Fill in the form to access the operational guide. You will also receive the notification templates by email.
NIS2 and GDPR obligations compared
Exact notification timelines
Checklist of what to communicate and to whom
Printable — optimised A4 format
In the event of a significant cyber incident, parallel notification obligations may exist towards multiple authorities: CSIRT-IT (for NIS2 entities) and the Data Protection Authority (for incidents involving personal data). The two notifications have different timelines and require different content.
TIMELINE — Who to notify and when
| Timeline |
NIS2 Notification → CSIRT-IT |
GDPR Notification → DPA |
| Within 24h |
Early Warning: incident, type, initial impact, measures taken |
Not required (except in urgent cases) |
| Within 72h |
Formal notification with preliminary assessment |
✓ Mandatory notification if personal data is involved |
| Within 30 days |
Final report with full analysis |
Update if requested by the DPA |
NIS2 — What to assess before notifying
Is the organisation an essential or important NIS2 entity?
Has the incident caused or is it likely to cause a significant disruption to the service provided?
Has the incident caused or is it likely to cause significant financial losses?
Has the incident affected or is it likely to affect other organisations or individuals?
If at least one of these criteria is met: the incident IS significant → notification is mandatory
NIS2 EARLY WARNING (within 24h) — What to include
Date and time of incident detection
Type of incident (ransomware, data breach, DDoS, etc.)
Systems and services affected
Preliminary operational impact
Containment measures already taken
Contact details of the CSIRT Contact Point
GDPR NOTIFICATION (within 72h) — What to include
Nature of the breach (type of data, estimated number of data subjects)
Categories of personal data involved (ordinary, special category, criminal)
Contact details of the DPO (if appointed)
Likely consequences of the breach
Measures taken or proposed to address the breach
Risk assessment for the data subjects
If high risk to data subjects → obligation to also notify the data subjects
NIS2 FINAL REPORT (within 30 days) — What to include
Detailed description of the incident (complete timeline)
Type and severity of the incident
Root causes (root cause analysis)
Measures taken and their effectiveness
Cross-border impact (if any)
Lessons learned and preventive measures for the future