preloader

· digital-security gdpr nis2 dora compliance europe regulation

The EU Wants One Portal for Every Cyber Incident Report. Here Is What Changes Under GDPR, NIS2, and DORA

Source: Bird & Bird

Anyone who has actually run an incident response process under overlapping EU regimes knows the current problem well. A single ICT incident at a bank can simultaneously trigger a DORA initial notification to the national competent authority within four hours, a NIS2 early warning to the national CSIRT within 24 hours, and a GDPR personal data breach notification to the data protection authority within 72 hours, each using a different template, a different portal, and a different legal test for what counts as reportable. The Digital Omnibus package now working through the EU legislative process aims to collapse that into one submission.

How the single entry point is meant to work

The proposal introduces a new Article 23a into the NIS2 Directive, establishing a single entry point (SEP) with ENISA, the EU’s cybersecurity agency, playing a central operational role. An organisation experiencing an incident would submit one report, and the system would route it to whichever authorities actually need it, under NIS2, GDPR, DORA, eIDAS, and the Critical Entities Resilience (CER) Directive, rather than requiring separate submissions to each.

Alongside the routing mechanism, the GDPR side of the equation changes too. Personal data breach notifications would move onto the single entry point, with the reportability threshold aligned more closely to “high risk” and the notification deadline extended from the current 72 hours to 96 hours. For any organisation that has ever scrambled a legal and security team through a weekend to hit the 72-hour GDPR clock, that extra day is a meaningful, if modest, relief.

This is “report once, share many,” not “report less”

It is worth being precise about what actually simplifies here. The single entry point reduces the number of places you submit a report and the duplication of drafting the same facts into four different formats. It does not reduce your substantive reporting obligations, the underlying tests for what counts as a NIS2 significant incident, a DORA major ICT incident, or a GDPR high-risk breach remain distinct and still all apply. What changes is the administrative burden of the submission process itself, and the reduced risk of inconsistent reporting to different authorities because the drafting happened separately under time pressure.

Timeline: this is a proposal, not yet law

The Digital Omnibus package remains under negotiation between the Council and Parliament, and the incident reporting provisions are part of that ongoing process rather than settled legislation. Once the measures do enter into force, the single entry point requirement under NIS2, eIDAS, DORA, CER, and GDPR is set to apply 18 months later, extendable to 24 months if the European Commission’s own assessment finds the entry point does not yet meet the integrity, reliability, and confidentiality standards required to actually route sensitive incident data safely between authorities.

What to do now, even before this becomes law

Waiting for the final text before acting is the wrong instinct here. If your incident response runbook currently treats GDPR, NIS2, and DORA notification as three separate workstreams with three separate owners, start consolidating the underlying facts-gathering process now, the same incident timeline, scope, and impact assessment feeds all three reports regardless of how many portals you submit them to. Organisations that already have a single internal incident narrative that gets adapted per regulator will have far less to change when the single entry point arrives than those still running three disconnected processes.

If you need help auditing your current multi-regime incident reporting process, or building an incident response runbook that will map cleanly onto the EU’s single entry point when it arrives, contact Excello Digital. We help European organisations turn overlapping compliance obligations into one workable process instead of three.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.

Get in touch!