause, full impact, and remediation actions taken.
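The three-stage timeline and the parallel GDPR obligation described above are easy to state and easy to miss in practice, so the following is a small deadline calculator that an incident-response team could drop into its workflow. It is an added example, not code from this page or from preeco: it takes the detection time and the incident's classification, produces every notification the incident triggers (NIS 2 early warning at 24 hours, incident notification at 72 hours, final report one month later, and the GDPR Art. 33 notification at 72 hours where personal data is involved), and flags which ones are open, submitted or overdue at a given point in time. Two things are assumptions, not statements of the page: the one-month final-report deadline is counted from the 72-hour incident-notification deadline, and the timestamps are constructed for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Statutory windows as described on the page (all measured from detection).
NIS2_EARLY_WARNING = timedelta(hours=24)
NIS2_INCIDENT_NOTIFICATION = timedelta(hours=72)
GDPR_BREACH_NOTIFICATION = timedelta(hours=72)


def add_one_month(dt: datetime) -> datetime:
    """Add one calendar month, clamping to the last day of the target month
    (31 Jan -> 29 Feb in a leap year) rather than using a fixed 30 days."""
    year = dt.year + (dt.month // 12)
    month = dt.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


@dataclass(frozen=True)
class Deadline:
    regime: str      # "NIS 2" or "GDPR"
    stage: str       # which report is due
    recipient: str   # competent authority, as named on the page
    due: datetime


def reporting_deadlines(detected_at: datetime, *, significant: bool,
                        personal_data_breach: bool) -> list[Deadline]:
    """Return every notification the incident triggers, earliest first.

    A non-significant incident with no personal data yields no deadlines.
    Assumption (not stated on the page): the one-month final report is
    counted from the 72-hour incident-notification deadline.
    """
    deadlines: list[Deadline] = []
    if significant:
        notification_due = detected_at + NIS2_INCIDENT_NOTIFICATION
        deadlines += [
            Deadline("NIS 2", "early warning", "BSI",
                     detected_at + NIS2_EARLY_WARNING),
            Deadline("NIS 2", "incident notification", "BSI", notification_due),
            Deadline("NIS 2", "final report", "BSI", add_one_month(notification_due)),
        ]
    if personal_data_breach:
        deadlines.append(Deadline("GDPR", "Art. 33 breach notification",
                                  "data protection authority",
                                  detected_at + GDPR_BREACH_NOTIFICATION))
    return sorted(deadlines, key=lambda d: d.due)


def deadline_status(deadlines: list[Deadline], now: datetime,
                    submitted: frozenset[tuple[str, str]] = frozenset()):
    """Classify each deadline as 'submitted', 'open' or 'overdue' at `now`.

    `submitted` holds (regime, stage) pairs that have already been filed.
    Returns (deadline, status, hours_remaining) tuples; negative hours
    means the window has already closed.
    """
    report = []
    for d in deadlines:
        if (d.regime, d.stage) in submitted:
            status = "submitted"
        elif now > d.due:
            status = "overdue"
        else:
            status = "open"
        hours_left = (d.due - now) / timedelta(hours=1)
        report.append((d, status, round(hours_left, 1)))
    return report


def main() -> None:
    # Constructed scenario: a significant incident that also exposes personal data,
    # reviewed 30 hours after detection with the early warning already filed.
    detected = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    deadlines = reporting_deadlines(detected, significant=True, personal_data_breach=True)
    now = detected + timedelta(hours=30)
    filed = frozenset({("NIS 2", "early warning")})
    for d, status, hours in deadline_status(deadlines, now, filed):
        print(f"{d.due:%Y-%m-%d %H:%M} {d.regime:6} {d.stage:28} "
              f"-> {d.recipient}: {status} ({hours:+.1f} h)")


if __name__ == "__main__":
    main()
```

The status check is the part worth wiring into a ticketing or SOAR system: run it on a schedule against open incidents, and any line that turns "overdue" (or drops below a few hours while still "open") is the alert that the integrated workflow the page recommends is there to prevent.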

FAQ

What are the consequences of failing to report?

Failure to meet NIS 2 reporting obligations can result in significant fines: up to €10 million or 2% of global annual turnover (whichever is higher) for essential entities, and up to €7 million or 1.4% of global annual turnover (whichever is higher) for important entities. Senior managers can also face personal liability.

To whom must incidents be reported in Germany?

In Germany, significant incidents must be reported to the Federal Office for Information Security (BSI). The BSI provides an official reporting portal (MELDIS) for submitting early warnings and incident notifications. Sector-specific regulators (e.g., BNetzA for energy and telecoms) may also need to be notified.

Does a NIS 2 incident report replace the GDPR data breach notification?

No. The two obligations exist in parallel. If a security incident also involves personal data, separate notifications must be filed: an early warning to the BSI under NIS 2 within 24 hours, and a data breach notification to the data protection authority under GDPR Article 33 within 72 hours. Both workflows should be integrated into the incident response process.
