A two-part practical guide for EMEA IT leaders


The prospect that your business may be targeted maliciously is sadly no longer an edge case but an everyday reality facing any modern business. No matter your size or profile, bad actors will exploit opportunities to take your business hostage for financial gain.

In part one we discussed how NIS2 legislation places a large importance on business continuity and how the right processes and backup tools can help in response to ransomware and other cybersecurity incidents.

However, there is another crucial part of any security response: the obligation to report the incident to the relevant authorities. Here we look at some of those obligations.

While it may be tempting to prioritise resolving the breach, the countdown begins the moment you become aware that your systems have been compromised, not when the investigation finishes. Timelines are stringent, so this is not something to work out during the response. It needs to be embedded in your processes, with clear expectations on who carries out the required reporting and to whom.

The clock is ticking — it’s time to report the breach

It’s important to remember that in some cases you need to notify the relevant body within 24 hours of becoming aware of an incident, and in some scenarios in as little as four.

Here is the key legislation that may affect your organisation.

GDPR/UK GDPR – 72 hours

Who: Any data controller doing business within the EU or UK respectively.

If you discover a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority needs to be notified within 72 hours of you becoming aware of it.

That may be an intentional breach of your systems that gave access to customer data, or an accidental issue such as the loss of a hard drive containing personal data. The key judgement is whether individuals may be adversely affected by the consequences. Where the breach is likely to result in a high risk to individuals, you must also inform the affected individuals themselves without undue delay.

If you’re in doubt whether your incident reaches the reporting threshold, begin the countdown anyway and err on the side of caution. Record everything you do as part of your response, and make contact before the 72 hours is up. If you cannot provide all the information at once, the notification can be made in phases, but the reasons for any delay must be documented and given to the authority.

NIS2 – 24 hours

Who: NIS2 is EU legislation focused on entities it classes as “essential” or “important,” to minimise disruption to vital sectors and infrastructure. However, you may be indirectly affected if you are a key part of the supply chain of an entity that does fall under NIS2 regulation.

For significant incidents (not only data breaches), an early warning must be submitted within 24 hours to the member state’s CSIRT (computer security incident response team) or competent authority. A fuller incident notification is then due within 72 hours of becoming aware, and a final report within one month of that notification.

If you are a provider in the supply chain of a NIS2 entity, you don’t have a direct requirement to report an incident to the authorities, but you should let your customer know, and the timeframe for doing so may be specified in your contract.

The UK also has its own NIS regulations, which require a report to the relevant competent authority (the ICO in the case of relevant digital service providers) within 72 hours of becoming aware of any incident that has a substantial impact on the provision of the service.

DORA – 4 hours

Who: Financial entities operating within the EU. That includes (but is not limited to) banks, insurers and payment institutions. However, much as NIS2 can extend beyond the companies directly in scope, DORA also brings critical ICT third-party providers under its oversight.

Under DORA, the reporting duty is triggered by ICT-related incidents classified as “major.” The initial notification is due within four hours of classifying the incident as major, and in any case no later than 24 hours from the moment the entity became aware of it. In practice that means the later the classification happens, the less of the four-hour window remains: an incident classified 22 hours after detection leaves two hours, not four.

An intermediate report is then due within 72 hours of the initial notification, and a final report within one month of the intermediate report.

Other legislation

There are other regional requirements, with countries such as the UAE and Saudi Arabia each having their own Personal Data Protection Law (PDPL). This highlights the need to understand the legislation in every country you operate in, and to recognise that your response may differ depending on location.

The potential trifecta of reporting

For some companies it may be that a single incident must be reported under GDPR, NIS2 and DORA. Each has a different reporting pathway, a different recipient and a different timescale, and the clocks run in parallel from the moment you become aware.

This highlights the very real need to have clear processes, with clear responsibilities outlining who does what and when. The ramifications of not doing so could be costly.
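As an added example, not part of the original post: a small Python deadline calculator for an incident that falls under GDPR, NIS2 and DORA at once. It encodes the timelines as described above, including the DORA rule that the initial notification is due four hours after classification as major but never later than 24 hours after awareness, and chains each regime’s later reports from the preceding one. It treats “one month” as 30 days; that simplification, the constant and function names, and the sample timestamps are the example’s own assumptions, not anything from a regulator.

```python
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)
# The regulations say "one month"; this example approximates that as 30 days.
# Check the exact calendar rule with your authority before relying on it.
MONTH = timedelta(days=30)

# Constructed scenario for the demo below (not a real incident):
# awareness at 09:00 UTC, classified as a major DORA incident at 20:00 the same day.
EXAMPLE_AWARE = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
EXAMPLE_MAJOR = datetime(2025, 3, 3, 20, 0, tzinfo=timezone.utc)


def reporting_deadlines(aware_at, regimes, classified_major_at=None):
    """Return [(deadline, regime, obligation)] sorted by deadline.

    aware_at            -- when the organisation became aware of the incident
    regimes             -- any of "GDPR", "NIS2", "DORA" that apply
    classified_major_at -- for DORA, when the incident was classified as major
                           (None while classification is still pending)
    """
    if aware_at.tzinfo is None:
        raise ValueError("use timezone-aware datetimes; incidents cross borders")
    regimes = {r.upper() for r in regimes}
    deadlines = []

    if "GDPR" in regimes:
        # Notify the supervisory authority within 72h of becoming aware.
        deadlines.append((aware_at + 72 * HOUR, "GDPR", "notify supervisory authority"))

    if "NIS2" in regimes:
        early_warning = aware_at + 24 * HOUR
        notification = aware_at + 72 * HOUR
        deadlines += [
            (early_warning, "NIS2", "early warning to CSIRT / competent authority"),
            (notification, "NIS2", "incident notification"),
            (notification + MONTH, "NIS2", "final report"),
        ]

    if "DORA" in regimes:
        # Initial notification: 4h from classification as major, capped at 24h from
        # awareness. Until classified, the cap is the only deadline we can state.
        outer_bound = aware_at + 24 * HOUR
        if classified_major_at is None:
            initial = outer_bound
        else:
            if classified_major_at < aware_at:
                raise ValueError("classification cannot precede awareness")
            initial = min(classified_major_at + 4 * HOUR, outer_bound)
        intermediate = initial + 72 * HOUR
        deadlines += [
            (initial, "DORA", "initial notification (major incident)"),
            (intermediate, "DORA", "intermediate report"),
            (intermediate + MONTH, "DORA", "final report"),
        ]

    # Stable sort: ties keep insertion order, so same-time duties stay grouped sensibly.
    deadlines.sort(key=lambda d: d[0])
    return deadlines


def hours_left(deadline, now):
    """Whole hours remaining before a deadline (negative once it has passed)."""
    return int((deadline - now).total_seconds() // 3600)


def runbook(aware_at, regimes, now, classified_major_at=None):
    """Render the deadline list as runbook lines, flagging anything already overdue."""
    lines = []
    for when, regime, what in reporting_deadlines(aware_at, regimes, classified_major_at):
        left = hours_left(when, now)
        status = "OVERDUE" if left < 0 else f"{left}h left"
        lines.append(f"{when:%Y-%m-%d %H:%M %Z}  {regime:<5} {what}  [{status}]")
    return lines


if __name__ == "__main__":
    # Two hours into the response, all three regimes apply.
    for line in runbook(EXAMPLE_AWARE, {"GDPR", "NIS2", "DORA"},
                        now=EXAMPLE_AWARE + 2 * HOUR,
                        classified_major_at=EXAMPLE_MAJOR):
        print(line)
```

Run it with the constructed scenario and the first line is the DORA initial notification at midnight, nine hours before the NIS2 early warning is due; move the classification time to 22 hours after awareness and the DORA deadline collapses onto the 24-hour cap, which is the “whatever is left” case described above.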

Remember, the authorities are there to help

While they can impose hefty fines for serious and wide-reaching breaches, it’s important to not see the relevant authorities solely as enforcement bodies. By notifying them quickly, they can help you navigate potential implications and mitigate damage. For countries in the EU, the relevant bodies can also help cross-border coordination.

As the ICO explains for GDPR breaches, “It’s understandable if you’re concerned about what happens next. But we’re here to help you understand what happened and to prevent it happening again.”

It’s all part of incident management

These reporting requirements need to be built into your incident management process rather than bolted on afterwards. Treated that way, they keep all team members on the same page, force rapid decisions about classification and notification, and give you a record of how the incident was resolved.

If a breach is reported to an authority, then you may be called upon to demonstrate everything you did, step by step, as part of identifying the issue and resolving it. You may also be asked to show evidence of what you did in the months leading up to the incident as well.

As such, you need the right tools in place to document processes and systems, and to demonstrate not only that you hold the data required but also how you use it to manage risk within your business. Find out how IT Glue, with its robust documentation capabilities, can help you navigate your response to an incident.
