---
title: NIS2 Incident Typology Model Explained
description: "NIS2 incident typology model: condition, compromise, and affected systems classification. How to categorize incidents for CSIRT notification compliance."
canonical: https://www.aegister.com/en/cms/insights/nis2-incident-typology-model/
url: /en/cms/insights/nis2-incident-typology-model/
lang: en
---

![](/static/images/header-contact.webp)

# NIS2 Incident Typology Model: Condition, Compromise, and Affected Object

---

![NIS2 Incident Typology Model: Condition, Compromise, and Affected Object](/static/images/cms/nis2-requisiti-di-base.webp)

## NIS2 Incident Typology Model: Condition, Compromise, and Affected Object

February 10, 2026

[NIS2](/en/cms/keyword/nis2/)
[ACN](/en/cms/keyword/acn/)
[compliance](/en/cms/keyword/compliance/)
[CSIRT](/en/cms/keyword/csirt/)
+7

The ACN baseline guidance describes significant-incident typologies through a practical model built on three elements: condition, compromise, and object of compromise. This model helps organizations decide when notification obligations are triggered and how incidents should be classified consistently.

Sources: [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base), [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

## Key takeaways

- The typology model supports repeatable qualification of significant incidents.
- The triggering condition is linked to the entity having evidence of the incident.
- Compromise type and object of compromise determine how the event is framed in notification workflows.
- Details for each incident code are defined in official baseline documentation.

Sources: [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)

## Model components in practice

### 1. Condition

The condition is the circumstance that triggers notification obligations. In operational terms, this is tied to the moment the organization acquires evidence of a relevant incident.

### 2. Compromise

Compromise describes the nature of the security event (for example, loss of confidentiality, loss of integrity, or service-level violation, depending on the applicable typology).

### 3. Object of compromise

The object identifies what is impacted, such as data or service/network components, according to the incident typology in scope.

Sources: [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base), [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

## How to use the model in operations

| Step | Operational question | Expected output |
| --- | --- | --- |
| Evidence checkpoint | Do we have objective evidence of incident occurrence? | Timestamped evidence record |
| Typology mapping | Which compromise pattern applies? | Incident-type classification |
| Object identification | What asset/service/data set is affected? | Impact object statement |
| Decision support | Does the case meet notification criteria? | Escalation and notification decision |

Sources: [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)

## 90-day implementation checklist

1. Standardize incident records with explicit fields for condition, compromise, and object.
2. Align SOC/CSIRT triage to the typology model before escalation decisions.
3. Define evidence-quality criteria for "incident evidence acquired" checkpoints.
4. Run simulation drills to test consistent typology assignment across teams.
5. Maintain a decision log linking typology assessment to notification outcomes.

## FAQ

### Does the model replace technical investigation?

No. The model structures classification and notification decisions, while technical investigation remains necessary to determine scope and root causes. Source: [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)

### When does the notification clock start?

The timing references are tied to when the organization has evidence of a significant incident, as defined in official documentation. Source: [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)

### Where are code-level details (IS categories) defined?

Details are defined in the official call documentation and ACN baseline annexes. Source: [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

### Related guides in this series

- [confidentiality loss (IS-1)](/en/cms/insights/nis2-significant-incident-is-1-confidentiality-loss/)
- [integrity loss (IS-2)](/en/cms/insights/nis2-significant-incident-is-2-integrity-loss/)
- [service level violation (IS-3)](/en/cms/insights/nis2-significant-incident-is-3-service-level-violation/)

## Related reading

- [NIS2 baseline obligations in practice: master overview for governance, controls, and incident operations](/en/cms/insights/nis2-baseline-obligations-master-overview/)
- [NIS2 Article 25 in Practice: Incident Notification Obligations and Operating Timeline](/en/cms/insights/nis2-article-25-incident-notification/)
- [NIS2 Significant Incident IS-1: Confidentiality Loss Affecting Digital Data](/en/cms/insights/nis2-significant-incident-is-1-confidentiality-loss/)
- [Aegister NIS2 Compliance Service](/en/solutions/compliance/nis2/)

## Official sources

- [ACN - Guide to reading baseline specifications](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)
- [ACN - Baseline obligations determination and annexes](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

Share this post

## Related News

[![NIS2 Point of Contact and CSIRT Contact Role: Accountability and Operating Duties](/static/images/cms/nis2-requisiti-di-base.webp)](/en/cms/insights/nis2-point-of-contact-csirt-role-accountability/)

[NIS2 Point of Contact and CSIRT Contact Role: Accountability and Operating Duties](/en/cms/insights/nis2-point-of-contact-csirt-role-accountability/)

[NIS2 implementation guidance distinguishes the legal Point of Contact from the operational CSIRT contact role. Practical guide to role formalization, substitute model, competence mapping, and audit-ready evidence.](/en/cms/insights/nis2-point-of-contact-csirt-role-accountability/)

[NIS2](/en/cms/keyword/nis2/)
[ACN](/en/cms/keyword/acn/)
+10

[![NIS2 Significant Incident IS-3: Violation of Expected Service Levels](/static/images/cms/nis2-requisiti-di-base.webp)](/en/cms/insights/nis2-significant-incident-is-3-service-level-violation/)

[NIS2 Significant Incident IS-3: Violation of Expected Service Levels](/en/cms/insights/nis2-significant-incident-is-3-service-level-violation/)

[IS-3 in the ACN baseline model covers service-level violation incidents affecting entity services and activities. Practical guide to qualification, service-impact mapping, and escalation workflow.](/en/cms/insights/nis2-significant-incident-is-3-service-level-violation/)

[NIS2](/en/cms/keyword/nis2/)
[ACN](/en/cms/keyword/acn/)
+10

[![NIS2 Significant Incident IS-2: Integrity Loss Affecting Digital Data](/static/images/cms/nis2-requisiti-di-base.webp)](/en/cms/insights/nis2-significant-incident-is-2-integrity-loss/)

[NIS2 Significant Incident IS-2: Integrity Loss Affecting Digital Data](/en/cms/insights/nis2-significant-incident-is-2-integrity-loss/)

[IS-2 in the ACN baseline model covers integrity loss affecting digital data under entity ownership or control. Practical guide to qualification, evidence capture, and escalation workflow.](/en/cms/insights/nis2-significant-incident-is-2-integrity-loss/)

[NIS2](/en/cms/keyword/nis2/)
[ACN](/en/cms/keyword/acn/)
+9

### NIS 2 Compliance with Aegister

Complete solutions for NIS 2 Directive compliance: expert consulting, implementation and ongoing support.

[Discover](/en/solutions/compliance/nis2/)