In a nutshell: The NIS2 law mandates reporting of cybersecurity incidents within 24 hours and backs enforcement with high fines.
The NIS2 law provides for a reporting obligation for significant security incidents within 24 hours and threatens fines of up to €10 million. The regulation implements the EU directive for companies in critical sectors.
The NIS2 law (Directive on Network and Information Security) requires operators of critical infrastructure and certain companies to report significant cybersecurity incidents to the competent authorities promptly, and no later than 24 hours. This deadline applies to the initial report following the discovery of an incident.
Violations of the reporting obligation and other requirements of the NIS2 law can be penalized with administrative fines of up to €10 million, depending on the severity and extent of the breach. The law provides for graduated penalties and takes into account compliance efforts and the extent of damage.
For compliance officers, this means that incident reporting processes must be established with clear escalation chains, defined responsibilities, and documented time tracking. Organizations must review their incident response capabilities and ensure that the 24-hour deadline is reliably met.
Source: news.google.com · Published 1 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.2.