E-time | the software company
What is a cybersecurity significant incident under NIS 2
The NIS 2 Directive introduces the concept of “significant incidents”, meaning events that have caused, or could potentially cause, a serious disruption to the operational continuity of services or significant financial losses for an organization.
Compared to the GDPR definition of a data breach, which focuses primarily on the violation of confidentiality, integrity, and availability of personal data, the NIS 2 approach is broader and more comprehensive. The regulation also considers incidents that cause significant material or immaterial harm to individuals or legal entities.
Furthermore, the Directive extends its scope to include events that, although they have not yet produced an immediate concrete impact, present a high risk of negative consequences. This means that potentially harmful situations become relevant regardless of whether the effect has already occurred.
Types of security incidents under NIS 2
Guidelines from the Italian National Cybersecurity Agency (ACN) classify reportable significant incidents into four main macro-categories:
- Confidentiality breach: includes cases of data exfiltration to unauthorized external parties.
- Integrity loss: refers to unauthorized modifications of data that may produce relevant external effects.
- Service level violation: occurs, for example, when a cloud service experiences an outage that exceeds contractually agreed thresholds.
- Unauthorized access or privilege abuse: includes cases where no actual data theft occurs, but system security is still compromised.
At the European level, the European Commission further refines these criteria by introducing quantitative and sector-specific thresholds.
Discover Rexpondo, the ticketing platform that supports compliance with NIS 2 requirements.
Incident reporting obligations under NIS 2
In addition to the general obligations of the NIS 2 Directive, the regulation establishes a multi-stage incident reporting process with strict timelines and mandatory communication to competent authorities such as CSIRT Italy and ACN.
- Early warning (within 24 hours): the process begins with a prompt notification to be sent within 24 hours from the moment the organization becomes aware of a significant incident. This initial phase provides a preliminary overview of the event and available information.
- Formal notification (within 72 hours): within 72 hours, a complete incident report must be submitted, updating and expanding the initial data. This stage includes a more accurate assessment of the severity of the event and any identified indicators of compromise.
- Final report (within 1 month): within one month, a final report must be delivered, containing a detailed analysis of the incident. It includes the root causes, the overall impact on the organization, and the corrective and preventive measures implemented to avoid recurrence.
How to manage a cybersecurity incident under NIS 2
To ensure effective incident management and regulatory compliance, organizations must adopt a proactive, metric-based security approach, aligned with measure DE.CM-01. They should first define their normal operational baseline through a Business Impact Analysis (BIA), which establishes the expected service levels and the corresponding tolerance thresholds.
Based on this, continuous monitoring of networks, systems, and services becomes essential to promptly detect deviations from defined parameters. When these deviations exceed established thresholds and qualify as a significant incident, the organization must immediately activate its incident response plan.
The procedures include impact assessment, implementation of containment and mitigation measures, and timely submission of the mandatory pre-notifications required by applicable regulations.
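The procedure above (baseline from the BIA, continuous monitoring against tolerance thresholds, activation of the response plan and the 24-hour / 72-hour / one-month notifications) can be made concrete in code. The following is an added example written for this page; it is not Rexpondo code and not part of the original article. The service name, threshold values, monitoring samples and awareness time are constructed, the function names are hypothetical, and "one month" is assumed to mean the same calendar day of the following month (clamped to that month's last day), which is an interpretation the article does not specify.

```python
"""Threshold-based service monitoring plus NIS 2 notification deadlines.

Added illustration (not Rexpondo code, not from the article): an availability
baseline with tolerance thresholds, a check of monitoring samples against it,
and the three reporting deadlines counted from the moment of awareness.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import calendar


@dataclass(frozen=True)
class ServiceBaseline:
    """Expected service level and tolerance thresholds (the output of a BIA).
    The values used below are constructed for the example, not from any real contract."""
    name: str
    min_availability: float   # minimum fraction of successful checks in the window
    max_outage_minutes: int   # longest contiguous downtime tolerated by contract


@dataclass(frozen=True)
class Sample:
    ts: datetime
    up: bool


def availability(samples):
    return sum(1 for s in samples if s.up) / len(samples)


def longest_outage(samples):
    """Longest contiguous failing span. An outage runs from the first failed
    check to the first successful check after it (or to the last sample if the
    service is still down at the end of the window)."""
    ordered = sorted(samples, key=lambda s: s.ts)
    longest = timedelta(0)
    start = None
    for s in ordered:
        if not s.up and start is None:
            start = s.ts
        elif s.up and start is not None:
            longest = max(longest, s.ts - start)
            start = None
    if start is not None:
        longest = max(longest, ordered[-1].ts - start)
    return longest


def evaluate(baseline, samples):
    """Compare a monitoring window against the baseline and list every
    threshold that was exceeded; any breach marks the event as a service
    level violation in the sense used by the article."""
    avail = availability(samples)
    outage = longest_outage(samples)
    breaches = []
    if avail < baseline.min_availability:
        breaches.append(f"availability {avail:.3f} below agreed {baseline.min_availability:.3f}")
    if outage > timedelta(minutes=baseline.max_outage_minutes):
        breaches.append(f"outage of {outage.total_seconds() / 60:.0f} min exceeds agreed {baseline.max_outage_minutes} min")
    return {
        "service": baseline.name,
        "availability": avail,
        "longest_outage_minutes": outage.total_seconds() / 60,
        "breaches": breaches,
        "significant": bool(breaches),
    }


def add_one_month(t):
    """Assumption: 'one month' is the same calendar day of the next month,
    clamped to that month's last day (31 Jan -> 28/29 Feb)."""
    year = t.year + t.month // 12
    month = t.month % 12 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def nis2_deadlines(aware_at):
    """The three NIS 2 reporting deadlines, all counted from awareness."""
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "formal_notification": aware_at + timedelta(hours=72),
        "final_report": add_one_month(aware_at),
    }


# --- constructed sample data (not real measurements) -------------------------
BASELINE = ServiceBaseline("customer-portal", min_availability=0.99, max_outage_minutes=30)
WINDOW_START = datetime(2024, 3, 10, 8, 0, tzinfo=timezone.utc)
# One check per minute for two hours; checks 30..74 fail (45 minutes down).
SAMPLES = [Sample(WINDOW_START + timedelta(minutes=i), up=not (30 <= i < 75)) for i in range(120)]
# The on-call engineer confirms the incident at 09:15 UTC; the deadlines run from here.
AWARE_AT = datetime(2024, 3, 10, 9, 15, tzinfo=timezone.utc)


def run_example():
    result = evaluate(BASELINE, SAMPLES)
    result["deadlines"] = nis2_deadlines(AWARE_AT) if result["significant"] else None
    return result


if __name__ == "__main__":
    r = run_example()
    print(r["service"], "significant" if r["significant"] else "within tolerance")
    for b in r["breaches"]:
        print(" -", b)
    for stage, due in (r["deadlines"] or {}).items():
        print(f"{stage:>20}: {due.isoformat()}")
```

The deadlines are anchored to the moment of awareness rather than to the start of the outage, which is the clock the article describes; an organization that detects the breach late still owes the early warning 24 hours after it becomes aware, so the monitoring side of the example matters as much as the deadline arithmetic.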
Rexpondo and incident management
Rexpondo is a ticketing and IT Service Management (ITSM) platform designed to track, organize, and manage support requests and security incidents in a structured way, including those that may compromise IT service continuity.
The system aims to ensure rapid restoration of normal operations, reducing business impact and service downtime.
A key feature of Rexpondo is priority management based on objective impact and urgency criteria. Incident classification can be performed manually by service desk operators or automatically assigned by the system.
Through a structured incident management approach, full event traceability, and support for fast and measurable response processes, Rexpondo helps organizations align with NIS 2 Directive requirements for incident management and reporting.
Discover how to be compliant with the NIS 2 Directive