Preprint
Article

This version is not peer-reviewed.

Delay in Reporting Security Incidents in Critical Information Systems: Causes, Consequences and Regulatory Framework

Submitted:

13 June 2026

Posted:

16 June 2026

You are already at the latest version

Abstract
Meeting the legal reporting deadline after a cybersecurity incident is, for many organizations, harder than the law suggests. The General Data Protection Regulation requires personal data breaches to be reported to the competent authorities within 72 hours; the NIS2 Directive adds a 24-hour early warning for essential and important entities. Despite the clarity of these deadlines, delayed reporting remains a systemic problem with significant legal, reputational and human consequences. This article analyzes its causes and consequences based on a review of 14 recent academic sources. The results identify three categories of factors: the technical distance between forensic investigation and the legal reporting format; organizational barriers, aggravated in small and medium-sized enterprises; and the ambiguity of regulatory requirements. The consequences include regulatory penalties, aggravated harm to data subjects and chronic under-reporting. The article concludes with recommendations aimed at organizations and legislators. The findings are particularly relevant for critical information systems environments, where delayed incident reporting may affect operational continuity, resilience, regulatory compliance, and coordinated response capabilities.
Keywords: 
;  ;  ;  ;  ;  ;  ;  ;  

1. Introduction

On 5 October 2021, T-Mobile publicly confirmed that the data of 77 million customers had been compromised. The alert reached the company through external channels before any internal detection, which raises a simple but uncomfortable question: if an organization does not know it has been attacked, it cannot notify anyone. This scenario, far from being an exception, illustrates one of the deepest tensions in mandatory reporting regimes. The General Data Protection Regulation, in force since 2018, imposes 72 hours to report a personal data breach to the competent supervisory authority. The NIS2 Directive, transposed into the Member States by October 2024, goes further: it requires an early warning within 24 hours and a formal notification within 72 hours for essential and important entities, followed by a final report within one month (Ruohonen, 2024).
The available data confirm that compliance with these deadlines is far from universal. In the United Kingdom, in 2024, only 30 cybersecurity incidents were reported under the NIS Regulations, while the National Cyber Security Centre recorded 89 incidents classified as highly significant in the same period. The coverage rate of 33.7% shows that most serious incidents do not even reach the competent authorities (Ali & Hicks, 2025). In the United States, the analysis of data from eight states with mandatory reporting laws shows inconsistent reporting patterns that distort the assessment of cyber risk (Avanzi et al., 2025).
In critical information systems environments, timely incident reporting constitutes a fundamental security and governance mechanism. Delays in notification may compromise coordinated response activities, situational awareness, operational continuity, and the protection of essential services. Consequently, incident reporting should be viewed not only as a regulatory obligation but also as a critical component of cyber resilience and operational assurance.
This article presents an integrated analysis of the causes and consequences of delayed reporting of security incidents, based on a review of 14 academic sources published between 2023 and 2026. The aim is twofold: to clarify the current regulatory framework and to identify the factors that make timely compliance difficult for many organizations, proposing concrete recommendations for organizations and legislators. The article is organized in five sections: legal framework (Section 2), analysis of causes and consequences (Section 3), discussion of the results (Section 4) and conclusions (Section 5).

3. Analysis: Delayed Incident Reporting

The legal framework defines the obligations, but it does not guarantee the capacity to meet them. That capacity depends on technical, organizational and regulatory factors that combine differently in each organization and sector. The following sections first analyze the causes of delay, then its consequences, and illustrate both with two concrete case studies.

3.1. Causes of Reporting Delay

3.1.1. Internal and External Factors

The most direct technical cause of delay is the distance between the artefacts produced during forensic investigation and the legal reporting requirements. Analysts work with system logs, network traffic captures and code execution traces, but authorities need to know who was affected, what data was compromised and what the impact on data subjects is. Translating this technical information into legally structured language is a manual and time-consuming process. Arrus et al. (2026) propose a system that automates this process, combining malware analysis with a report-generation module based on large language models, and demonstrate that it significantly reduces the time required to prepare a compliant notification. Rao (2024) complements this diagnosis by showing that most existing automated attack investigation systems fail in the most critical objective: reducing the workload of analysts, who often operate with alert volumes far exceeding the available triage capacity.
Organizational barriers are equally decisive. Mentzelou et al. (2025) apply the DEMATEL methodology to European organizations and conclude that organizational factors are the most influential barriers: lack of awareness at top management level, scarcity of qualified resources and the absence of formal incident response processes. These conditions precede and condition the technical barriers. Garrone (2025) focuses specifically on small and medium-sized enterprises, which NIS2 now covers above certain size thresholds, and documents how their structural constraints make it difficult to meet 24- and 72-hour deadlines without prior investment in response capacity. Table 2 presents the complete taxonomy of the factors identified in the literature.
On the regulatory side, the ambiguity of the NIS2 notification criteria adds difficulty. Seeba et al. (2025) show that determining whether an incident exceeds the thresholds that make notification mandatory requires combining technical and legal skills that rarely coexist in the same team. For organizations operating in multiple jurisdictions, the challenge is even greater: Rodrigues et al. (2024) and Avanzi et al. (2025) document how the fragmentation of international regimes increases the likelihood of error and delay, particularly when an incident affects systems distributed across several countries.
Figure 2. Taxonomy of the main causes of delay in reporting cybersecurity incidents, organized in three categories: technical, organizational and regulatory.
Figure 2. Taxonomy of the main causes of delay in reporting cybersecurity incidents, organized in three categories: technical, organizational and regulatory.
Preprints 218501 g002

3.1.2. Detection as a Precondition for Reporting

Before reporting, one must know. This simple statement conceals a serious problem: a significant share of serious incidents is never detected internally by the affected organizations. The legal 72-hour deadline counts from the moment the organization becomes aware of the incident, which introduces a relevant ambiguity. If detection is late, or does not occur at all, the deadline never starts to run and the incident is not reported. Ali & Hicks (2025) confirm this reality in the British data: of the 89 highly significant incidents captured by the NCSC in 2024, more than two thirds were not reported under the NIS, in many cases because the affected organizations simply did not detect them.
The T-Mobile case exemplifies the problem. In the 2021 incident, the alert reached the company through external publications before any internal detection, which indicates that the existing monitoring systems were insufficient to identify the ongoing intrusion (Cui & Song, 2025). Investing in early detection capabilities, including zero-trust architectures and continuous monitoring, is not only a matter of operational security: it is a necessary condition for the legal reporting deadline to even begin to run. The sharing of threat information, through platforms such as MISP and the NIS2 CSIRTs network, can accelerate this detection, especially in cases of attack campaigns that affect multiple entities simultaneously.

3.2. Consequences of Reporting Delay

The consequences of delay are multiple and operate in distinct dimensions. The most immediate is exposure to penalties: the GDPR provides for fines of up to 20 million euros or 4% of global turnover for breaches of notification obligations; NIS2 adds its own penalties for the entities covered; and the new British regime establishes fines of up to 17 million pounds (Shelby, 2025). But the financial consequences are not limited to regulatory penalties. Civil liability towards affected data subjects is a growing avenue in the European space, and litigation costs may exceed the fines themselves (Zuiderveen Borgesius et al., 2023). At the same time, delay directly aggravates the harm to the people whose data was compromised: the window between the breach and the notification is precisely the window in which data subjects could act to protect themselves.
The systemic dimension is equally concerning. Figure 5 illustrates the gap between incidents reported under NIS and the significant incidents captured by the NCSC in the United Kingdom in 2024: only 30 of the 89 incidents reached the authorities, a coverage rate of 33.7%. When incidents are not reported, the cybersecurity governance system is deprived of information essential to detecting attack patterns, coordinating responses and formulating effective policy. Ruohonen et al. (2025) document that, despite the ambition of NIS2, the management of cybersecurity crises at European level remains operationally unclear, in part due to a lack of complete and timely data. This gap is further aggravated by the absence of a centralized pan-European registry of essential and important entities, identified by Steen & Shabani (2025).
Beyond penalties and the systemic impact, delay generates lasting reputational consequences. The way an organization communicates an incident, including how quickly it does so, is decisive for the perception of reliability on the part of customers, partners and investors. Organizations that report late tend to suffer disproportionate losses relative to the actual technical harm, a pattern that is particularly visible in cases of recurring breaches. The T-Mobile case, with two incidents in two years, illustrates how the inability to resolve structural weaknesses amplifies the negative effects of each new episode.
Figure 3. Comparison of the maximum penalties provided for in the main mandatory cybersecurity incident reporting regimes. Values in pounds sterling were converted to euros at the approximate rate of 1.165.
Figure 3. Comparison of the maximum penalties provided for in the main mandatory cybersecurity incident reporting regimes. Values in pounds sterling were converted to euros at the approximate rate of 1.165.
Preprints 218501 g003
Beyond the legal and financial implications, delayed reporting has concrete and immediate consequences for the people whose data was compromised. The time window between the occurrence of a breach and its communication to data subjects is precisely the window in which they could act to protect themselves: changing passwords, cancelling bank cards, alerting their financial institutions or monitoring suspicious transactions. The later the notification arrives, the greater the exposure to harm. Zuiderveen Borgesius et al. (2023) cite North American studies showing that the obligation to notify state authorities reduces identity fraud rates by around 10%, which suggests that timely notification has a real and measurable impact on the protection of individuals. Delay is therefore not merely a compliance problem, but an issue with concrete human consequences.
One of the most concerning structural consequences is the systematic under-reporting of cybersecurity incidents. The available data suggest that a significant share of serious incidents is never reported to the competent authorities, whether through ignorance of the obligations, lack of technical detection capacity, fear of regulatory consequences or an incorrect assessment of the notification thresholds. Ali & Hicks (2025) obtained empirical data that quantify this reality precisely: in 2024, in the United Kingdom, only 30 cybersecurity incidents were formally reported under the NIS Regulations, while the National Cyber Security Centre recorded 89 incidents classified as highly significant in the same period. The coverage ratio, of about 34%, indicates that more than two thirds of serious incidents escape the regulatory radar. The authors further warn of the limited access of academic researchers to mandatory reporting data, which constrains the independent assessment of the effectiveness of the regimes.
Under-reporting also has an impact on the effectiveness of the cybersecurity governance system at European level. Mandatory reporting regimes were designed to create a flow of information that allows authorities to detect attack patterns, identify systemic vulnerabilities and coordinate responses to large-scale incidents. When incidents are not reported or are reported late, this flow is compromised. Ruohonen et al. (2025) document that, despite the ambition of the EU's new legislative instruments, the concrete functioning of cybersecurity crisis management at European level remains unclear, particularly regarding the articulation between national governance bodies and European coordination structures. The absence of a centralized pan-European registry of essential and important entities aggravates this problem by making comprehensive monitoring of notification obligations impossible.
Beyond the direct consequences, delayed reporting generates reputational and operational impacts that extend well beyond the incident. The available research on organizations' behavior after major data breaches shows that the way an organization manages the communication of an incident, including the speed with which it informs those affected and the authorities, is a decisive factor in the perception of its reliability by customers, partners and investors. Organizations that report late or incompletely tend to suffer disproportionate losses relative to the actual technical harm of the incident, a pattern that is particularly evident in cases of recurring breaches, such as the one analyzed in the following section.
Figure 4. Mandatory cybersecurity incident reporting deadlines under the GDPR, the NIS2 Directive and the UK Cyber Security and Resilience Bill (2025).
Figure 4. Mandatory cybersecurity incident reporting deadlines under the GDPR, the NIS2 Directive and the UK Cyber Security and Resilience Bill (2025).
Preprints 218501 g004
Figure 5. Cybersecurity incidents reported under the United Kingdom's NIS Regulations versus highly significant incidents recorded by the NCSC in 2024 (Ali & Hicks, 2025).
Figure 5. Cybersecurity incidents reported under the United Kingdom's NIS Regulations versus highly significant incidents recorded by the NCSC in 2024 (Ali & Hicks, 2025).
Preprints 218501 g005
Table 1. Comparison of the mandatory cybersecurity incident reporting regimes.
Table 1. Comparison of the mandatory cybersecurity incident reporting regimes.
Instrument Scope Early Warning (24h) Notification (72h) Maximum Penalty
GDPR (Art. 33–34) All controllers of personal data Yes €20M or 4% of global turnover
NIS2 — Essential entities (Art. 23) Energy, health, transport, digital infrastructure, public administration Yes Yes €10M or 2% of global turnover
NIS2 — Important entities (Art. 23) Relevant sectors of broader scope (postal services, waste, space) Yes Yes €7M or 1.4% of global turnover
UK Cyber Security and Resilience Bill (2025) Designated MSPs, data centres and critical suppliers Yes Yes £17M or 4% of global turnover
Table 2. Taxonomy of the main causes of delay in reporting security incidents.
Table 2. Taxonomy of the main causes of delay in reporting security incidents.
Category Factor Impact Main Source
Technical Gap between forensic artefacts and legal reporting requirements High Arrus et al. (2026)
Technical Alert overload and insufficient automation in incident response High Rao (2024)
Organizational Lack of awareness, resources and qualifications (especially in SMEs) High Mentzelou et al. (2025); Garrone (2025)
Organizational Absence of formal incident response processes Medium-High Mentzelou et al. (2025)
Regulatory Ambiguity of the NIS2 notification criteria Medium Seeba et al. (2025)
Regulatory Fragmentation of notification regimes across jurisdictions Medium Rodrigues et al. (2024); Avanzi et al. (2025)

3.3. Case Analysis

Cui & Song (2025) analyze T-Mobile's two major data breaches in 2021 and 2023 through a combination of documentary review and active security audit. In the first incident, the data of 77 million customers was compromised; in the second, 37 million. The analysis reveals that structural weaknesses identified after 2021 remained present in the systems in 2023, which indicates that the corrective measures implemented were insufficient. In neither case were the notification deadlines met, which led to regulatory investigations and substantial settlement payments. The authors' financial modeling demonstrates that a five-year investment in the recommended countermeasures would represent less than 1.1% of the losses estimated from the two incidents: clear evidence of the cost of preventive inaction.
The study by Ali & Hicks (2025) approaches the problem from a different angle. Instead of analyzing a specific case, the researchers assess the systemic functioning of the British NIS Regulations during 2024, using freedom-of-information requests to regulatory bodies and comparative data from the NCSC. The results show three structural failures: a coverage rate of 33.7%, with most significant incidents escaping the notification regime; limited access by academic researchers to mandatory reporting data, which prevents an independent assessment of the regime's effectiveness; and the absence of mechanisms to ensure that the data collected is used to improve the collective response to threats. Together, the two cases show that the existence of clear legal deadlines is not a sufficient condition to ensure effective reporting: detection capabilities, mature organizational processes and robust supervisory mechanisms are equally necessary.

4. Discussion

The body of evidence analyzed points to a common diagnosis: delayed incident reporting is, for the most part, a structural problem, not one of intent. Organizations that fail to meet legal deadlines generally do not do so through deliberate disregard, but because they face technical, organizational and regulatory conditions that make compliance genuinely difficult. This distinction has direct implications for public policy: increasing penalties without removing the structural obstacles increases the pressure without improving the results.
The most promising interventions operate on the three identified levels. On the technical level, the automation of the reporting process, proposed by Arrus et al. (2026), can significantly reduce the time and effort required to prepare a compliant notification, provided that the formats required by national authorities are standardized within the EU and the automation systems are integrated with the incident response platforms already in use. On the organizational level, differentiation by size is essential: the requirements applicable to a large energy company should not be identical to those applicable to a small telecommunications company. Garrone's (2025) model provides a solid conceptual basis for a proportionate approach that does not sacrifice the minimum standards of protection. On the regulatory level, the clarification of the NIS2 notification criteria and progressive harmonization with the regimes of the United Kingdom and the United States are conditions for reducing the regulatory fragmentation that increases the likelihood of error and delay in multinational organizations.
An important limitation of this analysis deserves to be made explicit: most of the available knowledge about reporting delay is based on incidents that were reported, which constitutes a biased sample. Unreported incidents are, by definition, invisible to academic research. To overcome this limitation, it is necessary to create public repositories of incident data with regulated access for researchers, to carry out independent audits of the notification regimes and to conduct longitudinal studies that follow the behavior of organizations over time. Without better data, it is impossible to know whether the mandatory reporting regimes are meeting the objectives for which they were created.

5. Conclusions

Delayed reporting of cybersecurity incidents results from three categories of mutually reinforcing factors: the technical distance between forensic investigation and regulatory reporting, organizational barriers with particular incidence in SMEs, and the ambiguity and fragmentation of regulatory requirements. The documented consequences include regulatory penalties, aggravated harm to data subjects, systematic under-reporting and limitations in the effectiveness of European cybersecurity governance. The available empirical evidence, in particular the 2024 British data, suggests that the magnitude of the problem is greater than the official reporting data indicate.
Three directions of intervention emerge as priorities. The first is the automation of the notification process, in order to reduce the burden on security teams and to eliminate translation errors between technical and legal language. The second is the differentiation of compliance requirements by entity size, ensuring that SMEs have proportionate and progressive models that allow them to build response capacity in a sustainable way. The third is regulatory harmonization, both within the EU and with international partners, to reduce the ambiguity that increases the risk of involuntary non-compliance. These three directions are complementary: automation without organizational structure produces no results, regulatory clarity without implementation capacity results in dead letter, and organizational capacity without adequate tools amounts to no more than good intentions.
ENISA and the national cybersecurity centres have a central role to play, not only in enforcement, but also in supporting organizations through sectoral guides, simulation exercises and maturity assessment tools. The first NIS2 supervisory data, as it is made public by national authorities, will make it possible to identify the sectors with the greatest compliance difficulties and to feed a cycle of continuous improvement of the regulatory framework. Future research should follow this process and contribute, in particular, to the creation of public repositories of incident data that allow a rigorous and independent assessment of the effectiveness of the mandatory reporting regimes.
The role of supervisory authorities is equally central to the effectiveness of the notification regimes. ENISA, the European Union Agency for Cybersecurity, and the national cybersecurity centres have a dual role: on the one hand, to enforce compliance with the obligations; on the other, to support organizations in building the capacities needed to meet them. This second role is often neglected in public policy debates, which tend to focus on penalties at the expense of technical support and practical guidance. The publication of sectoral notification guides, the organization of incident simulation exercises and the provision of free maturity assessment tools are instruments that authorities can use to reduce the gap between legal obligations and real organizational capacity.
The experience accumulated in the first years of NIS2 application in the Member States will be decisive in assessing whether the current regulatory framework is sufficient or whether it requires adjustments. The first supervisory data, as it is made public by the competent national authorities, will make it possible to identify the sectors with the greatest compliance difficulties, the types of incidents most frequently under-reported and the factors that most contribute to delay. This information should feed a cycle of continuous improvement of the regulatory framework, oriented not only towards punishing non-compliance but towards understanding its causes and creating the conditions that allow organizations to comply consistently and sustainably.
From a critical information systems perspective, timely incident reporting should be regarded as a strategic security requirement. Effective reporting mechanisms contribute directly to cyber resilience, coordinated response, and the protection of critical infrastructures and essential services.

Abbreviations

The following abbreviations are used in this article:
CSIRT Computer Security Incident Response Team
DEMATEL Decision-Making Trial and Evaluation Laboratory
DPA Data Protection Authority
ENISA European Union Agency for Cybersecurity
GDPR General Data Protection Regulation
MISP Malware Information Sharing Platform
NCSC National Cyber Security Centre
NIS Network and Information Systems
NIS2 Directive (EU) 2022/2555 — Cybersecurity
SME Small and Medium-sized Enterprise

References

  1. Ali, J.; Hicks, C. On the effectiveness of the UK NIS regulations as a mandatory cybersecurity reporting regime; Preprint; The Alan Turing Institute, Defence and National Security Programme, 2025. [Google Scholar]
  2. Arrus, A.; Di Gisi, M.; Lilli, S.; Quadrini, M. Accelerating incident response: A hybrid approach for data breach reporting. In IMT School for Advanced Studies Lucca; Preprint, 2026. [Google Scholar]
  3. Avanzi, B.; Tan, X.; Taylor, G.; Wong, B. On the evolution of data breach reporting patterns and frequency in the United States: A cross-state analysis; Preprint; University of Melbourne, 2025. [Google Scholar]
  4. Cui, Z.; Song, Z. Enterprise security incident analysis and countermeasures based on the T-Mobile data breach; Preprint; University of Sydney, 2025. [Google Scholar]
  5. Garrone, R. Proportionate cybersecurity for micro-SMEs: A governance design model under NIS2; Preprint; University of Milano-Bicocca, 2025. [Google Scholar]
  6. Mentzelou, K.; Chountalas, P. T.; Kitsios, F. C.; Magoutas, A. I.; Dasaklis, T. K. Identifying and modeling barriers to compliance with the NIS2 Directive: A DEMATEL approach. Journal of Cybersecurity and Privacy 2025, 5, 97. [Google Scholar] [CrossRef]
  7. Pimenta Rodrigues, G. A.; Marques Serrano, A. L.; Lopes Espiñeira Lemos, A. N.; Canedo, E. D.; Lopes de Mendonça, F. L. L.; de Oliveira Albuquerque, R.; Sandoval Orozco, A. L.; García Villalba, L. J. Understanding data breach from a global perspective: Incident visualization and data protection law review. Data 2024, 9(2), 27. [Google Scholar] [CrossRef]
  8. Rao, S. After the breach: Incident response within enterprises; Preprint; UC San Diego, 2024. [Google Scholar]
  9. Ruohonen, J. A systematic literature review on the NIS2 Directive; Preprint; University of Southern Denmark, 2024. [Google Scholar]
  10. Ruohonen, J.; Rindell, K.; Busetti, S. From cyber security incident management to cyber security crisis management in the European Union; Preprint; University of Southern Denmark, 2025. [Google Scholar]
  11. Seeba, M.; Valgre, M.; Matulevičius, R. Evaluating organization security: User stories of European Union NIS2 Directive. Proceedings of CAiSE 2025; Springer. Springer, 2025. [Google Scholar]
  12. Shelby, J. The UK Cyber Security and Resilience Bill: A practitioner's guide to legislative reform, compliance, and organisational readiness; Preprint; University of Oxford, 2025. [Google Scholar]
  13. Steen, F. A.; Assani Shabani, D. A NIS2 pan-European registry for identifying and classifying essential and important entities; arXiv:2508.19395; Kristiania University College, 2025. [Google Scholar]
  14. Zuiderveen Borgesius, F.; Asghari, H.; Bangma, N.; Hoepman, J.-H. The GDPR's rules on data breaches: Analysing their rationales and effects. SCRIPT-ed 2023, 20(2), 352–380. [Google Scholar] [CrossRef]
Figure 1. Decision flow for the reporting of cybersecurity incidents under the GDPR and the NIS2 Directive.
Figure 1. Decision flow for the reporting of cybersecurity incidents under the GDPR and the NIS2 Directive.
Preprints 218501 g001
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permit the free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.
Prerpints.org logo

Preprints.org is a free preprint server supported by MDPI in Basel, Switzerland.

Subscribe

© 2026 MDPI (Basel, Switzerland) unless otherwise stated

Accessibility

Disclaimer

Terms of Use

Privacy Policy

Privacy Settings