Significant Incident
EU NIS2 Article 23 — reportable serious incident
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
Significant Incident is the EU term (NIS2 Article 23), implemented in Germany as 'erheblicher Vorfall' (Section 32 BSIG). Thresholds: serious service impairment, material/immaterial damage, impact on third parties.
What is a Significant Incident?
Significance criteria (BSI 02/2026):
- Service outage >30 min
- Data loss >1,000 records
- Damage >EUR 100,000
- Impact on third parties (customers, suppliers)
Practical example
Ransomware that causes a 6-hour service outage is a significant incident. The reporting sequence is an initial notification within 24 hours, an update with damage assessment within 72 hours, and a final report within 30 days.
Frequently asked questions
Fine for failure to report?
Section 60 BSIG: fines of up to EUR 10 million / 2%, plus additional reputational damage.
EU coordination?
For sectoral incidents, ENISA coordinates at EU level.