The legal framework defines the obligations, but it does not guarantee the capacity to meet them. That capacity depends on technical, organizational and regulatory factors that combine differently in each organization and sector. The following sections first analyze the causes of delay, then its consequences, and illustrate both with two concrete case studies.
3.1. Causes of Reporting Delay
3.1.1. Internal and External Factors
The most direct technical cause of delay is the distance between the artefacts produced during forensic investigation and the legal reporting requirements. Analysts work with system logs, network traffic captures and code execution traces, but authorities need to know who was affected, what data was compromised and what the impact on data subjects is. Translating this technical information into legally structured language is a manual and time-consuming process. Arrus et al. (2026) propose a system that automates this process, combining malware analysis with a report-generation module based on large language models, and demonstrate that it significantly reduces the time required to prepare a compliant notification. Rao (2024) complements this diagnosis by showing that most existing automated attack investigation systems fail in the most critical objective: reducing the workload of analysts, who often operate with alert volumes far exceeding the available triage capacity.
Organizational barriers are equally decisive. Mentzelou et al. (2025) apply the DEMATEL methodology to European organizations and conclude that organizational factors are the most influential barriers: lack of awareness at top management level, scarcity of qualified resources and the absence of formal incident response processes. These conditions precede and condition the technical barriers. Garrone (2025) focuses specifically on small and medium-sized enterprises, which NIS2 now covers above certain size thresholds, and documents how their structural constraints make it difficult to meet 24- and 72-hour deadlines without prior investment in response capacity.
Table 2 presents the complete taxonomy of the factors identified in the literature.
On the regulatory side, the ambiguity of the NIS2 notification criteria adds difficulty. Seeba et al. (2025) show that determining whether an incident exceeds the thresholds that make notification mandatory requires combining technical and legal skills that rarely coexist in the same team. For organizations operating in multiple jurisdictions, the challenge is even greater: Rodrigues et al. (2024) and Avanzi et al. (2025) document how the fragmentation of international regimes increases the likelihood of error and delay, particularly when an incident affects systems distributed across several countries.
Figure 2.
Taxonomy of the main causes of delay in reporting cybersecurity incidents, organized in three categories: technical, organizational and regulatory.
Figure 2.
Taxonomy of the main causes of delay in reporting cybersecurity incidents, organized in three categories: technical, organizational and regulatory.
3.1.2. Detection as a Precondition for Reporting
Before reporting, one must know. This simple statement conceals a serious problem: a significant share of serious incidents is never detected internally by the affected organizations. The legal 72-hour deadline counts from the moment the organization becomes aware of the incident, which introduces a relevant ambiguity. If detection is late, or does not occur at all, the deadline never starts to run and the incident is not reported. Ali & Hicks (2025) confirm this reality in the British data: of the 89 highly significant incidents captured by the NCSC in 2024, more than two thirds were not reported under the NIS, in many cases because the affected organizations simply did not detect them.
The T-Mobile case exemplifies the problem. In the 2021 incident, the alert reached the company through external publications before any internal detection, which indicates that the existing monitoring systems were insufficient to identify the ongoing intrusion (Cui & Song, 2025). Investing in early detection capabilities, including zero-trust architectures and continuous monitoring, is not only a matter of operational security: it is a necessary condition for the legal reporting deadline to even begin to run. The sharing of threat information, through platforms such as MISP and the NIS2 CSIRTs network, can accelerate this detection, especially in cases of attack campaigns that affect multiple entities simultaneously.
3.2. Consequences of Reporting Delay
The consequences of delay are multiple and operate in distinct dimensions. The most immediate is exposure to penalties: the GDPR provides for fines of up to 20 million euros or 4% of global turnover for breaches of notification obligations; NIS2 adds its own penalties for the entities covered; and the new British regime establishes fines of up to 17 million pounds (Shelby, 2025). But the financial consequences are not limited to regulatory penalties. Civil liability towards affected data subjects is a growing avenue in the European space, and litigation costs may exceed the fines themselves (Zuiderveen Borgesius et al., 2023). At the same time, delay directly aggravates the harm to the people whose data was compromised: the window between the breach and the notification is precisely the window in which data subjects could act to protect themselves.
The systemic dimension is equally concerning. Figure 5 illustrates the gap between incidents reported under NIS and the significant incidents captured by the NCSC in the United Kingdom in 2024: only 30 of the 89 incidents reached the authorities, a coverage rate of 33.7%. When incidents are not reported, the cybersecurity governance system is deprived of information essential to detecting attack patterns, coordinating responses and formulating effective policy. Ruohonen et al. (2025) document that, despite the ambition of NIS2, the management of cybersecurity crises at European level remains operationally unclear, in part due to a lack of complete and timely data. This gap is further aggravated by the absence of a centralized pan-European registry of essential and important entities, identified by Steen & Shabani (2025).
Beyond penalties and the systemic impact, delay generates lasting reputational consequences. The way an organization communicates an incident, including how quickly it does so, is decisive for the perception of reliability on the part of customers, partners and investors. Organizations that report late tend to suffer disproportionate losses relative to the actual technical harm, a pattern that is particularly visible in cases of recurring breaches. The T-Mobile case, with two incidents in two years, illustrates how the inability to resolve structural weaknesses amplifies the negative effects of each new episode.
Figure 3.
Comparison of the maximum penalties provided for in the main mandatory cybersecurity incident reporting regimes. Values in pounds sterling were converted to euros at the approximate rate of 1.165.
Figure 3.
Comparison of the maximum penalties provided for in the main mandatory cybersecurity incident reporting regimes. Values in pounds sterling were converted to euros at the approximate rate of 1.165.
Beyond the legal and financial implications, delayed reporting has concrete and immediate consequences for the people whose data was compromised. The time window between the occurrence of a breach and its communication to data subjects is precisely the window in which they could act to protect themselves: changing passwords, cancelling bank cards, alerting their financial institutions or monitoring suspicious transactions. The later the notification arrives, the greater the exposure to harm. Zuiderveen Borgesius et al. (2023) cite North American studies showing that the obligation to notify state authorities reduces identity fraud rates by around 10%, which suggests that timely notification has a real and measurable impact on the protection of individuals. Delay is therefore not merely a compliance problem, but an issue with concrete human consequences.
One of the most concerning structural consequences is the systematic under-reporting of cybersecurity incidents. The available data suggest that a significant share of serious incidents is never reported to the competent authorities, whether through ignorance of the obligations, lack of technical detection capacity, fear of regulatory consequences or an incorrect assessment of the notification thresholds. Ali & Hicks (2025) obtained empirical data that quantify this reality precisely: in 2024, in the United Kingdom, only 30 cybersecurity incidents were formally reported under the NIS Regulations, while the National Cyber Security Centre recorded 89 incidents classified as highly significant in the same period. The coverage ratio, of about 34%, indicates that more than two thirds of serious incidents escape the regulatory radar. The authors further warn of the limited access of academic researchers to mandatory reporting data, which constrains the independent assessment of the effectiveness of the regimes.
Under-reporting also has an impact on the effectiveness of the cybersecurity governance system at European level. Mandatory reporting regimes were designed to create a flow of information that allows authorities to detect attack patterns, identify systemic vulnerabilities and coordinate responses to large-scale incidents. When incidents are not reported or are reported late, this flow is compromised. Ruohonen et al. (2025) document that, despite the ambition of the EU's new legislative instruments, the concrete functioning of cybersecurity crisis management at European level remains unclear, particularly regarding the articulation between national governance bodies and European coordination structures. The absence of a centralized pan-European registry of essential and important entities aggravates this problem by making comprehensive monitoring of notification obligations impossible.
Beyond the direct consequences, delayed reporting generates reputational and operational impacts that extend well beyond the incident. The available research on organizations' behavior after major data breaches shows that the way an organization manages the communication of an incident, including the speed with which it informs those affected and the authorities, is a decisive factor in the perception of its reliability by customers, partners and investors. Organizations that report late or incompletely tend to suffer disproportionate losses relative to the actual technical harm of the incident, a pattern that is particularly evident in cases of recurring breaches, such as the one analyzed in the following section.
Figure 4.
Mandatory cybersecurity incident reporting deadlines under the GDPR, the NIS2 Directive and the UK Cyber Security and Resilience Bill (2025).
Figure 4.
Mandatory cybersecurity incident reporting deadlines under the GDPR, the NIS2 Directive and the UK Cyber Security and Resilience Bill (2025).
Figure 5.
Cybersecurity incidents reported under the United Kingdom's NIS Regulations versus highly significant incidents recorded by the NCSC in 2024 (Ali & Hicks, 2025).
Figure 5.
Cybersecurity incidents reported under the United Kingdom's NIS Regulations versus highly significant incidents recorded by the NCSC in 2024 (Ali & Hicks, 2025).
Table 1.
Comparison of the mandatory cybersecurity incident reporting regimes.
Table 1.
Comparison of the mandatory cybersecurity incident reporting regimes.
| Instrument |
Scope |
Early Warning (24h) |
Notification (72h) |
Maximum Penalty |
| GDPR (Art. 33–34) |
All controllers of personal data |
— |
Yes |
€20M or 4% of global turnover |
| NIS2 — Essential entities (Art. 23) |
Energy, health, transport, digital infrastructure, public administration |
Yes |
Yes |
€10M or 2% of global turnover |
| NIS2 — Important entities (Art. 23) |
Relevant sectors of broader scope (postal services, waste, space) |
Yes |
Yes |
€7M or 1.4% of global turnover |
| UK Cyber Security and Resilience Bill (2025) |
Designated MSPs, data centres and critical suppliers |
Yes |
Yes |
£17M or 4% of global turnover |
Table 2.
Taxonomy of the main causes of delay in reporting security incidents.
Table 2.
Taxonomy of the main causes of delay in reporting security incidents.
| Category |
Factor |
Impact |
Main Source |
| Technical |
Gap between forensic artefacts and legal reporting requirements |
High |
Arrus et al. (2026) |
| Technical |
Alert overload and insufficient automation in incident response |
High |
Rao (2024) |
| Organizational |
Lack of awareness, resources and qualifications (especially in SMEs) |
High |
Mentzelou et al. (2025); Garrone (2025) |
| Organizational |
Absence of formal incident response processes |
Medium-High |
Mentzelou et al. (2025) |
| Regulatory |
Ambiguity of the NIS2 notification criteria |
Medium |
Seeba et al. (2025) |
| Regulatory |
Fragmentation of notification regimes across jurisdictions |
Medium |
Rodrigues et al. (2024); Avanzi et al. (2025) |
3.3. Case Analysis
Cui & Song (2025) analyze T-Mobile's two major data breaches in 2021 and 2023 through a combination of documentary review and active security audit. In the first incident, the data of 77 million customers was compromised; in the second, 37 million. The analysis reveals that structural weaknesses identified after 2021 remained present in the systems in 2023, which indicates that the corrective measures implemented were insufficient. In neither case were the notification deadlines met, which led to regulatory investigations and substantial settlement payments. The authors' financial modeling demonstrates that a five-year investment in the recommended countermeasures would represent less than 1.1% of the losses estimated from the two incidents: clear evidence of the cost of preventive inaction.
The study by Ali & Hicks (2025) approaches the problem from a different angle. Instead of analyzing a specific case, the researchers assess the systemic functioning of the British NIS Regulations during 2024, using freedom-of-information requests to regulatory bodies and comparative data from the NCSC. The results show three structural failures: a coverage rate of 33.7%, with most significant incidents escaping the notification regime; limited access by academic researchers to mandatory reporting data, which prevents an independent assessment of the regime's effectiveness; and the absence of mechanisms to ensure that the data collected is used to improve the collective response to threats. Together, the two cases show that the existence of clear legal deadlines is not a sufficient condition to ensure effective reporting: detection capabilities, mature organizational processes and robust supervisory mechanisms are equally necessary.