The NIS2 Directive is an important step toward harmonizing the approach to cybersecurity across the European Union. The new regulations clearly define how organizations should prepare for incidents, how to manage them, and who is responsible for this. Check what NIS2 means in practice and how to realistically prepare for it.
What will you find in the article? The most frequently asked questions about NIS2 and incident management
Below we have gathered the most frequently asked questions regarding the NIS2 Directive and the practical aspects of managing security incidents.
1. Which entities are covered by the NIS2 Directive?
NIS2 covers essential and important entities, mainly medium and large organizations operating in sectors critical to the functioning of the state and the economy.
2. What information should an incident report contain?
An incident report should include, among other things, a description of the event, its causes, effects, severity, as well as corrective and preventive actions taken.
3. What is the difference between a security incident and an IT failure?
A security incident concerns a breach of confidentiality, integrity or availability of systems, while an IT failure does not always meet the criteria of an incident within the meaning of NIS2.
4. What are the deadlines and requirements for incident reporting under NIS2?
NIS2 introduces an obligation to submit an early warning within 24 hours, a full report within 72 hours, and a final report after the incident has been resolved.
NIS2 – current status and key deadlines
Let us start with the specifics: what is the NIS2 Directive and whom does it apply to? It is an EU regulation establishing a common framework for the protection of information systems and data in sectors critical to the functioning of the state and the economy. It extends the 2016 regulations (the original NIS Directive) and responds to the growing number and complexity of cyberattacks. In Poland, NIS2 is being implemented through amendments to the regulations governing the national cybersecurity system, which expand the scope of obligations for organizations covered by the regulation.
The new requirements cover both public institutions and private entities operating, among others, in areas such as energy, banking, healthcare or digital infrastructure. NIS2 places particular emphasis on risk management, incident reporting and having an up-to-date business continuity plan that allows the organization to maintain operations even in the event of a serious disruption.

Scope of application of NIS2 – who is covered by the new regulations?
The new regulations significantly expand the range of organizations obliged to ensure compliance with NIS2. The Directive introduces a division into essential and important entities, mainly covering medium and large companies whose activities are of significant importance for the stability of the state, the economy and information security.
Essential entities:
- energy;
- transport;
- banking and financial market infrastructure;
- healthcare;
- drinking water supply and distribution;
- wastewater;
- digital infrastructure;
- ICT service management;
- space.
Important entities:
- postal services;
- waste management;
- digital service providers;
- scientific research.
NIS2 places strong emphasis on risk management across the entire supply chain. Organizations must assess the level of IT security of their suppliers and subcontractors, including areas such as endpoint security, vulnerability management, penetration testing and incident response. In practice, this means that even companies not formally covered by NIS2 may be required to meet its requirements as elements of the supply chain.
In this context, tools such as OXARI CMDB support the identification of technological dependencies and the assessment of risks associated with infrastructure and external services.
NIS2 requirements for incident management
The NIS2 Directive specifies requirements for incident management, emphasizing a clear distinction between cybersecurity incidents and typical IT failures. An incident within the meaning of NIS2 is an event that actually affects the security of networks and information or the continuity of services, and not every technical outage or application error. Proper classification of events and consistent reporting processes in line with the national cybersecurity system are of key importance.
An incident is considered serious if it causes a significant deterioration in the quality of services, their disruption, financial losses, or harm to users or other entities. The thresholds for this classification are defined in separate implementing regulations, so organizations must have clearly defined procedures for assessing the risk and impact of events as part of cybersecurity risk management.
NIS2 introduces a staged model of incident reporting to the competent CSIRT (Computer Security Incident Response Team):
- up to 24 hours – early warning, including information about the occurrence of the incident, the time of detection, whether it is suspected to be of an unlawful nature, and its possible cross-border impact. At this stage, it is also possible to request technical support;
- up to 72 hours – full incident report, containing a description of causes, severity, impact on services and applied preventive and corrective measures;
- upon request of CSIRT – status report updating the handling of the incident and actions taken;
- up to one month after the incident is resolved – final report documenting root causes, applied risk mitigation measures and possible cross-border effects.
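The staged timeline above is easy to get wrong in practice because two of the deadlines run from detection, one runs from resolution, and one has no fixed deadline at all. The tracker below is an added example written for this article (it is not OXARI code and not part of the original text): it computes the stage deadlines from the detection and resolution times, treats the CSIRT status report as on-request only, and reports which stages are due, overdue or submitted late. The "one month" rule is implemented as calendar-month arithmetic clamped to the last valid day, which is an assumption; all incident data is constructed.

```python
"""Deadline tracker for the staged NIS2 incident-reporting model.

Added example, not part of the original article and not OXARI code.
Assumptions: 24h/72h stages run from the detection time, the final report
runs one calendar month from the resolution time, and the status report is
due only when the CSIRT has asked for it. All sample data is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

EARLY_WARNING = "early_warning"   # up to 24h after detection
FULL_REPORT = "full_report"       # up to 72h after detection
STATUS_REPORT = "status_report"   # only upon request of the CSIRT
FINAL_REPORT = "final_report"     # up to one month after resolution


def add_one_month(dt: datetime) -> datetime:
    """Same day next month, clamped to the last day of that month
    (31 Jan -> 29 Feb in a leap year). Time of day and tzinfo are kept."""
    year = dt.year + dt.month // 12
    month = dt.month % 12 + 1
    first_of_following = datetime(year + month // 12, month % 12 + 1, 1, tzinfo=dt.tzinfo)
    last_day = (first_of_following - timedelta(days=1)).day
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


@dataclass
class Incident:
    ident: str
    detected_at: datetime                       # timezone-aware
    resolved_at: Optional[datetime] = None
    csirt_status_requested_at: Optional[datetime] = None
    submitted: dict = field(default_factory=dict)   # stage -> submission time


def reporting_deadlines(inc: Incident) -> dict:
    """Stage -> deadline. The final report has no deadline until resolution;
    the status report has no statutory deadline, so it is never listed here."""
    deadlines = {
        EARLY_WARNING: inc.detected_at + timedelta(hours=24),
        FULL_REPORT: inc.detected_at + timedelta(hours=72),
    }
    if inc.resolved_at is not None:
        deadlines[FINAL_REPORT] = add_one_month(inc.resolved_at)
    return deadlines


def stage_status(inc: Incident, now: datetime) -> dict:
    """Stage -> one of: due, overdue, submitted, submitted_late,
    awaiting_resolution (final report), requested / not_requested (status report)."""
    status = {}
    deadlines = reporting_deadlines(inc)
    for stage in (EARLY_WARNING, FULL_REPORT, FINAL_REPORT):
        deadline = deadlines.get(stage)
        sent = inc.submitted.get(stage)
        if deadline is None:
            status[stage] = "awaiting_resolution"
        elif sent is not None:
            status[stage] = "submitted" if sent <= deadline else "submitted_late"
        elif now > deadline:
            status[stage] = "overdue"
        else:
            status[stage] = "due"
    if STATUS_REPORT in inc.submitted:
        status[STATUS_REPORT] = "submitted"
    elif inc.csirt_status_requested_at is not None:
        status[STATUS_REPORT] = "requested"
    else:
        status[STATUS_REPORT] = "not_requested"
    return status


def overdue_stages(inc: Incident, now: datetime) -> list:
    """Stages whose deadline has passed without a submission, for alerting."""
    return [s for s, v in stage_status(inc, now).items() if v == "overdue"]


# Constructed sample: detected on 31 Jan, early warning sent the same evening,
# resolved on 2 Feb, full report still not sent when we look on 4 Feb.
UTC = timezone.utc
SAMPLE = Incident(
    ident="INC-EXAMPLE-001",
    detected_at=datetime(2024, 1, 31, 10, 0, tzinfo=UTC),
    resolved_at=datetime(2024, 2, 2, 8, 0, tzinfo=UTC),
    submitted={EARLY_WARNING: datetime(2024, 1, 31, 20, 0, tzinfo=UTC)},
)
CHECK_TIME = datetime(2024, 2, 4, 12, 0, tzinfo=UTC)

if __name__ == "__main__":
    for stage, deadline in reporting_deadlines(SAMPLE).items():
        print(f"{stage:14s} deadline {deadline.isoformat()}")
    print(stage_status(SAMPLE, CHECK_TIME))
    print("overdue:", overdue_stages(SAMPLE, CHECK_TIME))
```

Run as a script it prints the deadlines and shows the full report as overdue (the 72-hour window closed on 3 Feb at 10:00 UTC) while the final report is merely due. Hooking `overdue_stages` to a scheduler or an ITSM workflow is the natural next step; the functions return plain values so they can be asserted on in tests.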
Meeting these assumptions requires not only implementing appropriate procedures, but also tools supporting the registration, analysis and reporting of events. In practice, organizations increasingly use ITSM systems with Pink Elephant certification, which organize incident handling, provide a full audit trail of actions and effectively support compliance with NIS2 in the daily work of IT and security teams.
Incident reporting and handling procedure and the role of management
The NIS2 Directive organizes the way incidents are reported and handled, clearly separating responsibilities between technical teams, designated units and top management. The procedure is intended to ensure consistency of operational, formal and managerial actions – especially in situations with significant impact on IT security and service continuity.
What does the incident reporting procedure look like?
If the incident concerns information security and constitutes a breach of personal data protection, the organization is also obliged to report it to the President of the Personal Data Protection Office (UODO). The reporting channels are defined as follows:
- notifications and reports submitted via the ICT system of the Ministry of Digital Affairs;
- in emergency situations, the method of reporting is determined by the competent CSIRT in an official communication;
- in public entities, notifications are carried out by units designated under the National Cybersecurity System Act (KSC), which may impose internal reporting deadlines.
Informing recipients and the public
In the case of serious threats:
- the organization may be obliged to inform service recipients;
- CSIRT or the competent authority may independently inform the public if the collective interest requires it.
Role of management and top executives
NIS2 significantly strengthens the responsibility of management for cybersecurity risk management. Key responsibilities of management include:
- approving and supervising security measures;
- ensuring compliance of actions with regulations and internal policies;
- participation in cybersecurity training;
- organizing regular training for employees;
- responsibility for failure to fulfill obligations.
Violations may result in financial penalties, certification restrictions or – in extreme cases – a ban on performing managerial functions (excluding public entities). In practice, NIS2 forces incidents to be treated as an integral part of the business continuity plan. This means that operational technology security, response procedures and managerial decisions must be coherent and prepared in advance, not only at the moment of crisis.
Consequences of violations and sanctions under NIS2
The NIS2 Directive clearly states that responsibility for incident management and cybersecurity lies directly with the top management of essential and important entities. This responsibility cannot be delegated or excluded – even if tasks are operationally carried out by IT teams. In practice, this means the need for real supervision over security policy, risk assessment and implementation of an effective business continuity plan.
In the case of collective bodies, failure to designate a responsible person means that consequences apply to all members of the management board, emphasizing the strategic nature of cybersecurity in the organization.
Systemic approach to NIS2 implementation
Implementing NIS2 requires moving away from ad hoc actions toward a coherent, process-based cybersecurity management model. Of key importance is linking incident management with full visibility of assets and ongoing monitoring of digital infrastructure. An asset register based on CMDB and OXARI Asset Management makes it possible to clearly determine which systems and services are affected by an incident, what dependencies exist between elements of the IT environment, and what the real impact of the event on business continuity may be.
The systemic approach includes in particular:
- identification of the entity and roles responsible for cybersecurity and communication with CSIRT;
- implementation of a coherent cybersecurity risk management model covering assets, users and suppliers;
- central repository of data on assets, vulnerabilities and incidents;
- continuous monitoring of the IT environment and rapid detection of anomalies;
- formal procedures for incident response, reporting and documentation;
- maintenance of business continuity plans and resilience of critical services;
- periodic audits and testing of the effectiveness of implemented mechanisms.
Understood in this way, cybersecurity ceases to be a one-time project and becomes a permanent, measurable process supporting compliance with NIS2 and real organizational resilience.
OXARI support in meeting NIS2 requirements
Meeting NIS2 standards requires not only knowledge of regulations, but above all efficient tools supporting daily operational activities. OXARI enables centralized management of incidents, assets and dependencies in IT infrastructure, facilitating risk assessment, reporting to CSIRT and maintaining service continuity. A systemic approach, compliance with ITSM best practices and flexibility during tool implementation mean that thanks to OXARI, organizations gain real control over cybersecurity.
If you want to prepare your organization for NIS2 in an orderly and practical way – contact the OXARI team and let’s talk about a possible implementation scenario.