Article 30

Voluntary notification of relevant information

1.   Member States shall ensure that, in addition to the notification obligation provided for in Article 23, notifications can be submitted to the CSIRTs or, where applicable, the competent authorities, on a voluntary basis, by:

(a) essential and important entities with regard to incidents, cyber threats and near misses;

(b) entities other than those referred to in point (a), regardless of whether they fall within the scope of this Directive, with regard to significant incidents, cyber threats and near misses.

2.   Member States shall process the notifications referred to in paragraph 1 of this Article in accordance with the procedure laid down in Article 23. Member States may prioritise the processing of mandatory notifications over voluntary notifications.

Where necessary, the CSIRTs and, where applicable, the competent authorities shall provide the single points of contact with the information about notifications received pursuant to this Article, while ensuring the confidentiality and appropriate protection of the information provided by the notifying entity. Without prejudice to the prevention, investigation, detection and prosecution of criminal offences, voluntary reporting shall not result in the imposition of any additional obligations upon the notifying entity to which it would not have been subject had it not submitted the notification.

Frequently Asked Questions

Voluntary reporting under NIS2 means businesses can choose to inform cybersecurity authorities about incidents, potential threats, or events that almost resulted in a security breach, even if they are not legally required to do so. This voluntary action doesn't lead to additional requirements or penalties for the organization beyond its existing obligations.
Yes, authorities might prioritize mandatory notifications required by law over voluntary notices. However, both types follow the same general reporting procedures, ensuring confidentiality and data protection, and voluntary notifications are treated carefully so as not to impose extra responsibilities on organizations beyond their willingness to share helpful security-related information.
Under NIS2, voluntary reporting of cybersecurity incidents, threats, or near misses is open to both essential and important entities already covered by the directive and to other organizations not explicitly covered. This allows a wider range of groups to proactively contribute information that improves the overall cybersecurity readiness and response of authorities.
Confidentiality for voluntary cybersecurity reports under NIS2 is ensured by authorities through strict data protection measures. Information shared voluntarily is carefully safeguarded, passed to the appropriate points of contact only when needed, and handled without unnecessary disclosures, and entities are protected from additional obligations arising simply from their decision to notify.
