The NIS Cooperation Group — comprising EU member states, the European Commission, and the EU Agency for Cybersecurity (ENISA) — has adopted common templates for cybersecurity incident reporting under the NIS2 Directive. The templates were agreed at the group's 39th plenary meeting in Cyprus on 26 May 2026 and are designed to provide a single, uniform format for reporting significant incidents across all member states.
The practical problem the templates address is fragmentation. Under NIS2, essential and important entities must report significant incidents through a tiered timeline — an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. Until now, the format and fields for those reports have varied between national authorities, creating a disproportionate burden for organisations operating across multiple member states, which have had to map the same incident onto different national structures. By harmonising the reporting fields, the common templates aim to make compliance simpler and more consistent, and to ease the position of entities reporting the same incident in several jurisdictions.
The templates are not yet binding. As a next step, the European Commission intends to adopt them through an implementing act, which would make them mandatory for all member states. Once that step is complete, organisations within the scope of NIS2 will have a predictable, standardised structure to work from when an incident occurs — removing one source of friction from an already time-pressured process. The Commission has framed the measure as part of a broader simplification agenda, and it aligns with the proposed single entry point for incident reporting under the Digital Omnibus initiative, which would allow a single notification to satisfy obligations across the GDPR, NIS2, DORA, and other frameworks.
For compliance teams, the immediate value is in preparation. Even before the implementing act is adopted, organisations can review their incident response procedures against the structure of the common templates, ensuring that the information the templates require — the nature of the incident, its cross-border impact, the categories of affected systems and data — is captured and retrievable at speed. The 24-hour early warning window leaves little room to assemble information that has not been mapped in advance.
Acompli perspective: Harmonised templates reduce the friction of reporting, but they do not reduce the underlying obligation to detect, assess, and report incidents on a tight timeline. The organisations that will benefit most are those whose internal procedures already capture the information the templates require. A risk management framework that maps reporting obligations to incident types, supported by records of processing that identify which systems process personal data and accurate third-party risk records for supplier-originated incidents, is what turns a standardised template into a fast, defensible submission. Where an incident triggers both NIS2 and GDPR duties, the coherence of those underlying records is what keeps concurrent reports consistent.