The 2025 European Commission EU digital omnibus package: The NIS2 Directive

The Digital Omnibus Regulation Proposal introduces targeted amendments to the NIS2 Directive (NIS2). The amendments do not change (i) which entities fall within scope, (ii) the substantive cybersecurity risk-management obligations in Article 21, or (iii) the incident notification obligations in Article 23. Instead, the Proposal focuses on how incident notifications are submitted and routed, how supervisors coordinate, and how the NIS2 notification process interacts with other EU notification regimes, with the stated objective of reducing duplicate reporting while keeping the existing legal thresholds, deadlines and addressees intact. This includes the staged notification model in Article 23(4) and the requirement in Article 23(1) to notify the competent addressee (the CSIRT and/or the competent authority, as applicable under national designation).

Proposals most likely to be adopted and rationale

This section addresses, in turn:

  1. The introduction of a single reporting channel for NIS2 incident notifications; and 
  2. Consequential coordination of reporting obligations where incidents trigger notification duties under multiple EU instruments.

1. Introduction of a single reporting channel for NIS2 incident notifications

The Digital Omnibus Regulation Proposal amends NIS2 by introducing a single EU reporting portal for incident notifications submitted under Articles 23 and 30. Under the Proposal, essential and important entities (as defined in NIS2) would remain subject to the existing notification triggers, content requirements and statutory timelines in Article 23(4), but notifications would be submitted via a single Union-level portal, which would then forward them to the competent national addressees required by NIS2 (CSIRTs and/or competent authorities).

The Proposal envisages ENISA operating the portal as a technical service provider, including performing an initial format/completeness check. To preserve the confidentiality and security model in NIS2, the portal would need to ensure that ENISA’s role is limited to technical operation and transmission, that access to the substance of notifications is restricted to the competent national authorities/CSIRTs who are legally entitled to receive it under NIS2 or another applicable instrument, and that any onward sharing occurs only where (and to the extent) permitted under NIS2 or the relevant parallel regime.

These amendments are likely to be adopted because they do not modify the following existing provisions:

  • The definition of a 'significant incident' under Article 23(3);
  • The obligation to notify without undue delay under Article 23(4); or
  • The information that must be provided to competent authorities under Article 23 (including the baseline content requirements in Article 23(11), and the existing mandate for implementing acts to specify the format of notifications made under Article 23 and voluntary notifications under Article 30).

Instead, the Proposal changes the route for submission in order to address the operational burden created by parallel national and Union-level notification channels.

2. Coordination of incident reporting across EU legal instruments

The Proposal further provides that, where a single incident triggers notification obligations under multiple EU instruments (including NIS2 and Articles 33 and 34 GDPR), the NIS2 reporting portal may be used as a shared submission route, with onward routing to the legally required addressees under each instrument. This is without prejudice to the obligation to comply with the substantive notification requirements, timing obligations and addressees prescribed under each applicable instrument (and without changing the requirement under Article 23(1) NIS2 that notification is made to the relevant CSIRT and/or competent authority).

This is a routing mechanism only. It should not be read as displacing (i) the GDPR requirement to notify the competent supervisory authority under Article 33 GDPR, or (ii) the NIS2 requirement that notification is made to the relevant CSIRT and/or competent authority under Article 23(1) NIS2. In practice, the legal effect will depend on whether the final text deems submission via the portal to be “submission to” the relevant addressee(s) for each regime.

This aspect of the Proposal is likely to be adopted because it is expressly framed as a procedural coordination mechanism, without amending the scope, content, or legal thresholds of the notification obligations laid down in Articles 23 and 30 of NIS2 or Articles 33 and 34 of GDPR. The Proposal is presented as a means of reducing duplicative submissions while preserving the autonomy and enforceability of each underlying legal regime.

Proposals more likely to be challenged or rejected and rationale

This section addresses, in turn:

  1. Confidentiality and access issues arising from the centralisation of incident notifications; 
  2. Legal issues relating to the sequencing of notifications and statutory deadlines under Articles 23 and 30 of the NIS2 Directive; and 
  3. Issues of legal certainty arising from the drafting of the Proposal.

1. Confidentiality and access to information contained in incident notifications (Articles 23 and 30 NIS2)

The Proposal’s introduction of a centralised reporting channel for incident notifications submitted pursuant to Articles 23 and 30 of NIS2 is likely to attract scrutiny in relation to the confidential handling and onward disclosure by competent authorities of information contained in those notifications.

In particular, the Proposal does not amend Article 23(6) NIS2, which requires Member States to ensure that competent authorities, CSIRTs and other bodies receiving information under NIS2 handle it in a manner that preserves confidentiality and protects security interests. NIS2 also provides that an entity may refrain from disclosing information where disclosure may be contrary to essential national security interests, public security or defence; would prejudice investigations; or would be contrary to the commercial interests of the entity.

Against that baseline, Member States are likely to seek clarification, either in the operative provisions or in recitals, as to:

  • Which authorities may access information submitted through the centralised reporting channel;
  • The circumstances in which that information may be shared onward under the NIS2 framework; and
  • The safeguards applicable to information whose disclosure could prejudice security interests or confidential business information.

This element of the Proposal is therefore more likely to be narrowed or supplemented, to ensure that centralised submission does not expand access, change onward-sharing rules, or weaken confidentiality protections that already apply under Article 23 and related provisions across NIS2. In particular, legislators are likely to require express confirmation that ENISA’s role is operational only and does not create an additional 'recipient' of the notification for substantive purposes.

2. Sequencing of notifications and statutory deadlines (Articles 23 and 30 NIS2)

The Proposal’s requirement that incident notifications submitted pursuant to Articles 23 and 30 of NIS2 shall be transmitted through a centralised reporting channel raises issues concerning the sequencing of notifications and compliance with statutory deadlines laid down in those provisions. In practice, these issues arise primarily under Article 23, given that Article 30 concerns voluntary notifications and does not itself impose the staged notification deadlines set out in Article 23(4).

Article 23 establishes a staged notification framework, requiring essential and important entities to submit, upon the occurrence of a significant incident (as defined in Article 23(3)) and in sequence:

  • An early warning, without undue delay and, in any event, within 24 hours of becoming aware of a significant incident;
  • An incident notification within 72 hours;
  • An intermediate report, if requested by a CSIRT or competent authority; and
  • A final report no later than one month after submission of the incident notification, or if the incident is ongoing, a progress report and a final report within one month of the conclusion of incident handling.

Article 30 NIS2 provides for voluntary notifications (including, in summary, notifications of significant incidents, cyber threats and near misses), and, together with Article 23(11), is expressly within the scope of the implementing-act mandate on the format of notifications.

While the Proposal does not amend the text of Articles 23 or 30, it does not clearly state whether submission via the portal counts as notification to the required national addressee(s) for the purposes of Article 23(1), nor how timestamping and proof of submission will work for Article 23(4) deadline purposes. This creates uncertainty as to:

  • Whether the date and time of submission via the centralised channel are determinative for assessing compliance with the deadlines set out in Article 23;
  • How entities are to demonstrate timely notification where transmission through the centralised channel is delayed or unavailable; and
  • How responsibility is allocated where an entity submits a notification within the statutory deadline, but the notification is not received by the competent national authority (or CSIRT) within that period.

These issues are likely to be challenged during negotiations because failure to comply with Article 23 notification timelines is subject to enforcement and penalties under national laws adopted pursuant to Chapter VII of NIS2. Member States are therefore likely to seek amendments or clarifications confirming that submission through the centralised reporting channel shall satisfy the notification requirements of Articles 23 and 30 NIS2, provided that the substantive information requirements are met within the applicable time limits, and that the notification shall be treated as delivered to the proper NIS2 addressee (CSIRT and/or competent authority) under Article 23(1). Expect a “deemed receipt” and timestamping rule in the operative text, together with a clear evidential output (receipt/ID) from the portal.

Absent such clarification, this element of the Proposal is likely to be narrowed or supplemented to ensure legal certainty for entities subject to NIS2 notification obligations.

3. Issues of legal certainty arising from the drafting of the Proposal

The drafting of the Proposal gives rise to issues of legal certainty in relation to the operation of the centralised reporting channel for incident notifications submitted pursuant to Articles 23 and 30 of NIS2.

In particular, while the Proposal introduces a requirement to use a centralised reporting channel, it does not specify the legal consequences where that channel is unavailable, malfunctioning, or subject to technical delay. The Proposal does not address whether, in such circumstances, notification directly to the competent national authority and/or CSIRT remains permissible or required in order to comply with Articles 23 and 30 NIS2, or whether a mandatory ‘dual filing’ fallback would apply (portal attempt plus direct national submission), which would undermine the stated objective of reducing duplicative reporting.

This absence of express fallback rules creates uncertainty as to:

  • The steps an essential or important entity must take to ensure compliance where submission via the centralised channel is technically impossible or delayed;
  • The evidential standard for demonstrating timely notification under Article 23 where the point of failure lies outside the notifying entity’s control; and
  • The allocation of liability where a notification is submitted via the centralised channel but is not received or processed by the competent authority within the statutory deadlines.

From an enforcement perspective, these uncertainties are of material importance because Articles 23 and 30 NIS2 impose directly enforceable obligations, and non-compliance may give rise to administrative measures and penalties under national law implementing Chapter VII of NIS2.

In the absence of clarification, the Proposal risks creating divergent national approaches to enforcement, particularly where authorities take differing views on whether attempted submission via the centralised channel is sufficient to discharge the notification obligation, as opposed to a requirement to notify the CSIRT/competent authority directly under Article 23(1) where the central channel fails.

For that reason, this aspect of the Proposal is more likely to be refined during the legislative process through:

  • Express confirmation that alternative notification routes remain available and lawful where the centralised reporting channel cannot be used;
  • Clarification of the legal effect of submission attempts affected by technical failure or delay (including how compliance is evidenced); and/or
  • Guidance at recital level to ensure consistent interpretation and application across Member States.

In practice, this is likely to take the form of an express fallback route (direct national notification) and a “no detriment” rule where the portal failure is outside the entity’s control and the entity can evidence timely attempted submission.