NIS2, DORA, and GDPR each want an incident report. Send the same one.
EU compliance keeps adding deadlines, not bureaucracy budget. NIS2 went live in October 2024. DORA went live January 2025. GDPR has been there since 2018. Each requires incident reporting on different timelines and to different bodies.
Most SMEs are juggling three half-built reporting flows. The first one that triggers tends to be the rushed one.
The pattern I run with clients:
- Build one incident log. Single source. Every data incident gets recorded here within the hour.
- Make it structured. Fields for: incident time, detection time, systems affected, data categories involved, scope of users impacted, severity classification, initial cause hypothesis.
- The same log feeds all three regs. NIS2 wants the 24-hour early warning. DORA wants the 4-hour notification (for financial entities). GDPR wants the 72-hour breach notification when personal data is involved.
- Route the same structured log through three different report templates. Templates are 20 lines of code each.
The thing nobody plans for: NIS2’s 24-hour early warning has to go out before you fully understand the incident. The first version is incomplete by design. You file an update within 72 hours.
If your team is set up to file only when “we have all the facts,” you’ll miss the deadline every time. Build for fast partial reports, then update.
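The one-log, three-templates pattern above, including the deliberately partial first report NIS2 forces, as an added Python example (not the author's client tooling or any regulator's schema); the Incident fields, the template contents and the sample record are assumptions for illustration, and the hour values are the ones the post quotes:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Incident:
    """One row of the single incident log. Field names follow the post's list;
    the schema is an assumption for this example, not any regulator's form."""
    incident_time: datetime
    detection_time: datetime
    systems_affected: list
    data_categories: list              # e.g. ["personal", "payment"]
    users_impacted: int
    severity: str                      # low / medium / high / critical
    cause_hypothesis: str = "unknown"  # may stay unknown in the first report
    financial_entity: bool = False     # DORA clocks only run for financial entities

def deadlines(inc: Incident) -> dict:
    """Reporting clocks this record starts, all measured from detection time."""
    clocks = {"nis2_early_warning": inc.detection_time + timedelta(hours=24),
              "nis2_update": inc.detection_time + timedelta(hours=72)}
    if inc.financial_entity:
        clocks["dora_initial"] = inc.detection_time + timedelta(hours=4)
    if "personal" in inc.data_categories:
        clocks["gdpr_breach"] = inc.detection_time + timedelta(hours=72)
    return clocks

def render(regime: str, inc: Incident, final: bool = False) -> dict:
    """Route one record through a template; a first report is marked preliminary and names its unknowns."""
    common = {"detected_at": inc.detection_time.isoformat(),
              "systems": inc.systems_affected,
              "severity": inc.severity,
              "status": "final" if final else "preliminary",
              "open_points": ["cause"] if inc.cause_hypothesis == "unknown" else []}
    if regime == "nis2":
        return {"report": "NIS2 update" if final else "NIS2 early warning", **common}
    if regime == "dora":
        return {"report": "DORA initial notification",
                "clients_affected": inc.users_impacted, **common}
    if regime == "gdpr":
        return {"report": "GDPR breach notification", "data_subjects": inc.users_impacted,
                "categories": inc.data_categories, **common}
    raise ValueError(f"unknown regime: {regime}")

def reports_due(inc: Incident) -> dict:
    return {k.split("_")[0]: render(k.split("_")[0], inc) for k in deadlines(inc)}

SAMPLE = Incident(  # constructed sample record, not a real incident
    incident_time=datetime(2025, 3, 1, 9, 0), detection_time=datetime(2025, 3, 1, 10, 0),
    systems_affected=["crm"], data_categories=["personal"], users_impacted=1200,
    severity="high", financial_entity=True)
```

Calling `reports_due(SAMPLE)` yields the NIS2, DORA and GDPR drafts from the same row; re-render with `final=True` once the cause is filled in for the 72-hour update.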
The compliance load is real but the engineering work is small. One log + three templates + clear ownership of who hits “send.”
Is your data incident log structured enough to file three reports from?
