NIS2 Scope, Dual Reporting & Simplification
NIS2 applies to essential and important entities across sectors including energy, transport, health, digital infrastructure, public administration, and ICT service management. The AI system’s cybersecurity controls should be built on top of the organisation’s NIS2 compliance framework, adding AI-specific threat modelling, AI-specific testing, and AI-specific incident response procedures as extensions. Module 9 references the organisation’s NIS2 risk management measures where they apply and documents the AI-specific extensions.
Dual reporting coordination is required because a single cybersecurity event can trigger both NIS2 and AI Act reporting obligations. NIS2’s 24-hour early warning and Article 73’s 2/10/15-day timelines run in parallel. Content across both reports must be consistent; the shared incident fact sheet and regime-specific annexes provide this consistency.
Article 73(9) provides a simplification: entities subject to NIS2 are limited to reporting fundamental rights infringements under Article 3(49)(c) through the AI Act; other serious incident categories are reported through NIS2. The Legal and Regulatory Advisor confirms whether the NIS2 transposition in the relevant member state covers the incident categories that Article 73 would otherwise require, and documents the determination. If the entity is not subject to NIS2, this article is documented as not applicable.
Key outputs
- NIS2 scope determination and framework integration
- Dual reporting coordination with content consistency
- Article 73(9) simplification analysis and documentation
- Module 9 AISDP documentation