
Understanding Incident Reporting Under the NIS2 Directive: Key Insights for Managed Service Providers and Managed Security Service Providers

Incident reporting is a crucial component of maintaining cybersecurity and operational resilience across the European Union. Under Article 23 of the NIS2 Directive (Directive (EU) 2022/2555), entities within its scope must report “significant incidents” to their CSIRT (Computer Security Incident Response Team) or the relevant competent authority without undue delay. In Ireland, the NCSC encompasses the National/Governmental Computer Security Incident Response Team (CSIRT-IE) and, as the National Competent Authority, will act as the main contact point for incident reporting under the NIS2 Directive.

 
Defining a ‘Significant Incident’

For organizations in the sectors of ICT Service Management, Digital Infrastructure, and Digital Providers, including Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs), understanding what qualifies as a “significant incident” is crucial for compliance with the NIS2 Directive. The Directive gives a broad definition of an “incident” in Article 6(6): “an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.” Note that this definition is not limited to malicious events; an outage caused by a misconfiguration is an incident too.

Article 23(3) further clarifies that an incident is considered significant if it: (a) has caused, or is capable of causing, severe operational disruption of services or financial loss for the entity concerned; or (b) has affected, or is capable of affecting, other natural or legal persons by causing considerable material or non-material damage.

While the NIS2 Directive sets out these general criteria, it does not spell out in detail when an incident counts as “significant”. That gap is filled by Commission Implementing Regulation (EU) 2024/2690, adopted on 17 October 2024 and published in the Official Journal on 18 October 2024, which lays down rules on the technical and methodological requirements of cybersecurity risk-management measures and further specifies the cases in which an incident is considered significant for entities such as providers in ICT Service Management (Business-to-Business), Digital Infrastructure, and Digital Providers, which include MSPs and MSSPs.

 
Criteria for a Significant Incident under the Implementing Regulation

According to Article 3 of the Implementing Regulation, an incident is considered significant if it meets one or more of the following conditions:

  1. Financial Loss: The incident has caused, or is capable of causing, direct financial loss for the entity exceeding EUR 500,000 or 5% of the entity’s total annual turnover in the preceding financial year, whichever is lower. Because the lower figure applies, a smaller provider crosses this threshold well before EUR 500,000.
  2. Exfiltration of Trade Secrets: The incident has caused, or is capable of causing, the exfiltration of trade secrets as defined in Directive (EU) 2016/943.
  3. Impact on Human Life and Health: The incident has caused, or is capable of causing, the death of a natural person or considerable damage to a natural person’s health.
  4. Unauthorized Access: A successful, suspectedly malicious, unauthorized access to network and information systems has occurred that is capable of causing severe operational disruption.
  5. Recurring Incidents (Article 4): Incidents that individually are not significant are treated collectively as one significant incident when they occur at least twice within six months and share the same apparent root cause. This means tracking root causes across minor incidents, not only assessing each one in isolation.
  6. Sector-Specific Criteria: The regulation adds specific criteria for individual sub-sectors, including MSPs and MSSPs, which must also be considered when determining the significance of an incident (see Table 1).

 

Table 1. Sector-Specific Criteria for a Significant Incident under the Implementing Regulation for Managed Service Providers and Managed Security Service Providers

Sector: Managed Service Providers and Managed Security Service Providers

Criteria for Significant Incident (any one of the following suffices):

  • The managed service is completely unavailable for more than 30 minutes.
  • The availability of the managed service is limited for more than 1 hour for more than 5% of users or more than 1 million users, whichever number is smaller.
  • The integrity, confidentiality, or authenticity of stored, transmitted, or processed data is compromised as a result of a suspectedly malicious action.
  • The integrity, confidentiality, or authenticity of such data is compromised by an incident affecting more than 5% of users or more than 1 million users, whichever number is smaller.
 
Exclusions and Special Considerations

Scheduled interruptions and planned maintenance-related service downtimes are not considered significant incidents. This distinction separates routine service interruptions from genuine security or operational failures that require reporting.

 
Who Needs to Be Notified?

Entities affected by significant incidents under the criteria above are required to notify their CSIRT or relevant competent authority. Where appropriate, they must also notify the recipients of their services, without undue delay, of significant incidents likely to adversely affect the provision of those services (Article 23(1)), and inform recipients potentially affected by a significant cyber threat of any measures or remedies they can take in response (Article 23(2)).

 
How to Report a Significant Incident

All relevant entities must submit the following reports to the CSIRT or competent authority (Article 23(4)):

  1. An early warning within 24 hours of becoming aware of the significant incident, indicating whether it is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.
  2. An incident notification within 72 hours of becoming aware of the significant incident, updating the information given in the early warning and providing an initial assessment of the incident, including its severity and impact and, where available, the indicators of compromise.
  3. An intermediate report, on request of the CSIRT or competent authority, providing relevant status updates.
  4. A final report no later than one month after submission of the incident notification, containing a detailed description of the incident (including its severity and impact), the type of threat or root cause that likely triggered it, the mitigation measures applied and ongoing, and, where applicable, its cross-border impact.

 

If the incident is still ongoing when the final report falls due, the entity instead submits a progress report at that point and delivers the final report within one month of handling the incident.
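To make the two decision procedures above concrete, here is a worked Python triage routine for an MSP or MSSP: it applies the general Article 3 criteria, the Article 4 recurrence rule, the Table 1 sector criteria and the planned-maintenance exclusion, then computes the Article 23(4) reporting clock. This is an added example written for this article, not code from Centripetal or from any regulator; the Incident field names, the 182-day approximation of “six months”, the calendar-month rule for the final report, and the sample incidents are the example’s own assumptions. The thresholds are the ones summarised in the text.

```python
"""Significance triage for an MSP/MSSP under the NIS2 implementing regulation,
plus the Article 23(4) reporting clock. Example code for this article;
field names, the recurrence window and the sample data are assumptions."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Thresholds as summarised in the text (Article 3 and Article 11 / Table 1).
FINANCIAL_LOSS_ABS_EUR = 500_000
FINANCIAL_LOSS_TURNOVER_FRACTION = 0.05
USER_FRACTION = 0.05
USER_ABS = 1_000_000
FULL_OUTAGE_MINUTES = 30
LIMITED_AVAILABILITY_MINUTES = 60
# Assumption: "six months" approximated as 182 days for the recurrence window.
RECURRENCE_WINDOW = timedelta(days=182)


@dataclass
class Incident:
    """Facts recorded for one incident (field names are this example's own)."""
    detected_at: datetime
    root_cause: str
    planned_maintenance: bool = False
    direct_financial_loss_eur: float = 0.0
    annual_turnover_eur: float = 0.0        # preceding financial year; 0 = unknown
    trade_secret_exfiltration: bool = False
    death_or_considerable_health_damage: bool = False
    malicious_access_with_severe_disruption: bool = False
    full_outage_minutes: float = 0.0
    limited_availability_minutes: float = 0.0
    limited_availability_users: int = 0
    data_compromised_by_malicious_action: bool = False
    data_compromise_users: int = 0
    total_users: int = 0                    # must be set for the 5% rule to mean anything


def user_threshold(total_users: int) -> float:
    """Table 1: more than 5% of users or more than 1 million, whichever is smaller."""
    return min(USER_FRACTION * total_users, USER_ABS)


def general_reasons(inc: Incident) -> List[str]:
    """Article 3 criteria that apply to every covered entity."""
    reasons = []
    loss_threshold = FINANCIAL_LOSS_ABS_EUR
    if inc.annual_turnover_eur > 0:  # "whichever is lower" only applies when turnover is known
        loss_threshold = min(loss_threshold, FINANCIAL_LOSS_TURNOVER_FRACTION * inc.annual_turnover_eur)
    if inc.direct_financial_loss_eur > loss_threshold:
        reasons.append("financial loss")
    if inc.trade_secret_exfiltration:
        reasons.append("trade secret exfiltration")
    if inc.death_or_considerable_health_damage:
        reasons.append("death or health damage")
    if inc.malicious_access_with_severe_disruption:
        reasons.append("malicious unauthorised access")
    return reasons


def msp_reasons(inc: Incident) -> List[str]:
    """Table 1 criteria for MSPs and MSSPs."""
    reasons = []
    threshold = user_threshold(inc.total_users)
    if inc.full_outage_minutes > FULL_OUTAGE_MINUTES:
        reasons.append("full outage > 30 min")
    if (inc.limited_availability_minutes > LIMITED_AVAILABILITY_MINUTES
            and inc.limited_availability_users > threshold):
        reasons.append("limited availability > 1 h for > 5%/1M users")
    if inc.data_compromised_by_malicious_action:
        reasons.append("data compromise by malicious action")
    elif inc.data_compromise_users > threshold:
        reasons.append("data compromise affecting > 5%/1M users")
    return reasons


def is_recurring(inc: Incident, history: List[Incident]) -> bool:
    """Article 4: at least two occurrences within six months sharing the same apparent root cause."""
    window_start = inc.detected_at - RECURRENCE_WINDOW
    prior = [h for h in history
             if h.root_cause == inc.root_cause
             and window_start <= h.detected_at <= inc.detected_at]
    return len(prior) + 1 >= 2  # this incident plus at least one earlier one


def assess(inc: Incident, history: Optional[List[Incident]] = None) -> List[str]:
    """Return the reasons the incident is significant; an empty list means not reportable."""
    if inc.planned_maintenance:
        return []  # scheduled interruptions and planned maintenance are excluded
    reasons = general_reasons(inc) + msp_reasons(inc)
    if not reasons and is_recurring(inc, history or []):
        reasons.append("recurring incident")
    return reasons


def plus_one_month(t: datetime) -> datetime:
    """One calendar month later, clamping the day (31 Jan -> 28/29 Feb). Assumed reading of 'one month'."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at: datetime,
                        notification_sent_at: Optional[datetime] = None) -> Dict[str, datetime]:
    """Article 23(4) clock: 24 h early warning, 72 h notification, final report one month after the notification."""
    deadlines = {"early_warning": aware_at + timedelta(hours=24),
                 "incident_notification": aware_at + timedelta(hours=72)}
    if notification_sent_at is not None:
        deadlines["final_report"] = plus_one_month(notification_sent_at)
    return deadlines


if __name__ == "__main__":
    # Constructed sample: a fictional MSSP with 200,000 users loses its service for 45 minutes.
    outage = Incident(datetime(2025, 3, 1, 10, 0), "expired-cert",
                      full_outage_minutes=45, total_users=200_000)
    print(assess(outage), reporting_deadlines(outage.detected_at))
```

Two details are worth noticing when running it. A 3,000-user partial outage at a 200,000-user provider is below the 5% line and not significant on its own, but the same root cause recurring within six months makes it reportable, so root-cause tagging of minor incidents is what makes the Article 4 test answerable at all. And the financial-loss threshold is min(EUR 500,000, 5% of turnover), so the same EUR 450,000 loss is significant for a provider with EUR 8 million turnover and not for one with EUR 20 million.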

 
How Centripetal Supports Compliance with Incident Reporting Requirements

Centripetal helps organizations reduce the frequency of incidents and the need for extensive reporting through our CleanINTERNET® solution. By offering a robust network security solution and proactive monitoring, we address Recitals 12 and 18 of the implementing regulation. Our solution not only enhances threat detection, including defense against network-based attacks like DDoS, but also supports incident reporting. In the event of an incident, Centripetal aids in comprehensive reporting by supplying detailed logs, data, and expert analyses of your organization’s network traffic.

 
Advanced Threat Detection and Reporting

CleanINTERNET® employs deep packet inspection and behavioral analysis to detect and investigate complex threats at the perimeter of your entity’s network. It delivers a thorough overview of inbound and outbound threats and supplies the detailed logs and data needed for accurate incident reporting.

 
Augmented Human Analysis

Our Security Operations team, supported by our AI Analyst, delivers in-depth reports on security alerts, combining human expertise with advanced technology for thorough incident evaluation. CleanINTERNET® enhances the analysis and contextual understanding of security events, including whether alerts were blocked or monitored, relevant threat intelligence, and a timeline of activity.

 
Key Benefits of CleanINTERNET®
  • Proactive Threat Detection: CleanINTERNET® provides real-time, automated protection using over 100 billion indicators of compromise, ensuring that threats are identified and blocked before they can enter your network, thus minimizing the need for reactive incident reporting. 
  • Actionable Threat Intelligence: The solution integrates the largest collection of high-confidence threat intelligence, updated every 15 minutes. This continuous feed of actionable intelligence helps organizations stay ahead of potential incidents and provides crucial details for accurate and timely reporting.
  • Real-Time Enforcement: CleanINTERNET® utilizes the fastest packet filtering technology, with latency of less than 50 microseconds, to dynamically block threats. This real-time enforcement reduces the number of incidents requiring reports by preventing malicious activities from reaching your network.

 

Centripetal not only secures your network, minimizes incidents, and optimizes IT resource management but also enhances the incident reporting process. By supplying the necessary logs, data, and expert insights, we help organizations prepare comprehensive reports for CSIRT or competent authorities. This approach streamlines your path to NIS2 compliance, reduces operational burdens, and allows your organization to focus on core objectives.
