Near-Miss Incident
Incident averted — not subject to notification
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
A near-miss incident is an event that could have impaired security but was detected and averted in time. Under NIS2, it is NOT subject to notification, but is valuable for internal lessons learned.
What is a Near-Miss Incident?
Examples:
- Phishing email with a 2% click rate — the IDS blocked all connections
- Brute-force attack on the VPN — prevented by Conditional Access
- Insider attempt at data exfiltration — blocked by DLP
Practical example
An insider attempts to copy 50,000 customer records onto a USB stick. The DLP tool blocks the action and triggers an alert. No data is exfiltrated, so this is a near-miss incident rather than a notifiable incident, but internal insider proceedings are initiated.
Frequently asked questions
Should it nonetheless be documented?
Yes, internally. Important for risk learning and audit evidence.
Is there a reporting obligation for statistics?
No, not under NIS2. ENISA recommendation: a 'Lessons Learned' document.