NIS2 Reporting Obligations for Companies: Deadlines and Practical Implementation

Last updated: 05.05.2026
The NIS2 Implementation Act has been in force since December 6, 2025. From now on, compliance officers must report significant security incidents within 24 hours. This guide shows you what other deadlines apply and how to safely meet them in an emergency.
Key Takeaways
  • Companies affected by NIS2 must report significant security incidents to the BSI within 24 hours.
  • Incidents are considered reportable if they significantly disrupt business operations, cause financial losses, or harm third parties.
  • The deadline begins as soon as the incident is known, and the BSI advises: Speed takes precedence over completeness.
  • NIS2 stipulates a three-stage reporting process: 24 hours for the early warning, 72 hours for the follow-up report, one month for the final report.
  • Violations of the reporting obligation can be punished with fines of up to 10 million euros.

What is the NIS2 reporting obligation?

The NIS2 reporting obligation is regulated in §32 NIS2UmsuCG and obliges essential and important entities to report significant security incidents to the Federal Office for Information Security (BSI). The obligation applies to companies that

  • have 50 or more employees
  • or an annual turnover of 10 million euros,
  • and operate in one of the 18 regulated sectors.

Affected companies should take reporting obligations and deadlines particularly seriously: The BSI has repeatedly stated that it will impose fines on companies that fail to comply with their reporting obligations. Organizations not only risk financial losses as a result, but also come under the BSI's scrutiny. They can then ill afford any further missteps.

When does an incident become reportable under NIS2?

Not every security incident triggers the reporting obligation. What constitutes a “significant security incident” is defined by §32 NIS2UmsuCG based on three criteria:

Serious operational disruption

🚧 Services are unavailable or only partially available.

👉 Example: Ransomware encrypts production systems and operations cease for 48 hours.

Financial losses

💸 Significant economic damage to the organization.

👉 Example: CEO fraud involving a transfer of 500,000 euros.

Damage to third parties

🤕 Tangible or intangible damage to natural or legal persons.

👉 Example: Data leak involving 50,000 customer records.

Important to know: An incident doesn't necessarily need to have caused damage yet. It's enough that a significant potential for damage exists. A DDoS attack that takes down the webshop for two hours is not automatically reportable; a ransomware attack that encrypts production systems almost always is. When in doubt, the BSI recommends: report rather than wait.

When an incident occurs: The three-stage reporting process and the NIS2 reporting deadlines

The NIS2 reporting obligation begins the moment you or your team become aware of a security incident, not only when the analysis is complete. The initial report therefore doesn't have to be perfect, but it must be submitted on time.

The following overview shows when and what information the BSI requests from an attacked company.

| Stage | Reporting Deadline | Content |
| :--- | :--- | :--- |
| **1. Early Warning** | Within 24 hours. Important: the deadline begins upon becoming aware of the incident. | Classification of the incident; preliminary description of the disruption and its impact; key timestamps: occurrence, detection, current status; affected sectors and critical assets; suspected motive/background; contact information for follow-up questions |
| **2. Follow-up Notification** | Within 72 hours. The follow-up notification updates the early warning with the findings of the initial analysis. | Detailed root cause analysis; indicators of compromise and exploited vulnerabilities; information on law enforcement and cooperation with authorities; countermeasures taken |
| **3. Final Report** | Due as soon as the incident has been resolved, but no later than 1 month after the early warning. | Detailed description of the incident including severity; type and cause of the threat; comprehensive description of remediation measures and cross-border impact |

Here's how reporting via the BSI portal works in practice

NIS2 incidents are reported online via the central BSI Reporting and Information Portal (MIP). Important to know:

  • Is your company already registered? Then submit the report directly through your portal access.
  • Is your company not yet registered? Then incidents must be reported via an online form within the MIP.

When submitting a NIS2 report, companies should note the following points:

  • Confirmation and Availability: The BSI confirms receipt of every report within 24 hours and, if necessary, contacts the designated contact person with queries or recommendations for action. Therefore, the contact person should be reachable even outside business hours in the hours following the initial report.
  • Cancellations are not possible: Reports cannot be withdrawn. However, incorrect information can be corrected in a subsequent report. Especially for early warnings, the rule is: an incorrect report is better than no report at all.
  • Documentation in the ISMS: Do you already have an Information Security Management System (ISMS) established? Then the reporting channels should be part of your incident management documentation. This ensures clarity and traceability.

Who is authorized to submit the NIS2 report to the BSI?

Generally, any employee of your company can report incidents. You can also engage external service providers for reporting. However, please note that the responsibility remains with your company.

How companies efficiently comply with NIS2 reporting deadlines and obligations

To ensure you don't stumble at the initial report in the event of an incident, thorough preparation is indispensable. This way, you won't lose time in an emergency and can focus on resolving the damage and answering affected parties' questions. The following measures will help you prepare:

  • Prepare a reporting template: Create a pre-filled form with all mandatory BSI fields. In an emergency, you only need to fill in the variable information. This saves valuable time that you can instead use for incident response.
  • Develop a decision-making guide: Not every incident is reportable. Create an easy-to-understand overview that clarifies when incidents must be reported to the BSI, by what deadline, and whether data protection authorities or international authorities also need to be informed.
  • Clearly assign responsibilities: Early on, define who is authorized to report, who coordinates decisions with management, and who has access to the BSI reporting portal. Also, designate backups for each position.

Example: What to do in the first hour after an incident is detected

Hackers attack an industrial company with ransomware and encrypt its production systems. IT reports the incident at 2:30 PM. From this point, the company has 24 hours to submit an early warning to the BSI.

In an emergency, the process after an incident is detected is as follows:

  • Convene the pre-defined incident response team
  • Inform management with the facts
  • Check if personal data is affected
  • Fill out the template and send it to the BSI

How to prepare your company for NIS2 reporting

The NIS2 reporting obligation is not a bureaucratic act that you can improvise in an emergency. 24 hours is too short for that.

  • Establish a well-documented incident response process with clear escalation levels.
  • Create a pre-filled reporting template with all mandatory BSI fields.
  • Designate primary individuals responsible for submitting reports and deputies as backup.
  • Coordinate your processes for NIS2 and GDPR reporting.
  • Conduct at least one tabletop exercise per year.
  • Train employees who need to identify and report incidents.

What are the consequences of violating the NIS2 reporting obligation?

Anyone who fails to meet the reporting obligation risks significant fines.

  • For highly critical entities, the upper limit is 10 million euros or 2 percent of the global annual turnover.
  • For important entities, it is 7 million euros or 1.4 percent of the global annual turnover.

The BSI can proactively audit highly critical entities to check whether their reporting processes are functioning. For important entities, supervision is reactive, meaning the BSI acts only when there are specific indications of failures.

In addition to fines, a missed reporting process has operational consequences: The BSI cannot issue a warning to other entities, and the incident remains undetected longer in the sector. Your company loses credibility with customers and partners.

How Proliance supports you in complying with NIS2 reporting obligations

Implementing the NIS2 reporting obligation is complex. The coordination of information security and data protection, in particular, requires a holistic approach.

Proliance therefore offers holistic consulting on NIS2 requirements and reporting obligations, so you can design your processes to ensure that in an emergency, all involved parties know what to do. We also help you properly document processes and reports and train your team, preventing data protection incidents, IT security vulnerabilities, and missed reporting deadlines from occurring in the first place.  

Conclusion: Be well-prepared to avoid missing any NIS2 reporting deadlines

The NIS2 reporting obligation requires regulated companies to react quickly in the event of a security incident. To ensure you don't miss any deadline, from the initial report to the final one, we advise you on how to implement the NIS2 requirements in your company conscientiously and on time.

Do you have further questions on this topic? Our experts will be happy to advise you free of charge.

If you're looking for a partner to support you on your journey to data protection and information security, feel free to contact our team of experienced experts.
Editorial
Sabrina Schaub
Freelance Editor
Leveraging her content expertise, Sabrina supports the Proliance team in communicating complex topics clearly. As a freelance writer, she understands the data privacy requirements across different sectors and translates even complex information into content tailored to specific target audiences.
Stefan Rühl
Information Security Lead
In his role as Head of InfoSec and as an ISO27001 Lead Auditor, Stefan supports our clients with the implementation and optimization of ISMS systems. His specialized area includes establishing BCM environments, emergency and crisis management teams, and developing and testing emergency processes for both SMEs and large corporate structures. Additionally, he advises managing directors and board members on decision-making related to cyber resilience and the optimization of IT organizations.
About Proliance
Proliance stands for Professional Compliance for businesses. We are a digitally driven Legal Tech company based in Munich, established in 2017 and now with over 90 privacy enthusiasts. Our more than 2,500 clients include start-ups, medium-sized businesses, and corporate groups from almost all industries.