Since 2016, it has been mandatory for government agencies to report serious IT incidents to MSB. During the years 2016-2018, one third of the agencies reported IT incidents, which MSB estimates is an under-reporting. This study examines reasons why agencies do not report IT incidents and why they do not report IT incidents originating from criminal acts to the police. Through a survey directed to all reporting agencies, the study gathered information about the agencies' prerequisites for IT incident reporting as well as their own assessment of potential reasons for not reporting to MSB or the police. The analysis of the survey data shows that there is no single reason to explain the low reporting rates. The current situation is instead due to several factors that, individually and in collaboration, contribute to the failure of reporting. Some factors that emerge are; lack of internal routines for identifying IT incidents and routines for the transmission of classified information; high workload; difficulties in assessing the severity of incidents; lack of feedback from MSB; and lack of knowledge regarding reporting obligations. Factors for not reporting to the police are, above all, difficulties in assessing the severity; non-established routines for reporting to the police; and low perceived benefit of reporting to the police. The government agencies are not a homogeneous group. Therefore, not all the reasons behind the failure to report IT incidents are relevant to the same extent to all agencies.