Skip to main content
NIS2Certify
Back to overview

NIS2 Incident Reporting Templates Are Now Official: What Changes for Your Clients

By NIS2Certify
nis2incident-reportingarticle-23compliancemspsenisa
NIS2 Incident Reporting Templates Are Now Official: What Changes for Your Clients

NIS2 Incident Reporting Templates Are Now Official: What Changes for Your Clients

On May 26, 2026, the NIS2 Cooperation Group met in Cyprus for its 39th Plenary and agreed on something that's been missing since the directive took effect: common templates for incident reporting. Every EU member state. One format. For the first time.

This matters more than it sounds. Before this decision, Article 23 required companies to report significant incidents within 24 hours, 72 hours, and one month — but how to report depended on which national authority your client fell under. A Dutch manufacturer and a German logistics provider could follow wildly different reporting processes for the same type of incident. That inconsistency is now being addressed.

The Cooperation Group — made up of representatives from all EU member states, the European Commission, and ENISA — adopted these templates as a first step. The Commission will follow up with an implementing act to make them mandatory across all 27 member states.

What the Templates Actually Standardise

The core function of the new templates is harmonisation of reporting fields. Instead of each national CSIRT defining its own intake form, organisations will fill in the same structured data points regardless of where they're registered.

Expect the templates to cover: incident classification, affected systems and services, estimated number of users impacted, timeline of events, initial containment actions taken, and whether third-party suppliers are involved. This is not a simplified questionnaire — it's a structured format designed to give authorities what they need to assess severity quickly.

For your clients, this means the 24-hour early warning isn't just a quick phone call or email anymore. It needs to include specific structured fields from day one. If your client doesn't have an incident response process tied to those fields, they'll be scrambling to backfill data under pressure.

NIS2 Incident Reporting Timeline
24h
Early Warning
Notify the competent authority (CSIRT/NCA) within 24 hours of becoming aware of a significant incident.
72h
Incident Notification
Submit a detailed notification within 72 hours with an initial assessment of severity, impact and indicators of compromise.
1mo
Final Report
Deliver a comprehensive final report within one month covering root cause, remediation taken and cross-border impact.

Why the "Single Entry Point" Announcement Matters

The template adoption didn't happen in isolation. The Cooperation Group explicitly aligned these templates with a broader initiative: the Digital Omnibus, a proposed EU framework that would create a single entry point for reporting incidents across multiple regulations — NIS2, DORA, the Critical Entities Resilience Directive (CER), and others.

Right now, a financial services firm that's both a NIS2 "essential entity" and subject to DORA may have to report the same incident twice, to two different authorities, in two different formats. The Digital Omnibus aims to fix that.

For MSPs and IT consultants serving regulated industries — banking, insurance, fintech, healthcare — this convergence is significant. Your incident response playbooks and client communication workflows should already be built with multi-regulation overlap in mind. If they aren't, start there.

The implementing act will be critical to watch. Once it's published in the Official Journal, member state authorities will be required to accept these templates. Until then, your clients still operate under whatever national process their authority has established.

Article 23: A Quick Refresher on the Deadlines

The new templates slot into an existing Article 23 reporting structure. That structure hasn't changed. What changes is what you need to have ready at each stage.

24-hour early warning: Notification to your national CSIRT or competent authority that a significant incident has occurred. "Significant" means the incident causes or could cause severe operational disruption or financial loss, or affects other persons by causing considerable material or non-material damage.

72-hour incident notification: A more detailed report including initial assessment of the incident — severity, indicators of compromise, and any cross-border impact. With common templates now adopted, this report will need to match the structured format once the implementing act is in force.

One-month final report: Full account of the incident including root cause analysis, response actions, and measures taken or planned to prevent recurrence.

The most common failure point for organisations is the jump from 24h to 72h. The early warning often goes out with minimal detail. Then 72 hours arrives and there's no documentation, no structured data, and the incident is still ongoing. Your job as a consultant is to build the process before an incident happens — not during.

NIS2 Incident Reporting Timeline
24h
Early Warning
Notify the competent authority (CSIRT/NCA) within 24 hours of becoming aware of a significant incident.
72h
Incident Notification
Submit a detailed notification within 72 hours with an initial assessment of severity, impact and indicators of compromise.
1mo
Final Report
Deliver a comprehensive final report within one month covering root cause, remediation taken and cross-border impact.

What MSPs and IT Consultants Need to Do Now

1. Map your clients' notification chains

Every client that qualifies as an essential or important entity needs a documented incident notification chain: who triggers the report, who drafts it, who submits it, and to which authority. This sounds basic. Most organisations don't have it written down.

2. Pre-build the template fields into your IR process

Even though the implementing act isn't published yet, the template fields can be anticipated from standard CSIRT intake requirements. Build a draft incident report template now using the expected structured fields. When the official templates are published, you'll need to make minor adjustments — not rebuild from scratch.

3. Clarify your contractual obligations

If you provide managed SOC, incident response, or security monitoring for a NIS2-covered client, check your contract. Are you contractually responsible for submitting incident notifications on their behalf? If so, your SLA timelines need to account for the 24-hour early warning — including nights and weekends.

Many MSP contracts were written before NIS2 was fully enforced. Now that enforcement is live in several member states and the regulatory framework is tightening, those contracts need updating.

4. Build reporting readiness into your gap assessments

A client can have strong technical controls and still fail a regulatory review because their incident reporting process doesn't meet Article 23 requirements. Incident response readiness should be a standalone section in any NIS2 gap analysis you run.

Use the NIS2Certify quick scan to get a baseline on where your clients stand across all Article 21 measures — including incident handling — before their first regulatory contact.

Article 21 — 10 NIS2 Cybersecurity Measures
Article 21
10 Cybersecurity Measures
Governance & Strategy
1Risk analysis & information security policies
6Effectiveness assessment of security measures
Incident & Continuity
2Incident handling & notification
3Business continuity & disaster recovery
Supply Chain & Systems
4Supply chain security
5Security in network & information systems development
Technical Controls
8Cryptography & encryption
10Multi-factor authentication & secure communications
People & Assets
7Cyber hygiene & training
9HR security & access control

The Bigger Picture: Enforcement Is Here

The template adoption didn't happen in a vacuum. It's part of a broader tightening of NIS2 enforcement across the EU in 2026.

Germany's BSI began active enforcement in Q1 2026. Belgium opened its formal conformity assessment window on April 18, 2026 — the first member state to set a hard audit deadline. Italy's ACN categorised entities and set a June 2026 submission deadline. The Netherlands published the Cybersecurity Act and is now running its first review cycles.

France is still finalising its transposition, but ANSSI published the ReCyF (Référentiel Cyber France) v2.5 in March 2026 — a 152-measure framework aligned with NIS2 that French entities are expected to follow even before the law is formally enacted.

What this means: your clients can no longer treat NIS2 as a future problem. Authorities are active, audits are starting, and incident reporting processes will be scrutinised in the first wave of assessments.

For every client you haven't yet assessed: the time to close that gap is now, not after their first incident.

What to Watch Next

Two things to track closely:

The implementing act timeline: The European Commission hasn't published a draft implementing act yet. When it appears in the Official Journal, the clock starts for mandatory adoption. Watch the EUR-Lex feed for anything referencing Article 23 of NIS2.

The Digital Omnibus progress: The proposal for a single incident reporting entry point is still a proposal. But if it moves forward, it will significantly reshape how multi-regulated entities handle reporting. Financial sector MSPs in particular should monitor this closely — it will affect how DORA and NIS2 overlap in practice. See also our post on NIS2 vs DORA for the current state of that overlap.

The Bottom Line

The EU just made incident reporting simpler on paper. In practice, it raises the bar: structured templates mean authorities can now compare and scrutinise reports across member states, and inconsistent or incomplete submissions will stand out.

If your clients don't have a documented, practiced incident reporting process, they're exposed. Not just to fines — but to the kind of regulatory scrutiny that follows poor incident handling.

Start with the process. Get the documentation in place. Then make sure your clients' NIS2 compliance posture reflects it.

→ Run a structured NIS2 readiness assessment for your clients at nis2certify.org/quick-scan.

    NIS2 Incident Reporting Templates Are Now Official: What Changes for Your Clients — NIS2Certify