NIS2 Art. 23.2: Service Recipient Notification
What This Control Requires
Where appropriate, essential and important entities shall communicate, without undue delay, to the recipients of their services that are potentially affected by a significant cyber threat, any measures or remedies that those recipients can take in response to that threat. Where appropriate, the entities shall also inform those recipients of the significant cyber threat itself.
In Plain Language
Notifying regulators is only half the picture. When a significant incident or cyber threat could affect your customers, you need to tell them too - quickly enough that they can actually do something about it.
The notification should be actionable: what measures or remedies can recipients take to protect themselves and, where appropriate, what is the threat they are facing? The level of detail you share has to balance transparency against the risk of handing attackers useful information.
Modern digital services are deeply interconnected. When your service is compromised, the impact cascades to every customer depending on it. Timely, clear communication lets them activate contingency plans, implement protective measures, and make informed decisions about how they use your service during and after the incident.
How to Implement
Write a customer notification policy covering when notification is required (based on NIS2 significance criteria and potential impact on service recipients), who authorises and issues notifications, which channels to use (email, portal announcements, status pages, direct calls for critical clients), content standards, and legal review requirements.
Prepare notification templates for the most likely scenarios: service disruption (expected duration, workarounds), data compromise (affected data types, recommended actions like password changes), ongoing threat (protective measures customers should take), and general security advisories.
Build a customer communication workflow into your incident response process. Define checkpoints for assessing whether notification is needed, drafting the message, getting approvals from management, legal, and communications, and distributing through the right channels.
Set up a status page or equivalent real-time channel that customers can check for updates. This reduces the overhead of individual notifications during service disruptions and gives customers a transparent, always-accessible source of truth.
Strike the right balance between transparency and operational security. Share enough for customers to take meaningful action, but do not disclose details that could help attackers or compromise an ongoing investigation. Work with legal counsel and your CSIRT to calibrate disclosure levels.
Document every customer notification - the rationale for what you included, timing, and channels used. This demonstrates compliance and feeds into your post-incident analysis of communication effectiveness.
After each notification, gather feedback on clarity, timeliness, and usefulness. Use that feedback to refine the process for next time.
Evidence Your Auditor Will Request
- Customer notification policy and procedures
- Notification templates for different incident scenarios
- Records of actual customer notifications with timestamps and content
- Status page or equivalent real-time communication channel
- Post-notification feedback and improvement records
Common Mistakes
- Customer notifications are delayed while legal and PR teams debate language
- Notifications are too vague to be actionable; customers cannot determine what to do
- No pre-established communication channel; notifications rely on ad-hoc emails
- Small or medium business customers are overlooked while only large clients are notified
- Notifications focus on minimising reputational damage rather than helping customers protect themselves
Frequently Asked Questions
Must we notify all customers or only those directly affected?
How does this relate to GDPR breach notification?