A key compliance burden that will be addressed as part of the Digital Omnibus Package is incident/breach reporting. Today, companies must comply with multiple EU laws that impose overlapping and sometimes inconsistent cybersecurity-related incident reporting obligations on organisations across many sectors, including NIS2, CER, GDPR, DORA, the Cyber Resilience Act, eIDAS, aviation and electricity rules, telecoms rules, and other sector-specific regulations. These instruments require entities to notify various authorities (CSIRTs, supervisory authorities, sector regulators) about incidents, vulnerabilities, or breaches, often with similar but not identical information requirements, timelines, and templates. As a result, organisations must navigate parallel, duplicative reporting channels, creating administrative burden and fragmentation.
The upcoming Digital Omnibus and the revision of the Cybersecurity Act aim to streamline this landscape by introducing a single reporting interface named Single-Entry Point or SEP and enabling more consistent, EU-wide reporting.
This reform is to be welcomed and promises to simplify the incident response process, reducing the compliance cost and administrative burden on companies. By creating a Single-Entry Point for incident reporting and removing overlapping obligations, the new system will provide a clearer and more streamlined compliance process. The “report once, share many” approach, along with harmonised templates and longer reporting timelines under updated GDPR rules, should lower costs for businesses while still ensuring strong oversight and effective incident response across the EU.
A new Article 23a NIS2 will establish the single-entry point and the European Union Agency for Cybersecurity’s (ENISA) role, and set interoperability, access, and compatibility requirements (e.g., with European Business Wallets), enabling re-use of a single notification to satisfy multiple legal obligations.
The consolidated reporting is intended to cover the incident reporting schemes under the NIS2 Directive, GDPR personal data breach notifications, DORA major ICT incident reports and voluntary significant cyber threat notifications for the financial sector, eIDAS notifications, and CER Directive incidents, with plans to onboard additional sectoral regimes such as electricity and aviation via their implementing acts. NIS2 entities must notify significant incidents via the single-entry point, and, under the proposal, severe incident reports under the CRA can also satisfy NIS2 reporting where they contain the required information.
Concerning personal data, GDPR breach notifications shift to the single-entry point with the threshold aligned to "high risk" and the deadline extended to 96 hours, with a transitional clause until the entry point is established. The European Data Protection Board (EDPB) would be tasked to develop breach notification templates with guidance that could be accepted by the Commission in the form of implementing acts. Helpfully, the ePrivacy Directive's security/notification provisions will be repealed, avoiding duplication with NIS2 and GDPR, so a single regime applies to providers for security of processing and breach notification.
A parallel revision of the Cybersecurity Act will update ENISA's mandate and further simplify cybersecurity compliance.
Unfortunately, the European Commission’s proposal does not deal with personal data breach reporting obligations of processors. They currently remain obliged to report all personal data breaches (irrespective of their risk level) to their controllers (see Article 33(2) of the GDPR); a change here would be welcome. Accordingly, the existing framework with sector-specific and national requirements for the reporting of so-called ‘significant’ incidents remains in place. Further alignment would have the potential to reduce the administrative burden for businesses when identifying reportable incidents.
ENISA is mandated to develop and operate this secure conduit, building on the Cyber Resilience Act's reporting platform. ENISA must take proportionate technical, operational, and organisational measures to secure the platform and the information it handles, consulting national authorities via existing cooperation networks.
Interoperability with national solutions and the use of APIs and machine-readable standards should enable integration with entities' processes and national systems. Furthermore, the single-entry point should allow entities to retrieve information they have previously submitted through it. In case of technical unavailability, fulfilment of the incident notification obligation must be ensured by alternative means.
A piloting phase will precede the “go-live”, after which the Commission will publish a notice confirming proper functioning, reliability, integrity, and confidentiality safeguards, or require corrective measures on the SEP. The Commission is also mandated to consult the EU CSIRTs network and national authorities for the preparation of its notice. The Commission may also develop reporting templates in the form of implementing acts.
The SEP is projected to generate substantial cost savings and to address underreporting by simplifying the reporting workflow. Use of the SEP under NIS2, eIDAS, DORA, CER, and GDPR will apply 18 months after entry into force of the new measures, extendable to 24 months if the Commission's assessment finds that the entry point does not yet meet integrity, reliability, or confidentiality standards.
Further changes to the existing regulatory framework for cybersecurity may be expected pursuant to a stand-alone proposal for revision of the Cybersecurity Act. The proposal is slated for publication on 14 January 2026.