Security Incident
An event that compromises or threatens the confidentiality, integrity, or availability of information or information systems.
A security incident is any event that negatively affects — or has the potential to affect — the confidentiality, integrity, or availability of information assets. This includes a wide range of occurrences: ransomware attacks, unauthorized access to systems, data breaches, DDoS attacks, insider threats, and even physical security breaches that expose sensitive information.
Organizations that operate an ISMS or fall under NIS 2 obligations are required to have a documented incident management process in place. This process covers detection and identification, containment, eradication, recovery, and post-incident review. A clear incident classification scheme helps prioritize response efforts by distinguishing between minor events, significant incidents that require internal escalation, and major incidents that trigger regulatory reporting obligations.
Under NIS 2, "significant" incidents must be reported to the competent national authority within 24 hours of detection (early warning), followed by a more detailed notification within 72 hours. A final incident report is due within one month. What qualifies as "significant" is defined by the directive in terms of impact on service availability, financial harm, and the number of affected users.
Legal Basis
EU Directive 2022/2555 (NIS 2 Art. 23); ISO/IEC 27001:2022 Annex A; GDPR Art. 33–34 (for personal data breaches)
Practical Example
An energy supplier detects unusual outbound network traffic on a Monday morning. The security team activates the incident response procedure: the affected systems are isolated, forensic analysis begins, and the CISO is notified. Within 24 hours, the company submits an early warning to the BSI under NIS 2. After confirming that customer data was exfiltrated, a full incident notification and a parallel GDPR data breach report to the supervisory authority are filed within 72 hours.