The NIS Directive aims to increase the overall level of cyber security in the EU and establishes a mandatory reporting regime for operators of essential services and digital service providers. While this reporting has attracted much attention, both in society at large and in the scientific community, the non-public nature of reports has led to a lack of empirically based research. This paper uses the unique set of all the mandatory NIS reports in Sweden in 2020 to shed light on incident costs. The costs reported exhibit large variability and skewed distributions, where a single or a few higher values push the average upwards. Numerical values are in the range of tens to hundreds of kSEK per incident. The most common incident causes are malfunctions and mistakes, whereas attacks are rare. No operators funded their incident costs using loans or insurance. Even though the reporting is mandated by law, operator cost estimates are incomplete and sometimes difficult to interpret, calling for additional assistance and training of operators to make the data more useful.