Incidents

An incident is an event that actually happened — not just a potential risk. Logging incidents lets you understand what happened, correct it, prove how you handled it and, under NIS2, notify the authorities within the legal deadlines.

Risk vs Incident
Risk

"What might happen." Probability × impact, treated with controls.

Incident

"What did happen." Specific date, real consequences, post-mortem.

An incident often reveals a risk you underrated — or a control that wasn't working. The post-incident review is valuable: link the incident to the relevant risks and review them.
Severity levels
Low
Minor, contained impact. No data touched. E.g. DDoS attempt blocked by Cloudflare, EDR false positive.
Medium
Contained but visible impact. Brief outage, degradation. E.g. limited GDPR mis-send, multi-hour ERP outage.
High
Significant impact. Possible regulator notification. E.g. M365 account compromise, ex-employee access not revoked.
Critical
Major compromise. Mandatory CCB (NIS2) or DPA (GDPR) notification. E.g. ransomware, massive data leak, stolen unencrypted laptop.
NIS2 / GDPR deadlines to know
24h
Early CCB warning

For significant NIS2 incidents: initial alert to the competent authority within 24h of awareness. Minimal format (who, what, type).

72h
Detailed notification

Full initial assessment: scope, impact, measures taken. Same for GDPR: 72h to notify the DPA if personal data was breached.

1 mo.
Final report

Full description, root cause, corrective measures, lessons learned.

Important: NIS2YOU does not automatically transmit to authorities — that's a human, legal responsibility that cannot be delegated to a tool. NIS2YOU helps you track and document your incident to prepare the notification on time.
Who to notify, by country

Competent authorities differ from country to country. Here are the contact points for NIS2YOU's target markets.

🇧🇪 Belgium
  NIS2 incident (24h / 72h / 1 month): CCB, via Safeonweb@work
  GDPR data breach (72h): DPA
  Incident assistance: CERT.be

🇫🇷 France
  NIS2 incident (24h / 72h / 1 month): ANSSI, via MonEspaceNIS2
  GDPR data breach (72h): CNIL
  Incident assistance: CERT-FR · cybermalveillance

🇱🇺 Luxembourg
  NIS2 incident (24h / 72h / 1 month): ILR + HCPN
  GDPR data breach (72h): CNPD
  Incident assistance: CIRCL

🇳🇱 Netherlands
  NIS2 incident (24h / 72h / 1 month): NCSC-NL (CSIRT-DSP for digital service providers)
  GDPR data breach (72h): AP
  Incident assistance: DTC

If your customers are in multiple EU countries, the general GDPR rule is to notify the regulator of the country where your main establishment is located (one-stop-shop). For NIS2, you notify the authority of the country where you are registered as an essential / important entity.
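The deadlines and contact points above can be turned into a small planner that, from the moment of awareness, lists every notification an incident obliges and flags the ones that are already overdue. The script below is an added illustration and not NIS2YOU's own code: the 24h / 72h / 1 month deadlines and the contact points are the ones listed on this page; the class names, the two yes/no flags that trigger an obligation (whether the incident is "significant" under NIS2 is a human judgement, not something derived from the severity level), the calendar-month rule used for the final report, and the sample incident are assumptions made for the example. It goes slightly beyond the page by running the NIS2 and GDPR clocks together and reporting what is overdue.

```python
"""Plan the notification deadlines for a logged incident.

Added illustration, not NIS2YOU's own code. The deadlines (24h, 72h, 1 month)
and the contact points are the ones listed on this page; the class names, the
two yes/no flags that trigger an obligation and the calendar-month rule used
for the final report are assumptions made for the example.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Contact points as listed on this page, keyed by ISO country code.
AUTHORITIES = {
    "BE": {"nis2": "CCB (via Safeonweb@work)", "gdpr": "DPA", "assist": "CERT.be"},
    "FR": {"nis2": "ANSSI (MonEspaceNIS2)", "gdpr": "CNIL", "assist": "CERT-FR / cybermalveillance"},
    "LU": {"nis2": "ILR + HCPN", "gdpr": "CNPD", "assist": "CIRCL"},
    "NL": {"nis2": "NCSC-NL (CSIRT-DSP for digital service providers)", "gdpr": "AP", "assist": "DTC"},
}


def add_one_month(when: datetime) -> datetime:
    """Same day next month, clamped to that month's length (31 Jan -> 28 Feb). Assumed rule."""
    year, month = (when.year + 1, 1) if when.month == 12 else (when.year, when.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return when.replace(year=year, month=month, day=min(when.day, last_day))


@dataclass(frozen=True)
class Notification:
    authority: str
    what: str
    due: datetime


@dataclass
class Incident:
    title: str
    aware_at: datetime            # when the entity became aware; must be timezone-aware
    country: str                  # where the entity is registered / has its main establishment
    nis2_significant: bool        # "significant incident" under NIS2: a human decision, not derived from severity
    personal_data_breached: bool  # personal data affected, so the GDPR clock also runs
    linked_risks: tuple = ()      # IDs of the risks this incident materialised (for the post-mortem)

    def __post_init__(self) -> None:
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware; deadlines are computed from it")
        if self.country not in AUTHORITIES:
            raise ValueError(f"no contact point configured for country {self.country!r}")

    def notifications(self) -> list[Notification]:
        """Every notification this incident obliges, earliest deadline first."""
        auth = AUTHORITIES[self.country]
        plan: list[Notification] = []
        if self.nis2_significant:
            plan += [
                Notification(auth["nis2"], "early warning", self.aware_at + timedelta(hours=24)),
                Notification(auth["nis2"], "detailed notification", self.aware_at + timedelta(hours=72)),
                Notification(auth["nis2"], "final report", add_one_month(self.aware_at)),
            ]
        if self.personal_data_breached:
            plan.append(Notification(auth["gdpr"], "data breach notification",
                                     self.aware_at + timedelta(hours=72)))
        return sorted(plan, key=lambda n: n.due)  # stable sort: equal deadlines keep insertion order

    def overdue(self, now: datetime, sent: tuple = ()) -> list[Notification]:
        """Deadlines already passed that the team has not recorded as sent."""
        return [n for n in self.notifications() if n.due <= now and n.what not in sent]


# Constructed sample: a Belgian entity hit by ransomware, aware at 09:00 UTC on 31 January 2025.
SAMPLE = Incident(
    title="Ransomware on file server",
    aware_at=datetime(2025, 1, 31, 9, 0, tzinfo=timezone.utc),
    country="BE",
    nis2_significant=True,
    personal_data_breached=True,
    linked_risks=("R-12",),  # hypothetical risk ID
)


def demo_plan() -> list[Notification]:
    return SAMPLE.notifications()


def demo_overdue() -> list[Notification]:
    """80 hours after awareness, with only the early warning recorded as sent."""
    return SAMPLE.overdue(SAMPLE.aware_at + timedelta(hours=80), sent=("early warning",))


if __name__ == "__main__":
    for n in demo_plan():
        print(f"{n.due:%Y-%m-%d %H:%M} UTC  {n.what:<26} -> {n.authority}")
```

Two design points worth keeping in a real tracker: the clock starts from the moment of awareness (not from the attacker's first action, and not from the day the ticket was filled in), so that timestamp must be captured explicitly and in a timezone; and the obligation to notify is recorded as a decision taken by a person, which the tool then tracks, in line with the note above that transmission to the authorities is a human, legal responsibility.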
Best practices
  • Declare first, investigate later. Don't waste time understanding everything before logging — you can always update.
  • Log near-misses too. They reveal failing controls before things actually break.
  • Link each incident to the risks it materialised — useful for the post-mortem.
  • Distinguish root cause (what enabled the incident) from symptom (what was observed). Root cause informs which controls to add.