Under NIS2, the reporting timeline starts the moment you become aware of a significant incident — not when you have finished investigating it. The first deadline, an early-warning notification, lands at 24 hours. The teams that meet it calmly are the ones who designed the workflow long before the incident.
The 24-hour notification is not a full report. It is a short, honest heads-up to your national CSIRT or competent authority that something significant is underway. Treating it as a forensic write-up is the most common way to miss the window.
The reporting clock
NIS2 defines a staged timeline, each stage building on the last:
- Within 24 hours — an early warning: that a significant incident occurred, with an initial sense of cause and cross-border impact.
- Within 72 hours — an incident notification: an updated assessment, severity and indicators of compromise.
- Within one month — a final report: root cause, mitigation and lessons learned.
What counts as “significant”
You only owe a report for a significant incident — broadly, one that has caused or can cause serious operational disruption or financial loss, or that has affected others through considerable material or non-material damage. Translate that abstract test into your own concrete triggers in advance.
- A service your customers depend on is down or degraded beyond a set threshold.
- Confidentiality or integrity of important data is compromised.
- The incident is spreading, or has reached partners or customers.
Do not debate “is this significant?” mid-incident. Agree the quantitative triggers — downtime minutes, records affected, customers impacted — while everyone is calm, and write them into the runbook.
What the 24-hour warning needs
Keep it short and factual. The early warning should state, as far as you know at the time:
- That a significant incident has occurred, and when you became aware.
- A preliminary view of whether it may be unlawful or malicious.
- Whether it could have cross-border impact.
- Your initial assessment — explicitly flagged as preliminary and subject to change.
You are not penalised for an incomplete early warning. You are exposed for a silent one.
Build the workflow before you need it
At hour one, nobody should be asking who decides, who drafts, or where the authority’s portal is. Pre-wire it:
- One decision-maker empowered to declare a reportable incident, with a named deputy.
- A pre-filled contact list for your national CSIRT/authority and the submission channel.
- A standing template so drafting is filling blanks, not writing prose.
- A timestamped log capturing when you became aware — your clock starts there.
A reusable early-warning template
Hold a one-page template ready with these fields: incident reference, time of awareness, systems and services affected, suspected nature (malicious / unknown), potential cross-border impact, actions underway, and a named contact. Filling it should take minutes.
After the 24 hours
The early warning buys you room to investigate properly for the 72-hour update and the final report. Keep a clean, timestamped record of detection, decisions and actions throughout — the same evidence trail satisfies the later stages and any follow-up from the authority. A continuous evidence layer makes this a byproduct of how you operate, not a scramble.
Key takeaways
- The NIS2 clock starts at awareness: early warning in 24h, notification in 72h, final report in one month.
- The 24-hour warning is a brief heads-up, not a forensic report.
- Agree your “significant” thresholds before an incident, not during one.
- Pre-wire the decision-maker, contacts, template and timestamped log.
Want your incident workflow ready before you need it? Book a 30-minute demo and we will set up your NIS2 reporting flow together.
This article is general guidance, not legal advice. Verify obligations and deadlines for your organisation with qualified counsel.