NIS2 and GDPR Reporting Templates: Harmonising Content, Not Process in EU Incident Reporting

Viewpoints
July 9, 2026
6 minutes

New NIS2 and GDPR reporting templates promise to standardise the information organisations must provide to regulators following cyber incidents and personal data breaches. However, the EU incident reporting process has not changed: organisations must still navigate multiple notifications, national portals and procedural requirements when responding to cross-border incidents. While the reporting templates represent an important step towards greater consistency in EU incident reporting, further procedural reforms are required to reduce the administrative burden on organisations.

On 26 May 2026, the NIS2 Cooperation Group – comprising EU Member States, the European Commission and the European Union Agency for Cybersecurity (“ENISA”) – agreed common templates for reporting significant cyber incidents under the Network and Information Security Directive (“NIS2”) (the “NIS2 Templates”). Shortly afterwards, on 10 June 2026, the European Data Protection Board (“EDPB”) adopted a common template for personal data breach notifications under the General Data Protection Regulation (“GDPR”), which is open for public consultation until 5 August 2026 (the “GDPR Template”).

The NIS2 Templates and the GDPR Template (together, the “Templates”) represent an important step towards greater consistency in EU incident reporting. However, their impact should not be overstated. While the Templates harmonise the information contained in incident reports, organisations responding to cross-border incidents may still be required to make multiple notifications under different legal regimes, to different national competent authorities, using separate national portals and according to different reporting deadlines. 

The Problem: One Incident, Multiple Reporting Obligations

A cloud provider operating across several EU Member States suffers a ransomware attack disrupting services and compromising customer data. The incident is significant and triggers reporting obligations under both the GDPR and NIS2:

  • Under the GDPR, notification to the relevant data protection authorities (“DPAs”) must be made without undue delay and, where feasible, within 72 hours. The one-stop-shop (“OSS”) mechanism allows a company with a main establishment in the EU to file a single notification with its lead supervisory authority. However, an international organisation without a main establishment in the EU is required to notify each relevant national DPA separately, using each authority’s own reporting form and portal. Where notification is required in Germany, this can mean separate submissions to the supervisory authorities of up to sixteen federal states.
  • There is no equivalent to the GDPR’s OSS mechanism under NIS2. The company must submit an early warning within 24 hours, an incident notification within 72 hours and a final report within one month, to each relevant NIS2 national competent authority (“NCA”), using each authority’s own reporting process.

In practice, complying with these notification requirements requires incident response teams to spend valuable time re-entering the same information into multiple forms, logging into multiple national portals and navigating different procedural requirements. The problem is not the obligation to report data incidents; it is the fragmented and duplicative reporting process itself.

The Templates: Harmonising Content, Not Process

The NIS2 Templates

The European Commission plans to adopt the NIS2 Templates through an implementing act, making them mandatory for all Member States. This would allow organisations to prepare a single set of responses that can be adapted and reused across NCAs. However, two important uncertainties remain.

  • The level of detail required by the NIS2 Templates is not yet known. It remains to be seen whether they will simply standardise existing requirements or introduce additional information requests that could increase the burden on organisations during an incident.
  • The submission process for the NIS2 Templates is yet to be determined. The NIS2 Templates could significantly reduce administrative effort if supported by interoperable systems, but separate national portals and duplicate submissions could leave much of the existing administrative burden unchanged.

The GDPR Template

The practical impact of the GDPR Template is narrower than that of the NIS2 Templates for three reasons:

  • Adoption of the GDPR Template is voluntary. There are no plans for an implementing act requiring all Member States to adopt the GDPR Template. Its effectiveness will therefore depend on consistent uptake by national DPAs. If some DPAs adopt the GDPR Template while others retain existing forms, the content requirements for personal data breach notifications will continue to vary across Member States.
  • The GDPR Template offers limited benefit for organisations that can rely on the OSS. Where organisations already submit a single personal data breach notification to their lead supervisory authority, the main benefit of a harmonised template is limited.
  • The GDPR Template may increase reporting complexity. The GDPR Template requires a greater level of detail than the minimum breach reporting requirements under Article 33 of the GDPR. While this may assist regulators in assessing risks, it also increases the information organisations must gather within the 72-hour notification period. There is a risk that the GDPR Template becomes closer to a regulatory questionnaire than a notification form.

Overall, the GDPR Template is likely to provide the greatest benefit to organisations without an EU main establishment that must notify multiple DPAs. If adopted consistently across Europe, it could allow those organisations to prepare a single notification that can be reused across authorities. However, because adoption remains voluntary, that outcome cannot be guaranteed.

As with the NIS2 Templates, the GDPR Template harmonises the information requested rather than the process for submitting notifications. Organisations may still need to access multiple national portals and make separate submissions.

Harmonising Content, Not Process

The Templates should, to varying degrees, replace divergent national forms with standardised reporting formats, allowing organisations to prepare a single set of responses that can be adapted and reused across multiple notifications.

However, the Templates do not eliminate the multiple portals, logins and submissions that consume valuable time during the immediate response phase of a cyber incident. The NIS2 Templates represent a greater step towards consistency because their implementation will be mandatory across Member States. However, the administrative burden will ultimately depend not only on standardising the information requested, but also on simplifying the process through which organisations submit it.

Next Steps: Harmonising Content and Process

Ask any organisation that has suffered a breach what an ideal reporting system would look like and the answer will be the same: complete one notification form for each reporting regime, log into a single portal, select the relevant authorities and press submit. 

This is the objective of the proposed “single-entry point” (“SEP”) system included within the European Commission’s Digital Omnibus package. The SEP would be developed and maintained by ENISA and would provide a secure interface through which organisations could fulfil reporting obligations under the GDPR, NIS2, and other sector-specific legislation, including the Digital Operational Resilience Act and the Critical Entities Resilience Directive. 

Ultimately, the Templates and the SEP are complementary rather than competing reforms, since authorities cannot receive the same notification through a common portal unless they first agree on what information that notification should contain. As such, the Templates are a foundation, and the SEP has the potential to address the remaining procedural burden.

What Organisations Should Do Now

The Templates are welcome developments that should make incident reporting more predictable and, particularly under NIS2, substantially more consistent across Member States. However, while they harmonise reporting content, they do not harmonise reporting process.

Accordingly, organisations should:

  • Monitor the outcome of the EDPB's consultation on the GDPR Template and the European Commission's implementing act for the NIS2 Templates.
  • Review incident response procedures to ensure that information gathered during investigations can support multiple reporting regimes.
  • Map the competent authorities, reporting portals and procedural requirements that may apply to cross-border incidents.
  • Structure incident information in a consistent, reusable format capable of supporting notifications under multiple legal regimes.
  • Prepare for further convergence if the SEP is implemented.

Subscribe to Ropes & Gray Viewpoints by topic here.