NIS2 · Article

Designing a 24-hour incident report

NIS2 puts a clock on you the moment a significant incident is detected. The early-warning notification is due within 24 hours — here is what regulators expect, and how to build...

Under NIS2, the reporting timeline starts the moment you become aware of a significant incident — not when you have finished investigating it. The first deadline, an early-warning notification, lands at 24 hours. The teams that meet it calmly are the ones who designed the workflow long before the incident.

The 24-hour notification is not a full report. It is a short, honest heads-up to your national CSIRT or competent authority that something significant is underway. Treating it as a forensic write-up is the most common way to miss the window.

The reporting clock

NIS2 defines a staged timeline, each stage building on the last:

  1. Within 24 hours — an early warning: that a significant incident occurred, with an initial sense of cause and cross-border impact.
  2. Within 72 hours — an incident notification: an updated assessment, severity and indicators of compromise.
  3. Within one month — a final report: root cause, mitigation and lessons learned.
”The clock starts at awareness, not at resolution. Your job at hour one is to notify, not to explain.”

What counts as “significant”

You only owe a report for a significant incident — broadly, one that has caused or can cause serious operational disruption or financial loss, or that has affected others through considerable material or non-material damage. Translate that abstract test into your own concrete triggers in advance.

  • A service your customers depend on is down or degraded beyond a set threshold.
  • Confidentiality or integrity of important data is compromised.
  • The incident is spreading, or has reached partners or customers.
Decide thresholds now

Do not debate “is this significant?” mid-incident. Agree the quantitative triggers — downtime minutes, records affected, customers impacted — while everyone is calm, and write them into the runbook.

What the 24-hour warning needs

Keep it short and factual. The early warning should state, as far as you know at the time:

  • That a significant incident has occurred, and when you became aware.
  • A preliminary view of whether it may be unlawful or malicious.
  • Whether it could have cross-border impact.
  • Your initial assessment — explicitly flagged as preliminary and subject to change.

You are not penalised for an incomplete early warning. You are exposed for a silent one.

Build the workflow before you need it

At hour one, nobody should be asking who decides, who drafts, or where the authority’s portal is. Pre-wire it:

  • One decision-maker empowered to declare a reportable incident, with a named deputy.
  • A pre-filled contact list for your national CSIRT/authority and the submission channel.
  • A standing template so drafting is filling blanks, not writing prose.
  • A timestamped log capturing when you became aware — your clock starts there.

A reusable early-warning template

Hold a one-page template ready with these fields: incident reference, time of awareness, systems and services affected, suspected nature (malicious / unknown), potential cross-border impact, actions underway, and a named contact. Filling it should take minutes.

After the 24 hours

The early warning buys you room to investigate properly for the 72-hour update and the final report. Keep a clean, timestamped record of detection, decisions and actions throughout — the same evidence trail satisfies the later stages and any follow-up from the authority. A continuous evidence layer makes this a byproduct of how you operate, not a scramble.

Key takeaways

  • The NIS2 clock starts at awareness: early warning in 24h, notification in 72h, final report in one month.
  • The 24-hour warning is a brief heads-up, not a forensic report.
  • Agree your “significant” thresholds before an incident, not during one.
  • Pre-wire the decision-maker, contacts, template and timestamped log.

Want your incident workflow ready before you need it? Book a 30-minute demo and we will set up your NIS2 reporting flow together.

This article is general guidance, not legal advice. Verify obligations and deadlines for your organisation with qualified counsel.

NIS2Incident responseReporting
Put it into practice

Be ready before
the clock starts

Book a 30-minute demo and we will set up your NIS2 incident-reporting workflow — template, contacts and timestamped log included.