Incident notification under NIS 2

  • Under the Act of 5 May 2026 on measures to ensure a high level of cybersecurity (hereinafter “NIS 2 Act”), essential and important entities are required to report significant incidents to the competent authority.
  • Are you an essential or important entity under NIS 2 operating in one of the sectors supervised by the Institute? You must report incidents to the Institute within the first 24 hours.

Do you need help resolving an incident? You can contact your CSIRT.

If you have any questions, please do not hesitate to contact us directly at incident_notification(at)ilr(.)lu.

Definition of an incident

  • Incident (Art.2. (5) NIS 2 Act)

‘incident’ means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems 

  • Significant incident (Art.14. (3) NIS 2 Act)

An incident shall be considered to be significant if:

1°            it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;

2°            it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Processus de notification d'incident

Etapes de la notification d'incident

  • 01

    Preliminary notification

    • Without undue delay and no later than 24 hours of becoming aware of the significant incident the preliminary notification has to be send.
    • This early warning can also be made when the impact cannot yet be defined, and the incident is potentially not significant.
    • The competent authority or the CSIRT provides feedback, where possible, within 24 hours of receiving the early warning.
  • 02

    Incident notification

    • Within 72 hours of becoming aware of the significant incident , the incident has to be formally notified updating the information provided in the early warning.
    • The competent authority or the CSIRT may request interim information to stay informed.
  • 03

    Final report

    • The final report must be submitted no later than one month after the incident notification

    • If the incident has not been closed after one month, an extension of up to one month may be requested for the submission of the final report, and a progress report must be sent one month after the submission of the formal notification instead of the final report.

Content of notifications

The following questions must be answered in the various notifications relating to a significant incident:

Preliminary notification (within 24h)

Incident notification (within 72h)

The questions set out in the preliminary notification will all be included and may be adapted in the incident notification.

The following questions are added to these:

Final report (within 1 month after notifying the incident)

The questions asked in the preliminary notification and the incident notification will all be included and may be adapted in the Final report

The following questions are added to these:

  • Securing your organisation

    The NISS department ensures that legislation on network and information system security is properly enforced across a range of sectors.

  • NIS 2 Act

    Find out more about the NIS 2 Act.

  • Incident Notification

    Please use SERIMA to report incidents.