
NIS2 Art.23.8: Cross-Border Incident Notification

What This Control Requires

Where the significant incident concerns two or more Member States, the CSIRT, the competent authority or the single point of contact shall, without undue delay, inform the other affected Member States' single points of contact and ENISA about the significant incident.

In Plain Language

Cyber attacks do not stop at national borders, and NIS2 reflects that reality. When a significant incident affects services or entities in more than one EU Member State, authorities must coordinate across borders - and your organisation is the one that needs to flag the cross-border dimension in the first place.

While CSIRTs handle the actual cross-border coordination, you need to assess and indicate in your notifications whether the incident could have impact beyond your home jurisdiction. That means understanding where your services reach, which customers sit in other Member States, and how cascading effects might travel through your supply chain.

Getting this right matters. An attack on your infrastructure in one country can easily disrupt services relied upon across the EU. Flagging the cross-border element early enables a coordinated response and limits the blast radius.

How to Implement

Start by mapping the cross-border footprint of your operations. Identify which services reach customers in other Member States, where your data processing spans jurisdictions, which infrastructure dependencies (cloud providers, CDNs, data centres) sit abroad, and where your supply chain crosses borders.

Build cross-border impact assessment into your incident evaluation process. For every significant incident, specifically consider whether affected services have users in other Member States, whether the incident could propagate through interconnected systems to other jurisdictions, and whether the attack pattern suggests a coordinated campaign across multiple countries.

Make sure your early warning and notification templates include clear fields for cross-border impact: which Member States are potentially affected, what the nature of the impact is, and which services or sectors are involved in each jurisdiction.

If you operate under NIS2 obligations in multiple Member States, understand your reporting requirements in each one. The cooperation mechanisms should prevent you from having to report the same incident multiple times, but you need to know your primary reporting obligations.

Establish contacts with CSIRTs in every Member State where you have significant operations. Knowing the regulatory landscape in advance saves valuable time during a real incident.

Coordinate your customer communications across jurisdictions. Consider local language requirements, differing regulatory expectations, and time zones when notifying affected parties in multiple countries.

Include cross-border scenarios in your incident response exercises. If your team has never practised identifying and communicating cross-border impact, they will struggle to do it under the pressure of a real event.

Evidence Your Auditor Will Request

  • Mapping of cross-border service provision and infrastructure dependencies
  • Cross-border impact assessment criteria in incident evaluation procedures
  • Early warning templates with cross-border impact fields
  • Contact details for CSIRTs in all relevant Member States
  • Exercise records including cross-border incident scenarios

Common Mistakes

  • Cross-border impact not assessed during incident evaluation; focus is solely on domestic impact
  • No mapping of services and infrastructure across Member States
  • Notification to domestic CSIRT does not flag cross-border dimension
  • Customer notifications not adapted for different Member State requirements
  • Cross-border scenarios not included in incident response exercises

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.5         Related
GDPR         Art.33        Related

Frequently Asked Questions

Do we need to report to multiple CSIRTs if the incident has cross-border impact?
Usually, no. You report to your primary CSIRT or competent authority, and they handle the cross-border coordination through the NIS2 cooperation framework. However, if you have separate NIS2 obligations in multiple Member States, you may need to report to each relevant authority. Check with your national competent authority to clarify your specific situation.

How do we determine if an incident has cross-border impact?
Ask yourself a few questions: does the incident affect services used by customers in other Member States? Does compromised infrastructure span multiple jurisdictions? Could the attack propagate through supply chains to entities in other countries? Does it look like part of a coordinated campaign? If the answer to any of these is yes - or even maybe - flag the potential cross-border impact in your notification.
