In brief: Approximately 29,500 EU companies must centrally report cyber incidents under NIS2 and must align their reporting processes accordingly.
The EU’s NIS2 Directive obligates approximately 29,500 companies to report cybersecurity incidents. These companies must henceforth centrally document security breaches and attacks and report them to authorities.
Currently, approximately 29,500 companies in the EU fall under the reporting obligation of the NIS2 Directive (Network and Information Security). The Directive requires operators of critical infrastructure and certain companies in the digital economy to document cybersecurity incidents in a structured way and report them to national authorities.
For compliance officers, this means in concrete terms: every relevant incident must be recorded and reported in a timely manner. The requirements apply to sectors such as energy, transport, water, health and the financial sector, as well as to providers of digital services and their critical services. The Directive also defines thresholds below which reporting can be omitted, but these are narrowly defined and must be evaluated for each incident individually.
Companies should therefore review their reporting processes, establish clear escalation chains and align internal documentation systems with EU requirements. Sector-specific categorizations and size specifications can be used to determine whether your own company is affected.
Source: news.google.com · Published May 29, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.3.