The NIS Cooperation Group adopted common templates for cyber incident reporting on 26 May 2026, during its 39th plenary meeting in Cyprus. The European Commission plans to adopt these templates through an implementing act, making them mandatory for all member states.
For organisations in scope of the NIS2 Directive (Directive (EU) 2022/2555), the practical takeaway is clear: the incident reporting process you build today will soon need to follow a Europe-wide standard format.
What the templates solve
Until now, each member state could require its own reporting format. A company operating across multiple EU countries had to fill out different forms with different fields for the same incident. The unified templates eliminate this friction by establishing a common data structure across the entire union.
The templates cover all reporting phases defined in NIS2 Article 23:
- Early warning (24 hours) — indication of whether the incident involves unlawful or malicious acts and whether it could have cross-border implications.
- Incident notification (72 hours) — updated assessment covering severity, impact, and available indicators of compromise.
- Intermediate report (on request) — status updates when requested by the CSIRT or competent authority during incident handling.
- Final report (30 days) — detailed description of the incident, probable root cause, mitigation measures applied, and cross-border impact.
Context for Slovakia
In Slovakia, incident reporting is governed by NBU Decree 226/2025, effective since 1 September 2025. It defines severity criteria (affected users, outage duration, confidentiality impact) and reporting requirements towards SK-CERT. The new European templates do not replace this decree — they complement it with a standardised format that simplifies cross-border communication.
Organisations registered in JISKB since March 2025 face a 24-month deadline for their first external audit. Most essential entities will be audited by March 2027. Auditors will assess incident reporting readiness — including the ability to meet deadlines and populate the required fields.
Connection to the Digital Omnibus
The templates are part of broader simplification efforts under the Digital Omnibus package. The Commission is developing a single-entry point for incident reporting, where an organisation submits one report and the system distributes it to the relevant authorities. The goal is reducing administrative burden without compromising response speed.
How to prepare
While the implementing act does not yet have a fixed effective date, organisations should not wait. Incident reporting is one of the areas that audits under Decree 227/2025 evaluate. We recommend:
- Map your internal process from detection to reporting — who decides on severity, who fills out the report, who communicates with SK-CERT.
- Adopt a reporting template that covers Article 23 fields (severity, impact, indicators of compromise, mitigation measures, cross-border dimension).
- Test the process with a tabletop exercise — a simulated incident under 24/72-hour time pressure reveals weaknesses faster than a paper review.
- Ensure your ITSM tool (ticketing system) can export data in a structure compatible with the future mandatory format.
When the implementing act takes effect, organisations with an established process will only need a technical format adjustment — not a ground-up rebuild.