Skip to content

Incident reporting and communications

NIS2 incident obligations require both governance readiness and execution evidence. Modulos splits these duties between OFF-15 and MFF-15.

Organization-level reporting governance (OFF-15)

RequirementTopicDirective reference
ORF-289Significant incident and threat communication governanceArt. 23(1)-(2)
ORF-290Significant incident classification procedureArt. 23(3)
ORF-29124-hour early warning procedureArt. 23(4)(a)
ORF-29272-hour incident notification procedureArt. 23(4)(b)
ORF-293Intermediate, final and progress reporting procedureArt. 23(4)(c)-(e)
ORF-298Trust service provider 24-hour incident notification derogationArt. 23(4)(b), second subparagraph
ORF-300Information-sharing participation notification dutyArt. 29(4)
ORF-301Domain registration data governance obligationsArt. 28(1)-(6)
ORF-332Supervisory cooperation and enforcement response governanceArt. 32, 33

AI-system reporting execution (MFF-15)

RequirementTopicDirective reference
MRF-265Significant incident detection and impact assessmentArt. 23(3)
MRF-26624-hour early warning evidence workflowArt. 23(4)(a)
MRF-26772-hour incident notification evidence workflowArt. 23(4)(b)
MRF-268Intermediate, final and progress reporting evidence workflowArt. 23(4)(c)-(e)
MRF-269Recipient notification and threat communication workflowArt. 23(1)-(2)
MRF-271Implementing-regulation significant incident criteria executionArt. 23(3), 23(11)
MRF-272Trust service provider 24-hour incident notification executionArt. 23(4)(b), second subparagraph
MRF-274Domain registration data operations and disclosure executionArt. 28(1)-(6)

Staged reporting timeline in execution terms

StageTypical trigger in workflowNIS2 timing reference
Early warningInitial classification suggests significant incident and includes suspected malicious/unlawful-act and cross-border-impact indicators24 hours
Incident notificationConfirmed materiality and initial impact details72 hours
Intermediate/final/progress reportsOngoing investigation and closure packageArt. 23(4)(c)-(e) sequence, including one-month final report

Where to run this in Modulos

  • Project → Requirements for obligation status tracking
  • Project → Controls for reporting workflow execution and review
  • Project → Evidence for authority notices, timelines, and communication records

Disclaimer

This page is for general informational purposes and does not constitute legal advice.