Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook
Academy home
NIS2 Incident Reporting Requirements and related ISO 27001 Best Practices

Incident reporting in NIS2 directive requires organizations to informing relevant national authorities and recipients of services about any major disruptions to the security of their network and information systems.

Incident reporting requirements are designed to ensure transparency and accountability in the event of a security breach. The directive requires that (significant) incidents are reported without undue delay and that the reports include sufficient information to e.g. allow the authorities to determine the cross-border impact of the incident.

What are 'incidents' in information security?

Generally spoken, instances of breaches in information security, often referred to as incidents, are rising in number and intensity. Unfortunately, a lot of these instances stay unnoticed. Incidents can be triggered by factors like:

  • Malicious software (viruses, worms, ransomware)
  • Unauthorized access (hacking, password cracking)
  • Data breaches (unauthorized alteration or access to data)
  • External infiltration (attacks by third parties)
  • Human error (accidental disclosure of sensitive information)
  • Insider threats (employees or insiders intentionally compromising security)
  • Lack of security awareness or training
  • Vulnerabilities in software or systems
  • Poorly configured or inadequate security measures
  • Physical security breaches (theft or loss of devices containing sensitive data)

Regardless of the level of security measures in place, there is always a risk of experiencing an information security event. To mitigate this risk, it is crucial to employ various tools and strategies, including reporting, to identify potential threats before they can cause harm.

What's a 'significant incident' according to NIS2?

A significant incident...

  • causes or has the potential to cause severe disruption to services or financial loss for the entity involved
  • or affects or has the potential to affect other individuals or entities by causing substantial material or non-material damage

Under the NIS2 Directive, a significant incident is typically defined as an event that has a substantial impact on the continuity of essential services. This could include events that lead to a disruption of services, a breach of security measures, or a compromise of sensitive data. For instance, a cyber attack that results in the loss of customer data would be considered a significant incident.

Another example of a significant incident could be a hardware failure that leads to a prolonged outage of essential services. This could include a server crash that prevents a company from processing transactions, or a network failure that leaves a hospital unable to access patient records. In both cases, the incident would have a substantial impact on the continuity of essential services.

Under NIS2, organizations are also required to report any incidents that could potentially have a significant impact on the continuity of services. This could include a near miss where a cyber attack was successfully thwarted, or a minor hardware failure that was quickly resolved but could have led to a more serious outage if not addressed promptly.

Additionally, the NIS2 Directive also considers the number of users affected by an incident when determining its significance. For example, a data breach that affects a small number of users may not be considered significant, but a similar incident that affects a large number of users would likely be deemed significant.

The potential economic and societal impact of an incident is also taken into account under NIS2. For instance, a cyber attack on a financial institution that leads to a significant loss of funds could be considered a significant incident due to its potential impact on the economy.

How 'significant incidents' need to be reported?

Entities are required to report significant incidents to the Computer Security Incident Response Team (CSIRT) or the competent authority within specific time frames:

The timeline of incident reporting requirements set by the NIS2 directive.

You are required to provide an early warning within the first day of an incident. This alert should specify whether the incident appears to be born out of illicit or hostile actions and if it could potentially affect multiple borders.

Make sure to submit an incident notice within three days of the occurrence. This notice must contain an update on the information given in the early warning and an initial judgment on the incident's severity and potential repercussions. Also, make sure to incorporate any known indicators of compromise. During this time, if asked for, continue to provide intermediate reports for status updates.

A subsequent final report needs to be handed in no more than a month following the incident notice. It should convey an in-depth explanation of the incident, its impact and severity, the possible threat, or root cause. It should also detail the actions taken to mitigate the effects and, if applicable, the incident's potential transnational implications.

In situations where the incident continues at the time the final report is due, entities should deliver an up-to-date report, followed by a conclusive report within one month after the incident’s resolution.

ISO 27001's best practices can help your incident management

It is important to note that the NIS2 directive encourages the adoption of best practices in incident management, as outlined in standards such as ISO 27001. This standard provides a framework for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.

NIS2 requires organizations to report significant incidents affecting their digital services. However, it does not provide a detailed methodology for identifying, assessing, and managing these incidents.

ISO 27001 on the other hand provides specific controls for incident management and reporting. These include establishing an incident response plan, defining responsibilities, and providing training to staff. These requirements align closely with the NIS2 directive's emphasis on incident reporting. By implementing ISO 27001, organizations can ensure they meet the NIS2 requirements and demonstrate their commitment to information security.

Having a clearly responsible incident management team (5.25)

The responsible team is expected to have a clear understanding of the organization's information security objectives and requirements. They should be able to identify potential risks and vulnerabilities, and develop strategies to mitigate these risks. This includes implementing security measures, monitoring their effectiveness, and making necessary adjustments to improve security.

Furthermore, the responsible team is also expected to communicate effectively with other stakeholders within the organization. This includes raising awareness about information security, providing training and guidance to employees, and reporting on the status of information security to senior management.

In addition to that, the responsible team should have the authority to enforce the organization's information security policies and procedures. This includes taking corrective action when breaches occur, and ensuring that lessons are learned from these incidents to prevent future occurrences.

The team should also be involved in the continuous improvement of the organization's information security management system. This involves regularly reviewing and updating the system to ensure it remains effective and aligned with the organization's objectives and the evolving threat landscape.

Preparing for an incident response (5.26)

The control emphasizes the importance of developing and implementing an incident response plan. This plan should detail the roles and responsibilities of all involved parties, the procedures to be followed in the event of an incident, and the communication protocols to be used. It should also outline how to identify and assess incidents, as well as how to prioritize response activities based on the severity of the incident.

Training is another key aspect of "Preparing for an incident response". Staff members should be trained on the incident response plan and their specific roles within it. This training should be updated regularly to ensure that it remains relevant and effective. The control also recommends conducting regular tests and drills to evaluate the effectiveness of the plan and identify areas for improvement.

Documentation is also crucial in the step of preparing for an incident response. All incidents, responses, and following actions should be documented and reviewed. This not only provides a record for future reference, but also allows for a post-incident review to identify what worked well and what could be improved. This continual learning and improvement is a key aspect of ISO 27001.

Last but not least, in this step relationships with relevant external parties should be taken into consideration. This may include law enforcement, regulatory bodies, and third-party service providers. Having these relationships in place before an incident occurs can help to expedite the response and recovery process.

Documenting incidents and learn from them (5.27)

Documenting incidents involves recording all relevant details about the incident, such as its nature, the impact it had on the organization, the steps taken to manage it, and the individuals involved. This documentation serves as a historical record and a source of valuable data for future reference.

Learning from incidents is the next step after documenting them. This involves analyzing the incident documentation to identify patterns, root causes, and areas for improvement. The aim is to gain insights that can help prevent similar incidents in the future.

Moreover, the lessons learned from incidents should be used to update the organization's risk assessment and risk treatment plan. This ensures that the organization's information security management system (ISMS) remains effective and up-to-date.

Finally, the ISO 27001 control 5.27 also requires organizations to communicate the outcomes of incident reviews to relevant stakeholders. This can include employees, management, and even external parties like customers or regulators. The goal is to promote transparency and foster a culture of continuous improvement in information security.

Having a process for employees to report incidents (6.8)

A key part of this control is the process of establishing a procedure for reporting. This means creating a clear and easy-to-follow process that employees can use to report incidents. This could involve using a dedicated reporting tool or system, or it could be as simple as a designated email address or tool. The key is that the process should be easily accessible and understood by all employees.

The second key aspect of this control is about ensuring that all employees are aware of the reporting process and understand their responsibilities. This can be achieved through regular training and awareness programs or simply by spreading guidelines for your employees.

Once an incident is reported, it should be assessed and responded to promptly. The best possible option in this case would be if the responsible person is getting notified right away, for instance via a tool, through which the incident has been reported. The treatment then involves categorizing the incident based on its severity and potential impact, determining the appropriate response, and implementing that response.

The incident should also be documented and analyzed to identify any patterns or trends, and to improve the organization's overall security posture. In order to encourage your employees to further report incidents in the future, you should provide some feedback about the outcome of the reported incident to the employee, who has been involved.

Technically gather incident data and alert (8.15, 8.16)

ISO 27001 control 8.15  focuses on the systematic and technical gathering of data. The objective of this control is to ensure that the organization has the ability to collect, retain, and analyze information that could serve as evidence in the event of a security incident. This includes data such as system logs, user activity records, and network traffic data. The control emphasizes the need for a well-defined procedure for evidence collection, which should be in line with legal requirements to ensure admissibility in court.

Furthermore, it underlines the importance of ensuring that the personnel involved in the data collection process are adequately trained. This is to ensure that they understand the importance of maintaining the integrity of the data collected, and are aware of the correct procedures for handling and storing this data. The control also recommends the use of automated tools for data collection where possible, to minimize the risk of human error.

ISO 27001 control 8.16 deals with the process of identifying, managing, and analyzing security incidents. The objective of this control is to ensure that the organization has a robust system in place for detecting and responding to security incidents in a timely and effective manner.

It further emphasizes the need for an incident management procedure that includes clear guidelines for incident reporting, assessment, and response. This procedure should be communicated to all employees and relevant stakeholders. The control also recommends the use of automated alert systems to facilitate the early detection of security incidents. These systems should be configured to generate alerts based on predefined criteria, such as unusual user activity or attempts to access restricted areas of the network.

Both control 8.15 and 8.16 highlight the importance of a proactive approach to information security. By systematically collecting data and setting up effective alert systems, organizations can detect and respond to security incidents before they escalate, minimizing the potential damage and disruption.


In conclusion, the NIS2's incident reporting requirements can be effectively interpreted and implemented through the lens of ISO27001 best practices. This approach not only ensures compliance with NIS2 but also promotes a robust and resilient cyber security framework within the organization.

ISO27001, with its comprehensive and detailed guidelines, provides a clear roadmap for incident reporting, encompassing aspects like incident identification, response, management, and recovery. By adopting these practices, organizations can meet the NIS2 requirements while also enhancing their overall cyber security posture.

In the end, ISO 27001 is a globally recognized standard, and achieving certification can provide reassurance to stakeholders that an organization takes information security seriously. This can be particularly important in the context of NIS2, where failure to report incidents or inadequate security measures can lead to significant penalties.

Finally, it is important to remember that while ISO27001 provides a solid foundation for incident reporting, it should be complemented with other best practices tailored to the specific needs and context of the organization. In essence, the successful implementation of NIS2's incident reporting requirements is a balance between adherence to standards and customization to individual organizational needs.


Share article