Appearance
Incident reporting and communications
NIS2 incident obligations require both governance readiness and execution evidence. Modulos splits these duties between OFF-15 and MFF-15.
Organization-level reporting governance (OFF-15)
| Requirement | Topic | Directive reference |
|---|---|---|
ORF-350 | Significant incident determination governance | Art. 23(3) |
ORF-351 | Recipient incident and threat communication | Art. 23(1)-(2) |
ORF-352 | 24-hour early warning procedure | Art. 23(4)(a) |
ORF-353 | 72-hour incident notification procedure | Art. 23(4)(b) |
ORF-354 | Intermediate, final, and progress reporting procedure | Art. 23(4)(c)-(e) |
ORF-358 | Information-sharing arrangement notification duty | Art. 29(4) |
ORF-359 | Voluntary notification governance | Art. 30(1)-(2) |
ORF-360 | Supervisory cooperation and enforcement response | Arts. 32, 33 |
AI-service reporting execution (MFF-15)
| Requirement | Topic | Directive reference |
|---|---|---|
MRF-286 | Significant incident detection and impact assessment | Art. 23(3) |
MRF-287 | Recipient notification and threat communication workflow | Art. 23(1)-(2) |
MRF-288 | 24-hour early warning workflow | Art. 23(4)(a) |
MRF-289 | 72-hour incident notification workflow | Art. 23(4)(b) |
MRF-290 | Intermediate, final, and progress reporting workflow | Art. 23(4)(c)-(e) |
MRF-291 | Implementing-regulation significant-incident criteria execution | Arts. 23(3), 23(11); Reg. 2024/2690 |
MRF-292 | Trust service 24-hour notification workflow | Art. 23(4)(b), second subparagraph |
Staged reporting timeline in execution terms
| Stage | Typical trigger in workflow | NIS2 timing reference |
|---|---|---|
| Early warning | Initial classification suggests significant incident and includes suspected malicious or unlawful-act and cross-border indicators | 24 hours |
| Incident notification | Confirmed materiality and initial impact details | 72 hours |
| Intermediate/final/progress reports | Ongoing investigation and closure package | Art. 23(4)(c)-(e) sequence, including one-month final report |
Special applicability points
ORF-353remains a broad reporting requirement. Trust-service providers then apply the additional 24-hour derogation path described in the requirement text.MRF-292is the AI-service execution requirement for that trust-service-provider special case.MRF-291is only relevant where the supported entity type is covered by Implementing Regulation2024/2690.ORF-358andORF-359are not universal duties; they are relevant when the organization participates in information-sharing arrangements or operates a voluntary-notification path.
Where to run this in Modulos
Project → Requirementsfor obligation status trackingProject → Controlsfor reporting workflow execution and reviewProject → Evidencefor authority notices, timelines, and communication records
Related pages
NIS2 overview
Framework structure and OFF-15/MFF-15 split
Cybersecurity measures
Article 20 and 21 governance and implementation obligations
Scope and applicability
Manual applicability handling, scope decisions, and NIS2 Scope tags
Operationalizing in Modulos
Practical rollout sequence for NIS2 execution
Disclaimer
This page is for general informational purposes and does not constitute legal advice.