NIS2 Art.23.9: Voluntary Incident and Threat Notification
What This Control Requires
Any entity, whether or not it falls within the scope of this Directive, may submit notifications on a voluntary basis of significant incidents, cyber threats or near misses to the CSIRT.
In Plain Language
Beyond mandatory reporting, NIS2 actively encourages any organisation - even those outside the directive's formal scope - to voluntarily report incidents, cyber threats, and near misses to their CSIRT. The goal is to strengthen the overall threat intelligence picture across Europe.
Voluntary reporting is a two-way benefit. Your organisation gets access to CSIRT support and guidance even for incidents below the mandatory threshold. The broader community gets earlier warning of emerging threats, better visibility into attack patterns, and data that helps CSIRTs spot trends before they become widespread problems.
Near-miss reporting deserves special attention. Near misses are events that could have caused serious harm but were caught in time. Analysing them reveals attack methodologies and defensive gaps without the cost and chaos of a full-blown incident. Organisations that systematically capture and learn from near misses are demonstrating genuine security maturity.
How to Implement
Create an internal process for identifying incidents, threats, and near misses worth reporting voluntarily. Set criteria that are deliberately broader than the mandatory thresholds: incidents that provide useful threat intelligence, attacks detected and prevented before impact, new techniques or vulnerabilities you have observed, and emerging threats relevant to your sector.
Work voluntary reporting into your incident response workflow. After determining an incident does not meet the mandatory threshold, explicitly ask: would reporting this help the broader community or get us useful CSIRT feedback?
Develop a lightweight voluntary notification template. Keep it simple: event type (incident, threat, or near miss), a brief description, relevant indicators of compromise, and any lessons learned.
Foster a culture where near-miss reporting is valued, not punished. Make it clear that flagging a close call is a sign of good detection, not a failure. Recognise teams that contribute to the organisation's threat intelligence through proactive reporting.
Track voluntary reports alongside mandatory ones and look for patterns. A string of near misses in one area often signals a systemic issue that, left unaddressed, will eventually produce a significant incident. Feed this data back into your risk assessments.
Join sector-specific and cross-sector information-sharing communities. ENISA and national CSIRTs often facilitate these, and they are an excellent source of early threat intelligence.
Measure the return on your voluntary reporting: CSIRT feedback received, threats spotted early, improvements made from near miss analysis, and your contributions to sector-wide intelligence.
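The steps above describe a notification template (event type, description, indicators, lessons learned) and a register in which repeated near misses in one area are treated as a systemic warning sign. The following is an added illustration, not code from the page or from any regulator or vendor: a minimal record type with the template's fields plus an `area` field (an assumption, used to group reports), and a check that flags any area with several near misses inside a rolling window. The thresholds are constructed values to adjust to your own criteria.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

EVENT_TYPES = {"incident", "threat", "near miss"}


@dataclass
class VoluntaryNotification:
    """One voluntary report, following the lightweight template fields."""
    event_type: str                 # "incident", "threat" or "near miss"
    area: str                       # assumed field: affected system or business area
    observed: date                  # date the event was detected
    description: str                # brief description of what happened
    indicators: list[str] = field(default_factory=list)  # relevant IoCs, if any
    lessons_learned: str = ""

    def __post_init__(self) -> None:
        if self.event_type not in EVENT_TYPES:
            raise ValueError(f"event_type must be one of {sorted(EVENT_TYPES)}")


def systemic_areas(register, min_count=3, window_days=90):
    """Areas with at least min_count near misses inside any window_days span.

    A cluster of near misses in one area is the pattern the text describes as
    a systemic issue that will eventually produce a significant incident.
    """
    by_area = defaultdict(list)
    for n in register:
        if n.event_type == "near miss":
            by_area[n.area].append(n.observed)
    flagged = []
    for area, dates in by_area.items():
        dates.sort()
        # Sliding window over the sorted dates: check each run of min_count events.
        for i in range(len(dates) - min_count + 1):
            if (dates[i + min_count - 1] - dates[i]).days <= window_days:
                flagged.append(area)
                break
    return sorted(flagged)


# Constructed sample register (not real reports).
SAMPLE_REGISTER = [
    VoluntaryNotification("near miss", "email gateway", date(2024, 1, 10), "Phishing blocked by filter"),
    VoluntaryNotification("near miss", "email gateway", date(2024, 2, 5), "Credential lure quarantined"),
    VoluntaryNotification("near miss", "email gateway", date(2024, 3, 1), "Malicious attachment detonated in sandbox"),
    VoluntaryNotification("incident", "email gateway", date(2024, 3, 15), "One mailbox compromised", ["constructed-ioc"]),
    VoluntaryNotification("near miss", "vpn", date(2024, 2, 20), "Brute force stopped by lockout"),
    VoluntaryNotification("near miss", "web app", date(2024, 1, 1), "Scanner traffic dropped by WAF"),
    VoluntaryNotification("near miss", "web app", date(2024, 4, 1), "Second scanner burst dropped by WAF"),
]
```

Running `systemic_areas(SAMPLE_REGISTER)` on the constructed data flags only the email gateway, since its three near misses fall within 51 days; the incident record is tracked alongside but does not count towards the near-miss pattern.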
Evidence Your Auditor Will Request
- Voluntary reporting policy or guidelines
- Voluntary notification template
- Records of voluntary notifications submitted
- Near miss register and analysis records
- Evidence of participation in information sharing communities
Common Mistakes
- Voluntary reporting not considered; organisation only focuses on mandatory obligations
- Near misses are not systematically captured or analysed
- Culture discourages voluntary reporting due to fear of regulatory attention
- No process for evaluating whether non-significant incidents warrant voluntary reporting
- Information sharing is one-directional; organisation consumes but does not contribute intelligence
Frequently Asked Questions
Can voluntary reporting trigger regulatory scrutiny?
What is the difference between a near miss and a minor incident?