NIS 2 Incident Notification Schema

The category under which this notification is submitted. NIS 2 Art. 23(3) mandates reporting only of significant incidents; near-miss and non-significant incident reporting is voluntary under Art. 30 NIS 2.

Initial assessment of incident severity. NIS 2 Art. 23(4)(b) requires the incident notification (72h) to contain an initial assessment of severity and impact. CIR 2024/2690 quantifies significance thresholds for the digital-service-provider categories it covers.

Plain-language summary of what happened. NIS 2 Art. 23(4)(a) requires the early warning to indicate whether the significant incident is suspected of being unlawful or malicious — this field carries that initial narrative.

Verbatim per NIS 2 Art. 23(4)(d): the final report shall contain 'a detailed description of the incident, including its severity and impact'. This field accumulates findings across the reporting cycle.

NIS 2 Art. 23(4)(a) requires the 24-hour early warning to indicate whether the significant incident is suspected of being caused by unlawful or malicious acts.

NIS 2 Art. 23(2): where applicable, the entity shall, without undue delay, communicate to the recipients of its services that are potentially affected by a significant cyber threat any measures or remedies they can take.

Plain-language message to the recipients of the entity's services about the threat and the recommended remedial actions. Required if customerNotificationRequired is true.

Earliest known time the incident occurred. May be 'unknown' if forensic timeline is incomplete.

Time the entity became aware of the significant incident. Starts the 24h / 72h / 1m clocks under NIS 2 Art. 23(4).

Time the incident was contained and remediated. Required for the final report under NIS 2 Art. 23(4)(d).

Verbatim per NIS 2 Art. 23(4)(d)(ii): the final report shall indicate 'the type of threat or root cause that is likely to have triggered the incident'.

Narrative analysis backing the root-cause classification. Where the analysis is incomplete, indicate the best-supported theory and the evidence behind it.

Whether the entity assesses the incident as a targeted attack (specific to the entity or sector) or untargeted (opportunistic / mass campaign).

Which of confidentiality, integrity, availability the incident has impacted. NIS 2 Art. 6(6) defines 'significant incident' partly in terms of these properties.

Verbatim per NIS 2 Art. 23(4)(b): the incident notification (72h) shall indicate 'an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise'. Submit observable artefacts — file hashes, IP addresses, domains, URLs, malware signatures, behavioural patterns — that downstream defenders can use to detect the same threat. Optional rather than required because the directive conditions it on availability; if forensics has not surfaced any IoCs at the time of submission, leave empty.

Technical, organisational, and operational measures already taken to contain the incident. Required for the incident notification (72h) and updated in subsequent reports.

Verbatim per NIS 2 Art. 23(4)(d)(iii): the final report shall describe 'applied and ongoing mitigation measures'.

How the incident was first detected. Used by CSIRTs to identify systemic detection gaps across the sector.

Measures planned to prevent recurrence. Carries the 'lessons learned' loop required by ENISA TIG for the final report.

Estimated count of affected users. CIR 2024/2690 quantifies thresholds for the digital-service-provider categories it covers; for other entities the assessment is qualitative per NIS 2 Art. 6(6) and Art. 23(3).

Narrative of which services (operational, customer-facing, internal) were degraded or unavailable and for how long. NIS 2 Art. 6(6) makes service-disruption a defining criterion of a 'significant incident'.

Estimated direct and indirect financial damage. NIS 2 Art. 6(6) includes financial loss among the criteria that elevate an incident to 'significant'.

Whether the entity assesses that the incident has caused or is likely to cause reputational harm. One of the qualifying criteria for a 'significant incident' under NIS 2 Art. 6(6).

NIS 2 Art. 23(4)(a) requires the early warning to indicate whether the significant incident has a cross-border impact. CSIRTs of other affected Member States are notified via the cooperation mechanism in NIS 2 Art. 15.

List of EU Member States whose entities, users, or services are affected by the incident. Used by the CSIRT to notify peer authorities.

Sectors affected by the incident, mapping to NIS 2 Annex I (sectors of high criticality) and Annex II (other critical sectors). Sectoral CSIRTs may need to be notified.

Name of the natural person submitting the notification on behalf of the entity. Required by all national portals so the CSIRT can follow up.

Email address the CSIRT can use to reach the reporter for follow-up questions, intermediate-report requests, and feedback delivery under NIS 2 Art. 23(5).

Phone number for urgent CSIRT contact, especially during the early-warning window when email may be slow.

The entity's own internal incident reference number. Lets the CSIRT correlate multiple submissions about the same incident.