NIS2’s incident reporting requirements introduce the tightest regulatory notification timeline in EU cybersecurity law to date. Article 23 requires in-scope entities to notify their national CSIRT (Computer Security Incident Response Team) or competent authority within 24 hours of becoming aware of a “significant incident” — an early warning that confirms something has happened and initiates the regulatory dialogue, before the full picture of the incident is known.
Meeting a 24-hour notification window requires operational readiness that most organisations have not built. This post explains what triggers the notification obligation and what the three-stage reporting process requires.
What Makes an Incident “Significant”
Not all incidents require NIS2 notification. Article 23 creates the obligation for “significant” incidents — defined by reference to criteria that include:
Incidents that cause or are capable of causing severe operational disruption or financial losses for the entity. Incidents that have affected or are capable of affecting other natural or legal persons by causing considerable material or non-material damage. Incidents affecting the continuity of essential services, the public safety or security of persons, or the functioning of critical networks and systems.
The implementing acts and guidance from ENISA and member state competent authorities will elaborate on these criteria with more specific thresholds. In practice, organisations should treat any incident that causes significant disruption to operations, involves material data loss or breach, or affects the delivery of services to a material number of customers as a candidate significant incident — and have a classification process that makes the significant/non-significant determination rapidly.
The Three-Stage Reporting Process
Early warning — within 24 hours of becoming aware of the significant incident. The early warning is not a comprehensive incident report — it confirms that an incident has occurred, provides an initial indication of whether the incident is suspected to involve unlawful or malicious acts, and notes whether the incident may have cross-border impact. The 24-hour clock starts from when the entity becomes aware — not from when the incident occurred or was confirmed as significant. Awareness is the trigger.
Incident notification — within 72 hours of becoming aware. The incident notification updates the early warning with an assessment of the incident — its severity and impact, indicators of compromise, and whether it is an ongoing incident. This is not yet the final report, but it requires a significantly more developed understanding of the incident than the early warning.
Final report — within one month of submitting the incident notification. The final report provides a full account: detailed incident description, type of threat or root cause, applied and ongoing mitigation measures, and cross-border impact where relevant.
Building a Reporting-Ready Incident Response Process
The 24-hour early warning requirement makes speed and classification accuracy the critical capabilities. An incident response process that is reporting-ready must include: clear criteria for classifying incidents as significant or non-significant, applied early in the incident response process; pre-identified contacts and channels for notifying the national CSIRT or competent authority; pre-approved early warning notification templates that can be populated quickly under incident conditions; and a defined escalation path that reaches the authorised notification decision-maker within the 24-hour window.
These capabilities must be tested — not designed on paper and assumed to work. A tabletop exercise that runs a significant incident scenario and tests the classification and notification process against the 24-hour clock is the only way to know whether the process works before you need it to.
At Bitsecura, we design and implement NIS2-compliant incident reporting processes and run the tabletop exercises that test them. If your incident response process is not currently designed to meet the NIS2 reporting timeline, reach out here.
Bitsecura provides NIS2 compliance consulting and cybersecurity services for essential and important entities. Learn more about our NIS2 services.