Appearance
Incident reporting and communications
NIS2 incident obligations require both governance readiness and execution evidence. Modulos splits these duties between OFF-15 and MFF-15.
Organization-level reporting governance (OFF-15)
| Requirement | Topic | Directive reference |
|---|---|---|
ORF-289 | Significant incident and threat communication governance | Art. 23(1)-(2) |
ORF-290 | Significant incident classification procedure | Art. 23(3) |
ORF-291 | 24-hour early warning procedure | Art. 23(4)(a) |
ORF-292 | 72-hour incident notification procedure | Art. 23(4)(b) |
ORF-293 | Intermediate, final and progress reporting procedure | Art. 23(4)(c)-(e) |
ORF-298 | Trust service provider 24-hour incident notification derogation | Art. 23(4)(b), second subparagraph |
ORF-300 | Information-sharing participation notification duty | Art. 29(4) |
ORF-301 | Domain registration data governance obligations | Art. 28(1)-(6) |
ORF-332 | Supervisory cooperation and enforcement response governance | Art. 32, 33 |
AI-system reporting execution (MFF-15)
| Requirement | Topic | Directive reference |
|---|---|---|
MRF-265 | Significant incident detection and impact assessment | Art. 23(3) |
MRF-266 | 24-hour early warning evidence workflow | Art. 23(4)(a) |
MRF-267 | 72-hour incident notification evidence workflow | Art. 23(4)(b) |
MRF-268 | Intermediate, final and progress reporting evidence workflow | Art. 23(4)(c)-(e) |
MRF-269 | Recipient notification and threat communication workflow | Art. 23(1)-(2) |
MRF-271 | Implementing-regulation significant incident criteria execution | Art. 23(3), 23(11) |
MRF-272 | Trust service provider 24-hour incident notification execution | Art. 23(4)(b), second subparagraph |
MRF-274 | Domain registration data operations and disclosure execution | Art. 28(1)-(6) |
Staged reporting timeline in execution terms
| Stage | Typical trigger in workflow | NIS2 timing reference |
|---|---|---|
| Early warning | Initial classification suggests significant incident and includes suspected malicious/unlawful-act and cross-border-impact indicators | 24 hours |
| Incident notification | Confirmed materiality and initial impact details | 72 hours |
| Intermediate/final/progress reports | Ongoing investigation and closure package | Art. 23(4)(c)-(e) sequence, including one-month final report |
Where to run this in Modulos
Project → Requirementsfor obligation status trackingProject → Controlsfor reporting workflow execution and reviewProject → Evidencefor authority notices, timelines, and communication records
Related pages
NIS2 overview
Framework structure and OFF-15/MFF-15 split
Cybersecurity measures
Article 20 and 21 governance and implementation obligations
Operationalizing in Modulos
Practical rollout sequence for NIS2 execution
Disclaimer
This page is for general informational purposes and does not constitute legal advice.