What happened
The NIS2 Cooperation Group — comprising EU Member States, the European Commission, and ENISA — adopted common templates for cyber incident reporting at its 39th Plenary meeting in Cyprus, announced May 26, 2026. The templates provide a unified format for NIS2 incident notifications across all Member States. The European Commission plans to adopt the templates through an implementing act, making them mandatory, and they will integrate with the proposed single-entry point for reporting under the Digital Omnibus package.
Why it matters
AI companies and AI-dependent critical infrastructure operators are covered entities under NIS2, and their incident response plans (IRPs) must now account for these harmonised fields. When the implementing act makes templates mandatory, any IRP that doesn't map to the new format will be non-compliant. This directly affects AI incident response plans that address model misbehaviour, training data breaches, inference API outages, and supply chain compromises.
Action needed
Legal and security teams operating in the EU should download the agreed template structure from the European Commission's Digital Strategy pages and conduct a gap assessment against current IRP documentation, escalation workflows, and notification timelines to identify fields that need to be added before the implementing act takes effect.