NIS2 Incident Reporting: What to Do When a Cyber Event Occurs
The NIS2 Directive places a strong emphasis on timely and effective incident reporting, a critical component for enhancing overall cybersecurity resilience across the European Union. For Irish Small and Medium-sized Enterprises (SMEs) falling within its scope, understanding the specific requirements and having a clear plan for what to do when a cyber event occurs is paramount. Failure to comply with NIS2 incident reporting obligations can lead to significant penalties and reputational damage. This article outlines the key steps Irish SMEs must take when faced with a cyber incident under NIS2.
Understanding NIS2 Incident Reporting Requirements
NIS2 mandates a multi-stage incident reporting process designed to ensure that the relevant authorities are informed promptly and then kept updated as the picture develops. The directive distinguishes a "significant incident", one that has caused or is capable of causing severe operational disruption or financial loss for the entity concerned, or considerable material or non-material damage to other natural or legal persons, from other cyber events [1]. Only significant incidents trigger the mandatory notifications below; lesser incidents, cyber threats and near misses may still be reported voluntarily.
Key Reporting Timelines:
- Early Warning (within 24 hours): Entities must submit an early warning to the relevant Computer Security Incident Response Team (CSIRT) or competent authority (in Ireland, the National Cyber Security Centre, NCSC) without undue delay and in any event within 24 hours of becoming aware of a significant incident. The clock runs from the moment of awareness, not from the end of the investigation. Where applicable, this initial notification should indicate whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.
- Incident Notification (within 72 hours): A more detailed incident notification must be submitted within 72 hours of becoming aware of the significant incident. Where applicable, it updates the information provided in the early warning and includes an initial assessment of the incident, its severity and impact, and, where available, indicators of compromise.
- Final Report (within one month): A final report must be submitted no later than one month after the submission of the 72-hour incident notification. It should include a detailed description of the incident, including its severity and impact, the type of threat or root cause that likely triggered it, the mitigation measures applied and still ongoing, and any cross-border impact. Where the incident is still ongoing at that point, a progress report is submitted instead, with the final report due within one month of the incident being handled. The CSIRT or competent authority may also request intermediate status updates at any stage.
What Constitutes a "Significant Incident"?
NIS2 defines a significant incident as one that:
- Has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned.
- Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage [1].
It is crucial for Irish SMEs to establish clear internal criteria for identifying such incidents so that the significance decision is made quickly and consistently. Record the exact time at which the organisation became aware of the incident, since every reporting deadline is measured from that moment and will be scrutinised after the fact.
Step-by-Step Guide: What to Do When a Cyber Event Occurs
Having a pre-defined incident response plan is critical. Here’s a step-by-step guide for Irish SMEs to follow:
Step 1: Detection and Initial Assessment
- Identify the Incident: Be vigilant for any signs of a cyber event, such as unusual system behavior, unauthorized access alerts, or reports from users.
- Initial Triage: Quickly assess the nature and potential scope of the incident. Is it a data breach? A ransomware attack? A service disruption?
- Activate Incident Response Team: Assemble your designated incident response team (internal or external, such as your vCISO).
Step 2: Containment
- Isolate Affected Systems: Take immediate steps to contain the incident and prevent further spread. Where possible, disconnect affected systems from the network rather than powering them off: running processes and memory contents are evidence that a hard shutdown destroys.
- Preserve Evidence: Ensure that logs, disk and memory images, and other relevant data are preserved for forensic analysis before any rebuild or reimaging, and keep a record of who handled which system and when.
Step 3: Early Warning (within 24 hours)
- Notify Authorities: If the incident is deemed "significant," submit an early warning to the National Cyber Security Centre (NCSC) in Ireland within 24 hours of becoming aware [2]. Because the clock started at awareness, this runs in parallel with containment; do not wait for containment or investigation to finish. The early warning can be brief and based on incomplete facts, since the 72-hour notification exists precisely to update it, but it must be made.
- Internal Communication: Inform relevant internal stakeholders (management, legal, communications) about the incident.
Step 4: Eradication and Recovery
- Remove Threat: Eliminate the cause of the incident (e.g., remove malware, patch vulnerabilities).
- Restore Systems: Restore affected systems and data from secure backups. Verify the integrity of restored data.
- Monitor: Continuously monitor systems to confirm that the threat has been fully eradicated and that the attacker has not retained a foothold through persistence mechanisms or unpatched entry points.
Step 5: Detailed Incident Notification (within 72 hours)
- Update Authorities: Provide a more detailed notification to the NCSC within 72 hours, including an initial assessment of the incident, its severity, impact, and any compromise indicators. Outline the mitigation measures taken so far.
- GDPR Considerations: If personal data is involved, remember that the GDPR separately requires notifying the Data Protection Commission (DPC) without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals [3]. The two clocks start from the same moment but the thresholds differ, so a NIS2-significant incident is not automatically a notifiable data breach and vice versa. Run both assessments and coordinate the notifications so their facts agree.
Step 6: Post-Incident Review and Final Report (within one month)
- Lessons Learned: Conduct a thorough post-incident analysis to understand the root cause, identify areas for improvement in your security posture, and update your incident response plan.
- Submit Final Report: Provide the NCSC with a comprehensive final report within one month, detailing the incident, its impact, the measures taken, and recommendations for preventing future occurrences.
- Implement Improvements: Act on the lessons learned to strengthen your defenses and reduce the likelihood of similar incidents.
The Role of a vCISO in Incident Reporting
A Virtual CISO (vCISO) can be an invaluable asset for Irish SMEs in navigating NIS2 incident reporting. They can:
- Develop and Test Plans: Help create and regularly test a robust incident response plan that aligns with NIS2 requirements.
- Provide Expert Guidance: Offer immediate, expert guidance during an active incident, helping your team make critical decisions under pressure.
- Coordinate Reporting: Assist in preparing and submitting timely and accurate notifications to the NCSC and DPC, ensuring all regulatory obligations are met.
- Post-Incident Analysis: Lead the post-incident review process to identify root causes and implement effective preventative measures.
Conclusion
NIS2 incident reporting is a critical obligation for many Irish SMEs, demanding a proactive and well-prepared approach. By understanding the timelines, defining "significant incidents," and having a clear step-by-step plan, businesses can effectively manage cyber events and meet their regulatory duties. Engaging with expert cybersecurity support, such as a vCISO, can significantly enhance your incident response capabilities and ensure compliance, safeguarding your business from the severe consequences of cyber threats.
References:
[1] European Union. (2022). Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive). Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555
[2] National Cyber Security Centre Ireland. (n.d.). NIS2 Directive. https://www.ncsc.gov.ie/nis2-directive/
[3] European Parliament and Council. (2016). Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
Take the Next Step
If your NIS2 compliance obligations are something you're thinking about, the best starting point is a structured conversation.
Book a free 20-minute call with our vCISO team. We work with Irish SMEs across every sector — no jargon, no scare tactics, just clear advice on what to do next.