What is Significant Incident?

A significant incident under NIS2 is a cybersecurity incident that has caused or is capable of causing severe operational disruption of services or financial loss for the entity, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

What is Significant Incident used for?

Significant Incident a significant incident under NIS2 is a cybersecurity incident that has caused or is capable of causing severe operational disruption of services or financial loss for the entity, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. Learn more in the full article above.

How does Significant Incident work?

A significant incident under NIS2 is a cybersecurity incident that has caused or is capable of causing severe operational disruption of services or financial loss for the entity, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. Detailed explanation can be found in the article above.

What is a Significant Incident?

Significant Incident Definition

Significant incident is a term defined in the NIS2 Directive (Article 23), referring to a cybersecurity incident that meets at least one of the following criteria:

Has caused or is capable of causing severe operational disruption of services
Has caused or is capable of causing financial loss for the entity concerned
Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage

Criteria for Significant Incidents under NIS2

The NIS2 Directive introduces specific thresholds, after which an incident is considered significant:

Criterion	Threshold
Affected users	> 100,000 users or > 1% of users in the Member State
Duration	> 24 hours of service unavailability
Geographic scope	Impact on more than one EU Member State
Financial loss	Significant losses (threshold set by Member State)
Personal data	Breach of personal data affecting large numbers of individuals

Incident Reporting Requirements

Essential and important entities under NIS2 are required to report significant incidents within strict timeframes:

Early warning - within 24 hours of becoming aware of the incident
Incident notification - within 72 hours of becoming aware
Final report - within 1 month of incident notification

Difference Between Incident and Significant Incident

Aspect	Incident	Significant Incident
Definition	Any event threatening security	Incident with serious consequences
Reporting obligation	Internal documentation	Report to CSIRT within 24h
Penalties for non-reporting	None	Administrative fines up to €10M
Example	Failed phishing attempt	Ransomware attack paralyzing production

Examples of Significant Incidents

Ransomware attack preventing service delivery for more than 24 hours
Data breach involving personal data of more than 100,000 customers
DDoS attack causing unavailability of critical public services
Supply chain compromise affecting multiple downstream entities

How to Prepare for Significant Incident Reporting

Define criteria - establish internal thresholds for significant incidents
Prepare procedures - develop incident reporting playbooks
Designate responsible persons - determine who reports and to whom
Practice the process - conduct regular tabletop exercises
Automate - implement SOAR tools for automatic notifications

Proper recognition and reporting of significant incidents is a key NIS2 requirement. Organizations must implement processes enabling rapid identification, classification, and reporting of such events to the relevant CSIRT.