European Regulations

Deferral of NIS2 Cybersecurity Breach Notification: What Companies Must Do

Equipo Editorial CambiosLegales
20 Apr 2026

Key data

Regulation: Commission Delegated Regulation (EU) 2026/881 of 11 December 2025
CELEX reference: 32026R0881
Publication: 20 April 2026
Entry into force: Not specified
Affected parties: Companies and entities required to notify incidents under NIS2; critical sectors and essential service operators
Category: European Regulation
Regulation it completes: Regulation (EU) 2024/2847 of the European Parliament and of the Council

If your company is required to notify cybersecurity incidents under NIS2 regulations, the Delegated Regulation (EU) 2026/881 changes the rules of the game: it is no longer enough to notify or not notify a cybersecurity breach. There is now a specific procedure to defer that notification, with concrete conditions that you must be able to prove to the competent authority.

This regulation, published on 20 April 2026, complements Regulation (EU) 2024/2847 and closes a gap that many companies had in their incident response protocols: when and how can you delay public communication of an attack without incurring non-compliance?

What does this regulation establish?

Delegated Regulation 2026/881 specifies the circumstances related to cybersecurity in which the disclosure of incident notifications can be deferred. It establishes two main conditions that must be met for the deferral to be valid:

  • That immediate disclosure could compromise ongoing investigations related to the incident.
  • That immediate disclosure could aggravate the impact of the incident on the organization or third parties.

Additionally, the regulation establishes:

  • Objective criteria that companies must meet to justify the deferral.
  • Formal procedures to request and justify the deferral to the competent authorities.
  • The obligation to adapt internal crisis management protocols to incorporate these new requirements.

This regulation complements the framework of Regulation (EU) 2024/2847, which is the legal basis for cybersecurity incident notification in the EU.

Economic and operational impact

The impact of this regulation is not primarily a direct financial one; it is mainly operational and a matter of regulatory risk. Affected companies must assume the following costs and consequences:

  • Review and update of internal protocols for crisis management and incident response to incorporate the new deferral criteria and procedures.
  • Training of teams in cybersecurity, legal, and management on the objective conditions that allow requesting deferral.
  • Risk of administrative sanctions in case of non-compliance with the established conditions. The regulation does not detail specific penalty amounts in the available text, but the NIS2 sanctioning framework is one of the most demanding in European regulation.
  • Reputational and legal cost if a notification is deferred without meeting the required objective criteria and the competent authority determines that this constitutes non-compliance.

For companies that already had NIS2 protocols in place, the main effort will be to update existing procedures, not start from scratch. For those that do not yet have them, this regulation adds urgency to an adaptation that was already mandatory.

Who does it affect?

This regulation directly affects:

  • Companies and entities required to notify cybersecurity incidents under NIS2 regulations.
  • Critical sectors included in the scope of NIS2: energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space.
  • Essential service operators designated by national authorities.
  • Incident response teams (CSIRT) and cybersecurity officers (CISO) of affected organizations.
  • Legal advisors and cybersecurity consultants assisting these organizations in regulatory compliance.

Practical example

A digital infrastructure company subject to NIS2 suffers a cybersecurity attack on Monday morning. Its security team detects that the attacker is still active in the systems and that publishing the notification could alert them and make their identification and capture more difficult, aggravating the impact of the incident.

Under Regulation 2026/881, this company can request deferral of public notification, but must:

  1. Prove to the competent authority that the objective criteria established in the regulation are met (ongoing investigation or risk of aggravating the impact).
  2. Follow the formal request procedure provided for in the regulation.
  3. Have this procedure already documented in its internal crisis management protocol, which must have been adapted previously.

If the company cannot prove those conditions or does not follow the correct procedure, the deferral will not be valid and the company may face administrative sanctions.


What should companies do now?

  1. Identify whether your company is within the NIS2 scope: Verify whether your organization is an essential service operator or an important entity according to the NIS2 Directive and its national transposition.
  2. Review internal crisis management protocols: Incorporate the new objective criteria and deferral request procedures established by Regulation 2026/881.
  3. Document deferral criteria: Prepare internal templates and checklists that allow you to prove to the competent authority that the conditions for deferring a notification are met.
  4. Train the teams involved: CISO, legal team, management, and anyone involved in incident response must know when and how to request deferral.
  5. Review agreements with suppliers and third parties: If you outsource incident management, ensure that your suppliers also know and apply these new procedures.
  6. Check the entry into force date: The exact date has not been specified in the available publication. Monitor the official source on EUR-Lex to confirm the application deadline so that you are not late in adapting.

Frequently asked questions

When can a company defer notification of a cybersecurity breach according to Regulation 2026/881?

When it can prove to the competent authority that immediate disclosure would compromise ongoing investigations or aggravate the impact of the incident. The objective criteria and procedures established in Delegated Regulation (EU) 2026/881 must be met.

Which companies are required to comply with this notification deferral regulation?

Companies and entities required to notify cybersecurity incidents under NIS2 regulations, with particular relevance for critical sectors and essential service operators.

What happens if a company does not comply with the deferral notification conditions?

Non-compliance with the conditions established in Delegated Regulation 2026/881 may result in administrative sanctions. The regulation does not specify concrete penalty amounts in the available text.

What changes should I make to my internal protocols due to this regulation?

Companies must adapt their internal crisis management protocols to include the new criteria and procedures for requesting and justifying deferral to the competent authorities, as required by Regulation 2026/881.

When does Delegated Regulation 2026/881 enter into force?

The Regulation was published on 20 April 2026. The exact entry into force date has not been specified in the available publication. Monitor EUR-Lex for updates.

The CambiosLegales editorial team analyses, on a daily basis, the regulatory changes that affect companies and self-employed workers in Spain, offering pro...