NIS2 Has Teeth: How the New Directive Changes AI Data Handling
NIS2 forces a 24-hour CSIRT warning when an employee leaks data into ChatGPT. Here is who is in scope, what counts as a significant incident, and what evidence you must produce.
The 30-second NIS2 primer
NIS2 (Directive (EU) 2022/2555) replaced the original NIS Directive and applies to two tiers of organisations across 18 sectors: essential entities (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space) and important entities (postal services, waste management, chemicals, food, manufacturing of medical devices and electronics, digital providers, research). Member States had until 17 October 2024 to transpose it into national law. Several missed that deadline. Germany finally adopted NIS2UmsuCG in early 2025. France transposed via the LPM and the loi de résilience. Spain transposed through Real Decreto-ley before the deadline. Italy got there with D.Lgs. 138/2024. Belgium, Poland, the Netherlands and Ireland were among the laggards. The Commission opened infringement proceedings in November 2024.
The point: even if your national transposition is messy, the Directive itself is binding from October 2024 and supervisory authorities are now writing enforcement playbooks. AI-driven data leaks sit squarely inside the new reporting obligations, and most security teams have not modelled them yet.
Who is actually in scope
Two thresholds matter. The size-cap rule: any organisation with more than 50 employees or above €10M annual turnover that operates in a covered sector is in scope by default. That sweeps in a lot of mid-market firms that thought NIS only applied to operators of essential services. The sector-mandatory rule: certain digital providers are in scope regardless of size. That means every DNS service provider, TLD registry, cloud provider, data centre operator, content delivery network, managed service provider and managed security service provider, no matter how small, falls under NIS2. A 12-person MSP in Lyon is in scope. A boutique cybersecurity consultancy in Munich is in scope.
If you operate AI tooling for a covered customer under a managed-services contract, you inherit reporting obligations for incidents on that perimeter. This catches a lot of AI integrators by surprise.
The reporting timeline that catches everyone off guard
NIS2 introduces a three-stage clock for any significant incident. Miss any stage and you are exposed.
| Deadline | What you owe | To whom |
|---|---|---|
| 24 hours | Early warning: incident detected, suspected cause (malicious or not), cross-border impact | National CSIRT or competent authority |
| 72 hours | Incident notification: severity assessment, impact, indicators of compromise, remediation status | Same authority |
| 1 month | Final report: detailed description, type of threat, mitigation applied, ongoing measures | Same authority |
The 24-hour clock starts from the moment the organisation becomes aware of the incident, not the moment it occurred. That distinction matters enormously when the incident is an employee pasting a client list into ChatGPT at 23:14 on a Friday. If your DLP picks it up Monday morning at 09:00, your 24-hour clock starts at 09:00. If you do not have a DLP and you find out via a customer complaint three weeks later, expect uncomfortable questions about your detection maturity.
What counts as a significant incident for AI data handling
The Directive defines a significant incident by impact, not by mechanism. An incident is significant if it has caused or is capable of causing severe operational disruption, financial loss, or material non-material damage to other persons. For AI data leaks, three patterns reliably cross that threshold:
- Personal data of more than 100 people leaving organisational control, whether that is a customer CSV pasted into Claude or a support transcript fed into a third-party summariser. This also triggers the GDPR 72-hour notification under Article 33 in parallel.
- Confidential business data with operational or financial impact — pricing models, M&A documents, source code for production systems, board minutes — leaving the perimeter via any AI tool, sanctioned or not.
- Credentials that enable further breach — API keys, JWTs, database connection strings, private keys, OAuth tokens — exfiltrated into an LLM prompt where the provider's logs are now outside your reach.
A real-world example: a finance team member pastes 500 customer records into ChatGPT to ask it to reformat a report. That is a significant incident under NIS2, a personal data breach under GDPR, and very likely a contractual breach with the affected customers. Three regimes, one paste.
The clock does not care that you were trying to be helpful. Intent is irrelevant to the 24-hour obligation. If your detection fired at 14:00, your CSIRT early warning is due by 14:00 the next day.
The evidence regulators will ask for
CSIRTs are converging on a standard evidence pack for AI-related incidents. Expect to be asked for:
- Timestamp of the prompt and of detection, with timezone.
- User identity and authentication context (SSO session, device, geolocation).
- Destination tool — was it ChatGPT, Claude, Gemini, Copilot, Perplexity, Mistral, DeepSeek, or an unsanctioned shadow tool?
- Redacted preview of the leaked content — usually first 200 characters with PII masked, enough to characterise the data type.
- Data classification — credit_card, IBAN, api_key, password, JWT, source_code, etc.
- Action taken — blocked, anonymised, monitored only.
- Scope assessment — how many records, which data subjects, which third-party processor now holds the data.
- Remediation — credentials rotated, customers notified, processor contacted for deletion.
Zeuslock's incident log was designed against this exact list. Every event in the Operator Console at app.zeuslock.ai captures these fields by default and exports as a single CSV that maps one-to-one onto the CSIRT template. When regulators ask for evidence at the 72-hour mark, you should not be writing it from scratch.
Who files the report and how the flow runs
NIS2 does not name a single role, but practice is consolidating around a triad: the CISO owns the technical report, the DPO handles the parallel GDPR notification when personal data is involved, and the legal counsel reviews liability exposure before submission. Behind the scenes, the report goes to the national CSIRT.
- France: ANSSI runs the CSIRT (CERT-FR) and the loi de résilience names ANSSI as the supervisory authority. Reporting goes through the MonServiceSécurisé portal.
- Germany: BSI receives notifications, with the Meldeportal under the IT-Sicherheitsgesetz framework now extended for NIS2UmsuCG.
- Spain: INCIBE-CERT handles non-critical sectors, CCN-CERT handles public sector, and the national CSIRT routes through the Centro Criptológico Nacional.
- Netherlands, Belgium, Italy: each has a national CSIRT — NCSC-NL, CCB CERT.be, CSIRT Italia respectively.
- The UK is out of scope post-Brexit but operates a parallel regime under NIS Regulations 2018, supervised by NCSC and the ICO.
If the incident has cross-border impact — a French organisation leaks data of German residents into a US-hosted LLM — the lead CSIRT informs counterpart authorities through the EU-CyCLONe network. You report once, to your lead CSIRT, but expect questions from others.
Sanctions and personal liability
The headline numbers are easy to find but worth restating because they have moved upward sharply:
| Entity type | Maximum fine |
|---|---|
| Essential entities | €10M or 2% of global annual turnover, whichever is higher |
| Important entities | €7M or 1.4% of global annual turnover, whichever is higher |
The bigger change is Article 32. For the first time at EU level, NIS2 explicitly puts personal liability on management bodies. Directors and senior managers can be held personally responsible for failures to implement cybersecurity risk management measures. Member States can suspend executives from management functions and impose individual fines. This is why your board is suddenly asking about AI data leakage at every quarterly review. They are not being paranoid. They are reading the Directive.
What to do this quarter
If you do nothing else, do these three things before the next quarter closes.
- Inventory your AI surface. List every AI tool in use across the organisation, sanctioned and shadow. ChatGPT, Claude, Gemini, Copilot, Cursor, Aider, Claude Code, Copilot CLI, DeepSeek, internal RAG pipelines, MCP-connected agents. A browser extension like Zeuslock plus a desktop agent plus the Zeuslock CLI for developer terminals will surface roughly 95% of it in two weeks of telemetry. Anything you cannot see, you cannot report on.
- Build an incident pipeline that fires within 24 hours. Detection → triage → CSIRT notification needs to be a single workflow with a named owner and a backup. Webhook your DLP into Slack and PagerDuty with HMAC verification, route significant incidents to a dedicated channel, and pre-fill the CSIRT template from your incident log. Practise the path end-to-end. If your first dry run takes 36 hours, you have a 24-hour problem.
- Tabletop an AI prompt leak. Once a quarter, run a scenario where a sales engineer pastes a 2,000-row customer table into Gemini at 22:30 on a Friday. Legal, DPO, CISO and a comms lead at the table. Draft the CSIRT early warning. Draft the GDPR Article 33 notification. Draft the customer notice. Time the whole thing. The first time you do this in anger should not be when it actually happens.
NIS2 will not be enforced gently. The first wave of penalties is already landing in Germany and the Netherlands for non-notification of incidents under the predecessor regime. Treat the 24-hour clock as real, design your AI data handling around it, and keep an evidence pack that you would be comfortable handing to a regulator at 09:00 the morning after.
Protect your data from AI leaks
Try Zeuslock free — DLP for ChatGPT, Claude, Gemini and more.
Book a demo →