Incident (NIS2)
Section 31 BSIG — notifiable security incident
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information, please consult a licensed lawyer.
TL;DR
An incident under NIS2 is, in accordance with Section 31 BSIG, an event that actually impairs the security of network and information systems. For 'significant' incidents, the 24/72/30 notification obligation applies (24-hour initial notification, 72-hour update, 30-day final report).
What is an Incident under NIS2?
Significance thresholds (Section 32(2) BSIG):
- Serious impact on the provision of services
- Material impact on other persons
- Reputational damage / financial loss exceeding EUR 100,000
Practical example
Ransomware encrypts servers. Incident: yes (the security of the affected network and information systems is actually impaired). Significant: yes (service outage exceeding 1 hour). The 24-hour initial notification to the BSI is mandatory.
Frequently asked questions
What does 'significant' mean?
BSI guidance of 02/2026: service outage exceeding 30 minutes, data loss exceeding 1,000 records, or financial loss exceeding EUR 100,000.
Notification deadline?
24-hour initial notification, 72-hour update, 30-day final report.
Fine for failure to notify?
Under Section 60 BSIG, up to EUR 10 million / 2%.