SkarpSkarp
Get the App

Chapter 7 of 9

Incident Management and Reporting for Essential ICT Operators

Details how essential service and OVI operators, including ICT and digital service providers, must detect, report, and respond to cybersecurity incidents under the law.

10 min readen

1. Why Incident Management Matters for Essential ICT Operators

Essential service operators and Operators of Vital Importance (OVI) sit at the core of national and EU‑level resilience. Since the NIS2 Directive (EU) 2022/2555 entered into force in 2023 and must be fully implemented by EU Member States by October 2024, incident reporting rules have become stricter and more harmonised.

By early 2026 (today), most EU countries have:

  • Transposed NIS2 into national law
  • Designated or updated CSIRTs, national competent authorities, and often a central authority (in your context: ANCI) for cybersecurity incident reporting

For essential and OVI ICT operators, this means:

  • You must detect, classify, and report significant incidents within strict timelines
  • You must coordinate with sectoral CSIRTs and regulators, not just fix the technical problem
  • Your technical incident response plan must embed these legal duties (not be separate from them)

In this 10‑minute module, you will learn how to:

  1. Recognise what counts as a reportable cybersecurity incident
  2. Classify its severity
  3. Follow the mandatory reporting timeline (early warning → incident notification → final report)
  4. Coordinate with ANCI, CSIRTs, and sectoral regulators
  5. Integrate all of this into your technical incident response playbooks.

2. Key Definitions: Incident, Significant Incident, and Operators

To follow the law, you must first use the same language as the law.

2.1 Cybersecurity incident

Under NIS2‑based laws, a cybersecurity incident is typically:

> Any event compromising the availability, authenticity, integrity, or confidentiality of data or services offered by network and information systems.

Examples:

  • Ransomware taking down a hospital’s patient system (availability)
  • Manipulation of sensor data in an energy grid (integrity)
  • Data breach exposing citizens’ IDs (confidentiality)

2.2 Significant incident (reportable incident)

Not every incident is reportable. A significant incident usually meets one or more of these criteria (based on NIS2 Article 23 and national transposition):

  • Number of users affected or service area is large
  • Duration is long enough to disrupt normal operations
  • Geographical spread is substantial
  • Serious impact on economic/ societal activities, public safety, or national security
  • Cross‑border impact (affects more than one Member State)

2.3 Who are we talking about?

  • Essential entities: operators in critical sectors (e.g., energy, transport, health, banking, digital infrastructure, public administration) designated under NIS2‑based national law.
  • Operators of Vital Importance (OVI): a national category (often overlapping with or stricter than NIS2 "essential entities") with extra obligations due to their key role for national security or the economy.
  • Digital/ICT service providers: cloud providers, data centres, DNS services, IXPs, and other digital infrastructure that are themselves designated as essential or OVI.

In the rest of this module, we’ll assume ANCI is your national competent authority and that CSIRTs (general and sectoral) are your main technical coordination partners.

3. Classify These Incidents

Decide whether each scenario is likely reportable (significant) or probably not reportable, based on the criteria you just learned. There is no single perfect answer, but focus on scale, duration, and impact.

  1. Scenario A

A DDoS attack slows your public information website for 15 minutes. Users can still access services, just slightly slower.

  • Your classification:
  1. Scenario B

A misconfiguration exposes 200,000 customer records (including national ID numbers) on the internet for 24 hours before being detected.

  • Your classification:
  1. Scenario C

An internal file server (used only by a small admin team) is encrypted by ransomware. You restore it from backup in 2 hours. No evidence of data exfiltration.

  • Your classification:
  1. Scenario D

A cloud‑based platform supporting multiple hospitals in two Member States goes down for 8 hours due to a cyber attack. Appointments and surgeries are postponed.

  • Your classification:

Reflect:

  • Which scenarios clearly rise to significant level (and why)?
  • Where would you need more data (e.g., exact number of users, cross‑border impact) before deciding?

You can jot down your reasoning as if you were preparing a short note to your CISO about whether to notify ANCI.

4. Mandatory Reporting Timeline & Channels (NIS2 Model)

NIS2 created a three‑stage reporting model that Member States have largely adopted or closely mirrored. Check your national law, but the typical structure for essential/OVI ICT operators is:

4.1 Early Warning (Initial Notification)

  • Deadline: usually 24 hours from becoming aware of a significant incident.
  • Recipients:
  • ANCI (national competent authority)
  • Often national or sectoral CSIRT (either directly or via ANCI)
  • Content (high‑level):
  • Basic description of the incident (type of attack, affected services)
  • Whether it appears intentional or malicious
  • Any cross‑border impact or suspected
  • Initial assessment of impact and urgency

4.2 Incident Notification (Detailed Report)

  • Deadline: typically within 72 hours of becoming aware.
  • Content (more detailed):
  • Confirmed scope: systems, services, users affected
  • Technical details known so far (attack vector, malware used, etc.)
  • Mitigation and containment steps already taken
  • Initial assessment of root cause
  • Whether law enforcement has been involved

4.3 Final Report (Post‑Incident Report)

  • Deadline: varies by country (often 1 month after resolution or after the 72‑hour report). Check your national rules.
  • Content:
  • Root cause analysis
  • Full impact assessment (including economic and societal)
  • Detailed timeline of events and response
  • Long‑term remediation and lessons learned
  • Measures taken to prevent recurrence

4.4 Channels

Common channels include:

  • Secure national reporting portals (often operated by ANCI or the national CSIRT)
  • Encrypted email to a designated incident reporting address
  • In some countries, 24/7 hotline for urgent incidents

Key point: Your internal incident response plan must explicitly state:

  • Who submits each report
  • How (which portal/email/phone)
  • What information must be collected by technical teams in time to meet the 24h / 72h deadlines.

5. Quick Check: Reporting Timeline

Test your understanding of the typical NIS2‑based reporting sequence.

A hospital’s electronic health record system (an essential service) is hit by ransomware. The service is disrupted for several hours and may affect patients in two Member States. Under a typical NIS2‑based regime, what is the **first formal step** the hospital must take once it recognises this is a significant incident?

  1. Submit a final report with full root cause analysis to ANCI within one month
  2. Send an early warning / initial notification to ANCI (and relevant CSIRTs) within about 24 hours
  3. Wait until the system is fully restored, then send a single consolidated report within 72 hours
Show Answer

Answer: B) Send an early warning / initial notification to ANCI (and relevant CSIRTs) within about 24 hours

The first step is an **early warning / initial notification** within about **24 hours** of becoming aware of a significant incident. The 72‑hour notification and final report come later, with more detail.

6. Integrating Legal Duties into the Technical Incident Response Cycle

A mature ICT incident response process should align with both technical best practice (e.g., NIST, ISO/IEC 27035) and legal reporting duties (NIS2‑based national law).

A practical way is to overlay legal checkpoints on your usual incident response phases:

Phase 1 – Detection & Triage

  • Technical tasks: monitoring alerts, initial investigation, confirming whether it’s a real incident.
  • Legal overlay:
  • Quickly assess: Could this be significant? (impact, duration, users, cross‑border)
  • Start a legal/ regulatory impact checklist (e.g., NIS2, GDPR, sectoral rules).

Phase 2 – Classification & Escalation

  • Technical tasks: assign severity (e.g., SEV1/2/3), identify affected systems.
  • Legal overlay:
  • If potentially significant, immediately notify the internal incident manager / CISO and compliance/legal.
  • Trigger the 24‑hour early‑warning clock.

Phase 3 – Containment & Mitigation

  • Technical tasks: isolate affected systems, block malicious IPs, switch to backups.
  • Legal overlay:
  • Document actions and timestamps (needed for the 72‑hour and final reports).
  • Coordinate with CSIRTs if they provide technical guidance (e.g., IOCs, recommended countermeasures).

Phase 4 – Communication & Reporting

  • Technical tasks: keep stakeholders updated, maintain status dashboards.
  • Legal overlay:
  • Submit early warning and 72‑hour notification to ANCI/CSIRT.
  • If personal data is involved, coordinate with data protection officer for GDPR notifications.

Phase 5 – Recovery & Lessons Learned

  • Technical tasks: restore services, validate systems, close incident.
  • Legal overlay:
  • Prepare and submit the final report (root cause, impact, preventive measures).
  • Update policies, controls, and playbooks to reflect lessons learned.

Key takeaway: Legal reporting is not an afterthought; it is built into each phase of your technical response.

7. Example: Embedding Reporting in an Incident Runbook (Pseudocode)

Below is a pseudocode / workflow sketch showing how an ICT operator might embed NIS2‑style reporting into an automated incident management process. This is not meant to be run directly, but to illustrate where legal checks sit in the flow.

8. Coordination with CSIRTs and Other Authorities: A Walkthrough

Imagine you are the incident manager at a cloud provider designated as an OVI.

Scenario

At 03:00, your monitoring detects suspicious lateral movement in your data centre network. By 04:00, you confirm:

  • Attackers accessed control systems for virtual machines
  • Several customer environments (including a major hospital and a payment processor) may be affected
  • Indicators suggest a targeted, sophisticated attack with possible cross‑border impact

Step‑by‑step coordination

  1. Internal escalation (by 04:15)
  • Classify as SEV1 / critical.
  • Notify CISO, SOC lead, legal, DPO, and CEO.
  1. Early warning to ANCI & national CSIRT (by ~05:00)
  • Use the secure portal to submit:
  • Description: suspected compromise of hypervisor management plane
  • Affected sectors: health, financial services
  • Potential cross‑border impact: some customers in two Member States
  • Initial mitigation: segmented affected clusters, blocked suspicious accounts
  1. Sectoral coordination
  • ANCI forwards details to sectoral CSIRTs (e.g., health, finance) or instructs you to inform them directly.
  • Sectoral CSIRTs may:
  • Share additional IOCs and recommended firewall rules
  • Coordinate with other affected entities using the same cloud provider
  1. 72‑hour notification
  • By this time, you know:
  • Exact number of affected tenants
  • Whether data exfiltration occurred
  • Which regions and Member States are impacted
  • You submit a detailed incident notification including:
  • Updated technical indicators
  • Forensic snapshots and logs (or summary thereof)
  • Planned long‑term mitigation (e.g., hypervisor hardening, new access controls)
  1. Final report (after resolution)
  • You coordinate with ANCI, sectoral CSIRTs, and possibly law enforcement to:
  • Share a full attack narrative
  • Publish sanitised advisories to other cloud customers
  • Update your obligations under contracts and SLAs

This example shows technical, legal, and sectoral coordination happening in parallel, not sequentially.

9. Applying the Rules: Who Do You Notify?

Use this question to connect incident facts to the correct escalation path.

You run an essential digital infrastructure service (DNS resolver) designated under your country’s NIS2 law. A configuration error plus a DDoS attack causes a 6‑hour outage affecting millions of users in your country and noticeable impact in a neighbouring Member State. Which **combination** of notifications is most appropriate?

  1. Notify only affected customers; this is an internal technical issue, not for authorities
  2. Notify ANCI and the national CSIRT (and, if instructed or required, relevant sectoral CSIRTs); also inform major affected customers
  3. Notify only the data protection authority, because user data might have been at risk
Show Answer

Answer: B) Notify ANCI and the national CSIRT (and, if instructed or required, relevant sectoral CSIRTs); also inform major affected customers

This is a **significant incident** for an essential digital infrastructure operator with **cross‑border impact**. You must notify **ANCI** and the **national CSIRT**, and likely coordinate with **sectoral CSIRTs** as directed. Customer and possibly data‑protection notifications may also be relevant, but they do not replace NIS2‑style reporting.

10. Review Key Terms and Concepts

Use these flashcards to reinforce the core ideas from this module.

Cybersecurity incident
Any event that compromises the availability, authenticity, integrity, or confidentiality of data or services provided by network and information systems.
Significant incident
An incident with substantial impact (e.g., many users, long duration, critical services, or cross‑border effects) that triggers **mandatory reporting** under NIS2‑based laws.
Early warning (initial notification)
A short‑form report, typically due within **24 hours** of becoming aware of a significant incident, providing high‑level information to ANCI and CSIRTs.
72‑hour notification
A more detailed incident report submitted within about **72 hours**, including scope, impact, and initial technical details.
Final report
A comprehensive post‑incident report (often within about a month) covering root cause, full impact, timeline, and long‑term mitigation measures.
CSIRT
Computer Security Incident Response Team – a specialised team (national or sectoral) that assists with incident handling, information sharing, and coordinated response.
OVI (Operator of Vital Importance)
A nationally designated operator whose services are crucial for national security or the economy and therefore subject to **stricter cybersecurity obligations** than standard essential entities.
Integrating legal duties into IR
Designing incident response processes so that **legal reporting checkpoints** (24h, 72h, final report) are embedded into technical detection, containment, and recovery workflows.

Key Terms

ANCI
In this module’s context, the national competent authority responsible for overseeing cybersecurity obligations and receiving incident notifications from essential and OVI operators.
CSIRT
Computer Security Incident Response Team, an organisation (national or sectoral) that provides support and coordination for preventing, detecting, and responding to cybersecurity incidents.
Final report
The comprehensive post‑incident document submitted after resolution, summarising root cause, impact, response, and long‑term corrective measures.
Early warning
The first, high‑level notification sent to authorities shortly after detecting a significant incident, intended to alert them quickly even before full details are known.
NIS2 Directive
Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, which updated and replaced the original NIS Directive and is the main EU framework for incident reporting by essential and important entities.
Sectoral CSIRT
A CSIRT dedicated to a specific sector (e.g., health, finance, energy), working closely with entities in that sector and coordinating with the national CSIRT and competent authorities.
Essential entity
An organisation operating in a critical sector (such as energy, transport, health, banking, digital infrastructure, or public administration) that is designated under NIS2‑based national law and subject to stringent cybersecurity and incident reporting duties.
Significant incident
A cybersecurity incident that meets legal thresholds for mandatory reporting, typically based on impact on users, duration, geographic spread, criticality of services, and cross‑border effects.
Cross‑border impact
When an incident in one Member State affects services, users, or infrastructure in at least one other Member State, increasing its significance and coordination requirements.
Incident notification
The more complete report (often at about 72 hours) that provides detailed information about a significant incident, including impact, technical characteristics, and mitigation steps.
Incident response (IR)
The set of processes and activities used by an organisation to detect, analyse, contain, eradicate, and recover from cybersecurity incidents.
Operator of Vital Importance (OVI)
A national category for entities whose disruption would have a very serious impact on national security or the economy; they face enhanced cybersecurity and reporting obligations, often aligned with or stricter than NIS2 requirements.