24 hours, 72 hours, 1 month: the reporting of cyber incidents under NIS2

This blog post discusses the updated cyber incident reporting obligations introduced by the NIS2 framework on network and information security. NIS2 builds on the previous NIS1 framework and significantly expands these obligations. 

1. The challenges and shortcomings of NIS1 led to NIS2 

The previous directive NIS1 was a major step forward for cybersecurity in Europe. However, the NIS1 directive faced challenges such as varying implementation across member states, limited sectoral coverage and inconsistent enforcement. See this blog for more on NIS1's shortcomings. 

The shortcomings of NIS1 underlined the need for a more harmonised and robust approach to cybersecurity. Therefore, in 2022, the European legislator introduced the NIS2 directive, which follows up on the shortcomings of NIS1. 

The NIS2 Directive was transposed into Belgian law by the Belgian law of 26 April 2024 on the cyber security of network and information systems of general public security interest (the "NIS2 law"), which came into force on 18 October 2024. 

In this blog, we focus on the provisions of the Belgian NIS2 law. 

2. Is your organisation actually covered by NIS2? 

In this blog, we assume that you have already investigated whether your organisation falls within the scope of the NIS2 directive and is therefore considered an "NIS2 entity". The scope of the NIS2 framework is broader and quite complex than under NIS1. 

If you are not sure whether your organisation falls under the scope of NIS2, book a free video call with us. 

3. What is a cyber incident and must every cyber incident be reported under NIS2? 

The Belgian NIS2 law stipulates that only "significant" incidents must be compulsorily reported to the competent cybersecurity authority and possibly to the parties involved. But then we first need to know what a cyber incident is. In general, cyber incidents, whether significant in nature or not, are events that compromise the availability, authenticity, integrity or confidentiality of data or the services of network and information systems. The NIS2 framework also provides a definition for "near misses". These are cyber incidents that were avoided or did not materialise. 

Obvious examples of cyber incidents are hacking, a ransomware attack or a phishing attack. But other events can also lead to a cyber incident. Consider the loss of a device, insider threats or misconfigurations of network or information systems. These events can be accidental or deliberate. They may be caused by an employee, a supplier or other third parties in the supply chain. 

However, not every cyber incident should be reported to the relevant cyber security authority. Only significant cyber incidents should be reported. But when is a cyber incident significant? It is when the cyber incident: 

• causes or is likely to cause serious disruption or financial loss to any NIS2 entity; and/or 

• causes or may cause significant material, personal or immaterial damage to other natural or legal persons. 

It is therefore not necessary to report every single cyber incident, but it is important to evaluate the impact of a cyber incident not only on your own organisation, but also on other and different organisations or individuals. In addition, cyber incident can also be voluntarily reported to the relevant cyber security authority. 

4. So what about reporting near-incidents? 

What the NIS2 framework is less clear about is the reporting of near-incidents (or near misses). The reporting requirement applies to cyber incidents, but does not seem to explicitly apply to near incidents in the same way. Nevertheless, the NIS2 framework provides for the sharing of information between competent cybersecurity authorities across borders, but it seems that cybersecurity authorities will rely on their own investigations or voluntary near-incident reporting to gather this information. 

The ambiguity surrounding the reporting of near incidents is interesting to compare with the reporting of personal data leaks under the General Data Protection Regulation (GDPR) (see also section 8 below). Whereas the NIS2 framework seems to make a clear distinction between cyber incidents that have occurred and cyber incidents that had almost occurred, the GDPR does not make the same distinction for reporting personal data leaks. Under the GDPR, in the event of a personal data leak, the controller must assess the risk to the rights and freedoms of data subjects. If there is a risk, the controller must report the leak to the competent data protection authority. However, if there is any doubt, it is up to the controller to decide whether or not to report the leak. This distinction is less clear than in the NIS2 framework. 

5. Why is there an obligation to report cyber incidents? 

A good reflex is to ask: why does the NIS2 framework envisage a reporting requirement for certain cyber incidents in the first place? 

The legislator's aim is twofold: 

• On the one hand, notification helps to stop the cyber incident as soon as possible. 

Prompt notification can sometimes stop the spread of cyber incidents. A notification also enables NIS2 entities to call for help. 

• On the other hand, we can learn lessons for the future from cyber incidents.

By analysing what happened in a particular cyber incident, we may be able to avoid future cyber incidents. As a result, we can improve the cyber resilience of organisations and sometimes entire sectors. 

6. To whom should significant cyber incidents be reported and what in cross-border cases? 

Significant cyber incidents should always be reported to the national Computer Security Incident Response Team (the "CSIRT") or, where applicable, to the recipients of an NIS2 entity's services when an incident is likely to disrupt those services. 

In Belgium, the CSIRT is the Centre for Cybersecurity Belgium (the "CCB"). The CCB also provides confidentiality guarantees during the reporting procedure. Information about cyber incidents is only shared with people on a need-to-know basis, to prevent further potential leaks. Please note that special rules apply to the financial sector, as in the financial sector, the National Bank of Belgium (the "NBB") or the Financial Services and Markets Authority (the "FSMA") play an important role. 

But cyber incidents are often not limited to the territory of a single member state. So if a cyber incident has cross-border implications, what then? In most cases, there is no need to report a significant incident in all member states. Indeed, the NIS2 framework states that the competent cyber security authority is only the one where the NIS2 entity is located. This rule does have some exceptions, such as for providers of public electronic communication networks and providers of public electronic communication services. These may be required to report a cyber incident in several member states. 

We can illustrate this using a simple example. The reality can be much more complex, but let's take the example of a German company that also provides services in Belgium. When a significant cyber incident occurs, this company does not have a reporting obligation in Belgium, as it is not based there. However, the company will probably have to report the cyber incident to the German cyber security authority and do so under the German NIS2 law. 

7. What is the deadline for reporting a significant incident? 

The NIS2 framework envisages a single notification system in three phases, with the first notification to be done very quickly. This is because one of the intentions of the notification requirement is to stop the further spread of cyber incidents (see above section 5 ). 

We distinguish three phases: the early warning, the incident reporting and the final report. 

Early warning (phase 1) 

Within 24 hours of becoming aware of the cyber incident, an NIS2 entity must send out an early warning. 

The deadline for this early warning is very short and is designed to bring the cyber incident to the attention of the national cybersecurity authority or affected individuals. 

This early warning should only state whether the cyber incident is suspected to be caused by illegal or malicious acts and whether the cyber incident may have a cross-border impact. 

The CCB notes that this early warning should not divert the reporting entity's resources from priority incident management activities. While reporting the cyber incident is obviously important, the NIS2 entity should prioritise the steps needed to contain and stop the cyber incident. 

Incident reporting (phase 2) 

Within 72 hours of becoming aware of the cyber incident, the NIS2 entity must file an incident report. 

The incident report is more comprehensive than the early alert and provides an initial assessment of the cyber incident. This includes an analysis of the severity and impact of the cyber incident, as well as indicators of compromise, if available. 

As for early warning, this incident notification should not divert resources from managing, containing and stopping a cyber incident. Of course, it should also not result in the incident notification not happening (correctly and timely). So the NIS2 entity must organise itself well in advance so that, in the event of a cyber incident, it can work on two paths: both managing, containing and stopping the cyber incident and working towards correct and timely incident notification. 

Final report (phase 3) 

One month after reporting the incident in the second phase, the NIS2 entity must submit a final report. 

The final report is a (more) detailed description of the cyber incident. For example, the final report should summarise the severity and impact of the cyber incident, the type of threat the cyber incident is likely to have caused, and the steps the NIS2 entity has taken or is taking, such as risk mitigation measures. 

Finally, if relevant, this final report should address the cross-border impact of the cyber incident. 

8. What if the cyber incident also involves personal data? 

First of all, it is important to note that the reporting obligation from the NIS2 framework does not replace the obligation to report personal data leaks under the GDPR. 

Thus, when a cyber incident involves a leak of personal data, the organisation should combine the application of the NIS2 framework with the application of the provisions of the GDPR. Consider the example where an employee sends an e-mail containing customer data to the wrong recipient. This could be both an NIS2 incident and a personal data leak under the GDPR. 

If the leak is notifiable even under the GDPR, the organisation must report a personal data leak to an authority other than the cybersecurity authority. This must also be done within the deadline set by the GDPR (read our blog on this). It is therefore important for organisations to take into account different reporting obligations under different legal instruments and also include this in internal incident procedures. 

The importance of these internal incident procedures is also demonstrated by a case in which the Belgian Data Protection Authority did not impose an administrative fine on a company that had correctly and timely reported a personal data leak. This is consistent with the reality that any organisation, no matter how well secured it may be, can always fall victim to a cyber incident. 

However, not every cyber incident is also a personal data leak. For example, in a Distributed Denial of Service attack (DDoS attack), where cybercriminals flood a website server with an overwhelming amount of data traffic causing the website server to crash. This may be a cyber incident, but it may not necessarily be a leakage concerning personal data. After all, the website may be purely informational in nature and does not necessarily host personal data. 

9. What if the reporting requirement is not met? 

The NIS2 law provides for administrative fines for failure to comply with the reporting obligation. These can range from EUR 500 to EUR 125,000 in Belgium. This can be doubled in case of repetition. 

Apart from the potential administrative fine, directors can also be held personally liable and, for some organisations, a cyber incident can lead to reputational damage of such magnitude that the organisation's survival may even be jeopardised. 

10. There may also be contractual consequences in a cyber incident! 

In this blog post, we discussed the reporting requirement under the NIS2 law. While cyber incident reporting is crucial, it is only one piece of the puzzle. Cyber incident also often lead to contractual consequences. 

These include: 

• possible contractual (liquidated damages) clauses, 

• possible contractual reporting obligations, 

• discussions on liability or its limitations, 

• discussions on security obligations, 

• discussions on breach of confidentiality obligations, 

• discussions on force majeure and 

• a general dent in trust between the contracting parties. 

These contractual consequences can be far-reaching. It is therefore advisable for organisations to identify these possible consequences in advance. 

11. Conclusion: NIS2 implementation is not a mere IT project 

The reality is that cyber incidents happen all the time. Some organisations or sectors are more sensitive to cyber incidents than others, but sooner or later, every organisation, no matter how well secured, will have to deal with a small or large cyber incident. In that case, the organisation must be prepared to act quickly and decisively. The deadlines for reporting cyber incidents are very short, so it is essential to be prepared and know what needs to be reported to whom. 

Unfortunately, we still too often see organisations viewing NIS2 implementation as a mere IT project. But as this blog highlights, a legal understanding of preparing for and managing the consequences of a cyber incident is also crucial to comply with the NIS2 framework. 

Timelex's lawyers also speak the language of your IT department and can thus work together seamlessly to avoid your organisation overlooking the legal aspects of NIS2 implementation. Would you like more information on this? Then book a free video call with us!