Publication date: February 2, 2026
According to an analysis by lawyers from KG LEGAL KIELTYKA GLADKOWSKI, the legal concepts of incident and cyberattack are key elements of the EU cybersecurity and data protection law ecosystem. Because cybersecurity law is fragmented across various sectoral legal acts, the coherence of all the acts making up this ecosystem has to be analysed as a whole. This article shows that the legal layer of cybersecurity in an incident is a highly sensitive issue from the perspective of the responsibility to protect, so responsible entities should examine the differences in the scope of application of the individual acts. These concepts are intuitively understood, but in legal practice they are only superficially identical and lead to different regulatory obligations. The following summary is original and creative and can be used by entities to properly analyse their obligations under current EU law.
INCIDENT vs. CYBERATTACK
| Legal act | INCIDENT | CYBER ATTACK | References |
|---|---|---|---|
| Act of 5 July 2018 on the national cybersecurity system (Journal of Laws of 2024, item 1077, as amended). | Article 2 5) incident – an event that has or may have an adverse impact on cybersecurity; 6) critical incident – an incident resulting in significant damage to public security or order, international interests, economic interests, the operation of public institutions, civil rights and freedoms or human life and health, classified by the appropriate CSIRT MON, CSIRT NASK or CSIRT GOV; 7) serious incident – an incident that causes or may cause a serious reduction in the quality or interruption of the continuity of the provision of a key service; 8) significant incident – an incident that has a significant impact on the provision of a digital service within the meaning of ARTICLE 4 OF COMMISSION IMPLEMENTING REGULATION (EU) 2018/151 OF 30 JANUARY 2018 laying down rules for the application of Directive (EU) 2016/1148 of the European Parliament and of the Council with regard to further specifying the elements to be taken into account by digital service providers in managing existing risks to the security of network and information systems and the parameters for determining whether an incident has a significant impact (OJ EU L 26, 31.01.2018, p. 48), hereinafter referred to as “Implementing Regulation 2018/151”; 9) incident in a public entity – an incident that causes or may cause a reduction in the quality or interruption of the implementation of a public task carried out by a public entity referred to in Art. 4 points 7-15; 10) incident handling – activities enabling detection, recording, analysis, classification, prioritization, taking corrective actions and limiting the effects of an incident; | NO DEFINITION OF CYBER ATTACK | Significant incident – reference to Implementing Regulation 2018/151, which has become null and void. |
| Act of 2 December 2021 on special rules for remunerating persons performing tasks in the field of cybersecurity (Journal of Laws of 2024, item 1662) | No definition | No definition | |
| Act of 24 May 2002 on the Internal Security Agency and the Foreign Intelligence Agency (Journal of Laws of 2024, item 812, as amended). | No definition | No definition | |
| Act of 26 April 2007 on crisis management (Journal of Laws of 2023, item 122, as amended). | No definition | No definition | |
| UN Regulation No. 155 – Uniform provisions concerning the approval of vehicles with regard to cybersecurity and their safety management system [2021/387] (OJ EU L 82, 2021, p. 30). | No definition | No definition | |
| Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 concerning measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 2022, p. 80). | Article 6 (6) “incident” means an event that compromises the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or services offered by or accessible through networks and information systems; (7) “large-scale cybersecurity incident” means an incident that causes a level of disruption that exceeds the capacity of a Member State to respond to it or that has a significant impact in two or more Member States; | No definition | Cyber Solidarity Act – “incident”, “large-scale cybersecurity incident”; Regulation 2019/881 – “incident”, “large-scale cybersecurity incident”; Commission Implementing Regulation 2024/2690 |
| Regulation (EU) 2025/38 of the European Parliament and of the Council of 19 December 2024 on establishing measures to enhance solidarity and capacity in the Union to detect, prepare for and respond to cyber threats and incidents and amending Regulation (EU) 2021/694 (Cyber Solidarity Act) (OJ L 38, 2025, item 38, as amended). | Article 2 (9) “incident” means an incident as defined in point 6 of Article 6 of Directive (EU) 2022/2555; (10) “major cybersecurity incident” means an incident meeting the criteria set out in Article 23(3) of Directive (EU) 2022/2555; (11) “serious incident” means a serious incident as defined in point 8 of Article 3 of Regulation (EU, Euratom) 2023/2841 of the European Parliament and of the Council; (12) “large-scale cybersecurity incident” means a large-scale cybersecurity incident as defined in point (7) of Article 6 of Directive (EU) 2022/2555; (13) “incident equivalent to a large-scale cybersecurity incident” means, in the case of Union institutions, bodies, offices and agencies, a major incident and, in the case of third countries associated to the Digital Europe programme, an incident that causes a level of disruption that exceeds the response capacity of the third country associated to the Digital Europe programme; | No definition | |
| Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and information and communication technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 2019, p. 15, as amended). | “incident” means an incident as defined in Article 4(7) of Directive (EU) 2016/1148 (repealed; that definition read: “incident” means any event that has a real adverse impact on the security of networks and information systems). | No definition | |
| Regulation (EU, Euratom) 2023/2841 of the European Parliament and of the Council of 13 December 2023 laying down measures for a high common level of cybersecurity in the Union institutions, bodies, offices and agencies (OJ L 2841, 2023). | Article 3 (7) “incident” means an incident as defined in point 6 of Article 6 of Directive (EU) 2022/2555; (8) “major incident” means an incident that causes disruption beyond the response capacity of a Union entity and CERT-EU or that has a significant impact on two or more Union entities; (9) “large-scale cybersecurity incident” means a large-scale cybersecurity incident as defined in point (7) of Article 6 of Directive (EU) 2022/2555; | No definition | Cyber Solidarity Act – “serious incident” |
| Regulation (EU) 2021/887 of the European Parliament and of the Council of 20 May 2021 establishing the European Cybersecurity Industrial, Technological and Research Competence Centre and the Network of National Coordination Centres (OJ L 2021, No. 202, p. 1). | No definition | No definition | |
| Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience of the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (DORA) (OJ EU L 333, 2022, p. 1, as amended). | Article 3 (8) “ICT incident” means a single event or a series of related events, unplanned by a given financial entity, that compromises the security of networks and information systems and has a negative impact on the availability, authenticity, integrity or confidentiality of data or on the services provided by that financial entity; (9) “payment-related operational or security incident” means an event or series of related events, unplanned by the financial entities referred to in points (a) to (d) of Article 2(1), whether ICT-related or not, that has a negative impact on the availability, authenticity, integrity or confidentiality of payment-related data or on the payment-related services provided by the financial entity; (10) “major ICT incident” means an ICT incident with a significant negative impact on networks and information systems that support critical or important functions of a financial entity; (11) “major operational or security incident related to payments” means an operational or security incident related to payments with a significant negative impact on the provision of payment services; | Article 3 (14) “cyber attack” means a malicious ICT incident triggered by an attempt by any attacker to destroy, disclose, alter, deactivate, steal or gain unauthorised access to or use of a resource; | Commission Delegated Regulation (EU) 2024/1366 – “cyber-attack” |
| Regulation (EU) 2021/694 of the European Parliament and of the Council of 29 April 2021 establishing the Digital Europe programme and repealing Decision (EU) 2015/2240 (Text with EEC relevance) (OJ L 166, 2021, p. 1, as amended). | No definition | No definition | |
| Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures to combat cyberattacks threatening the Union or its Member States (OJ L 129, 2019, item 129, as amended). | No definition | Article 1 1. This Decision applies to cyber-attacks with a significant effect, including attempted cyber-attacks with a potential significant effect, which constitute an external threat to the Union or its Member States. 2. Cyberattacks that constitute an external threat include cyberattacks that: (a) were prepared outside the territory of the Union or are carried out outside the territory of the Union; (b) use infrastructure located outside the territory of the Union; (c) are carried out by a natural or legal person, entity or body established or operating outside the Union; or (d) are carried out with the support, at the direction or under the control of a natural or legal person, entity or body operating outside the territory of the Union. 3. Therefore, cyberattacks are activities that include at least one of the following elements: (a) access to information systems; (b) interference with information systems; (c) interference with data; or (d) data capture, and provided that such activities are not duly authorised by the owner or any other entity having rights to the system or data or parts thereof or are not permitted under the law of the Union or the Member State concerned. 4. Cyber attacks posing a threat to Member States include cyber attacks on information systems related to, inter alia: (a) critical infrastructure – including submarine cables and objects launched into space – that is essential for maintaining essential societal functions or the health, safety, security and material or social well-being of people; (b) services essential for maintaining basic social or economic activities, in particular in the energy sector (electricity, oil and gas), transport (air, rail, water and road), banking, financial market infrastructures, health (healthcare centres, hospitals and private clinics), drinking water supply and distribution, digital infrastructure, and any other sector that is critical to the Member State concerned; (c) critical state functions, in particular in the areas of defence, management and functioning of institutions, including national elections or the voting process, the functioning of economic and civilian infrastructure, internal security and external relations, including through diplomatic missions; (d) storing or processing classified information; or (e) government crisis response teams. 5. Cyber-attacks constituting a threat to the Union include cyber-attacks conducted against its institutions, bodies, offices and agencies, its delegations in third countries or international organisations, its Common Security and Defence Policy (CSDP) operations and missions and its Special Representatives. 6. Where deemed necessary to achieve the objectives of the CFSP as defined in the relevant provisions of Article 21 of the Treaty on European Union, restrictive measures under this Decision may also be applied in response to cyber-attacks against third States or international organisations with a significant effect. | |
| Commission Implementing Regulation (EU) 2024/3143 of 18 December 2024 establishing the circumstances, formats and procedures for notification pursuant to Article 61(5) of Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity ) and information and communication technology cybersecurity certification (OJ L 3143, 2024). | No definition | No definition | |
| Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council with regard to the adoption of a European cybersecurity certification scheme based on common criteria (EUCC) (OJ EU L 2024, item 482, as amended). | No definition | No definition | |
| Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down rules for the application of Directive (EU) 2022/2555 with regard to technical and methodological requirements for cybersecurity risk management measures and further specifying the cases in which an incident is considered to be serious in relation to DNS service providers, TLD name registries, cloud service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines and social networking platforms, and trust service providers (OJ L 2690, 2024). | Article 3 Serious incidents 1. An incident shall be considered serious for the purposes of Article 23(3) of Directive (EU) 2022/2555 in relation to the relevant entities where at least one of the following criteria is met: (a) the incident has caused or is likely to cause a financial loss to the relevant entity that exceeds EUR 500 000 or 5% of the total annual turnover of the relevant entity in the preceding financial year, whichever is lower; (b) the incident has caused or may cause a leak of trade secrets, as defined in point 1 of Article 2 of Directive (EU) 2016/943, of the relevant entity; (c) the incident has caused or may cause the death of an individual; (d) the incident has caused or is likely to cause significant harm to the health of a natural person; (e) there has been effective, possibly malicious and unauthorised access to networks and information systems that may cause significant operational disruptions; (f) the incident meets the criteria set out in Article 4; (g) the incident meets at least one of the criteria set out in Articles 5-14. 2. Planned service interruptions and planned consequences of planned maintenance work carried out by or on behalf of relevant entities shall not be considered major incidents. 3. When calculating the number of users affected by an incident for the purposes of Article 7 and Articles 9 to 14, the relevant entities shall take into account all of the following: (a) the number of customers who have concluded an agreement with the relevant entity granting them access to the networks and information systems of the relevant entity or to the services offered by or accessible through those networks and information systems; (b) the number of natural and legal persons associated with business customers who use the entities’ networks and information systems or the services offered by or accessible through these networks and information systems. Article 4 Recurring incidents Incidents that are not individually considered a serious incident within the meaning of Article 3 shall be considered collectively as a single serious incident if they meet all of the following criteria: (a) occurred at least twice within six months; (b) have the same apparent root cause; (c) they cumulatively meet the criteria set out in Article 3(1)(a). | No definition | |
| Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the amount of supervisory fees charged by the lead supervisory authority to key external ICT service providers and the manner of payment of those fees (OJ L 1505, 2024). | No definition | No definition | |
| Commission Delegated Regulation (EU) 2024/1366 of 11 March 2024 supplementing Regulation (EU) 2019/943 of the European Parliament and of the Council by establishing a network code on sectoral rules on cybersecurity aspects of cross-border flows of electricity (OJ L 1366, 2024, item 1366, as amended). | No definition | Art. 3 (11) “cyber-attack” means an incident as defined in point 14 of Article 3 of Regulation (EU) 2022/2554; | |
| Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, the severity thresholds and details for reporting major incidents (OJ L 1772, 2024). | No definition | No definition | |
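The financial-loss criterion of Article 3(1)(a) and the recurrence rule of Article 4 of Implementing Regulation 2024/2690 (see the 2024/2690 row above) are the two parts of the "serious incident" test that an incident-register tool can evaluate mechanically. The following is an added illustration written for this page, not code from the regulation, the law firm or any project: it assumes "six months" can be approximated as 183 days, that the "apparent root cause" is recorded as a normalised label, and models only criterion (a) (the remaining criteria are qualitative); the incidents, turnover and loss figures are constructed.

```python
"""Serious-incident test under Impl. Reg. (EU) 2024/2690, Art. 3(1)(a) and Art. 4 (illustration)."""
from dataclasses import dataclass
from datetime import date, timedelta

LOSS_ABS_EUR = 500_000            # Art. 3(1)(a): absolute threshold
LOSS_TURNOVER_SHARE = 0.05        # Art. 3(1)(a): 5 % of preceding-year turnover
RECURRENCE_WINDOW = timedelta(days=183)   # assumption: "six months" taken as 183 days
RECURRENCE_MIN_COUNT = 2          # Art. 4(a): at least twice


@dataclass(frozen=True)
class Incident:
    ident: str
    occurred: date
    root_cause: str        # assumption: apparent root cause already normalised to a label
    loss_eur: float        # financial loss caused or likely to be caused
    planned: bool = False  # Art. 3(2): planned maintenance consequences are excluded


def loss_threshold(annual_turnover_eur):
    """Art. 3(1)(a): EUR 500 000 or 5 % of turnover, whichever is lower."""
    return min(LOSS_ABS_EUR, LOSS_TURNOVER_SHARE * annual_turnover_eur)


def is_serious_by_loss(inc, annual_turnover_eur):
    """Individual test; planned interruptions never qualify (Art. 3(2))."""
    return not inc.planned and inc.loss_eur > loss_threshold(annual_turnover_eur)


def recurring_groups(incidents, annual_turnover_eur):
    """Art. 4: non-serious incidents with the same root cause, at least two inside one
    window, whose cumulative loss exceeds the Art. 3(1)(a) threshold. Returns the first
    qualifying window per root cause as (root_cause, tuple_of_idents)."""
    threshold = loss_threshold(annual_turnover_eur)
    by_cause = {}
    for inc in incidents:
        if not inc.planned and not is_serious_by_loss(inc, annual_turnover_eur):
            by_cause.setdefault(inc.root_cause, []).append(inc)
    groups = []
    for cause, items in by_cause.items():
        items.sort(key=lambda i: i.occurred)
        for start in range(len(items)):  # slide a window anchored at each incident
            anchor = items[start].occurred
            window = [i for i in items[start:] if i.occurred - anchor <= RECURRENCE_WINDOW]
            if len(window) >= RECURRENCE_MIN_COUNT and sum(i.loss_eur for i in window) > threshold:
                groups.append((cause, tuple(i.ident for i in window)))
                break
    return groups


def classify(incidents, annual_turnover_eur):
    """Split a register into individually serious incidents and Art. 4 aggregates."""
    serious = [i.ident for i in incidents if is_serious_by_loss(i, annual_turnover_eur)]
    return {"serious": serious, "recurring": recurring_groups(incidents, annual_turnover_eur)}


# Constructed sample register for an entity with EUR 4 million turnover (threshold: EUR 200 000).
SAMPLE = [
    Incident("A", date(2025, 1, 10), "phishing-creds", 250_000),          # serious on its own
    Incident("B", date(2025, 2, 1), "dns-misconfig", 90_000),
    Incident("C", date(2025, 4, 15), "dns-misconfig", 80_000),
    Incident("D", date(2025, 6, 20), "dns-misconfig", 50_000),            # B+C+D = 220 000 within 139 days
    Incident("E", date(2025, 3, 1), "maintenance", 300_000, planned=True),  # excluded by Art. 3(2)
    Incident("F", date(2024, 5, 1), "dns-misconfig", 150_000),            # same cause, outside the window
]
```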