NIS 2 Incident Reporting Requirements: 24h, 72h, and 1-Month Deadlines Explained

NIS 2 introduces one of the most demanding incident reporting frameworks in cybersecurity regulation. Organizations must issue an early warning within 24 hours, a detailed notification within 72 hours, and a comprehensive final report within one month of becoming aware of a significant incident. Missing these deadlines can result in penalties on top of the incident itself. This guide breaks down each reporting phase, what constitutes a significant incident, and how to build an incident reporting process that meets NIS 2 requirements.

What Constitutes a Significant Incident Under NIS 2

Not every security event triggers NIS 2 reporting obligations. Article 23 defines a significant incident as one that has caused or is capable of causing severe operational disruption of services or financial loss for the entity concerned, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. Organizations must establish internal criteria for classifying incidents as significant, considering factors such as the number of users affected, the duration of the incident, the geographic spread, the extent of disruption to the service, and the impact on economic and societal activities. Cyber threats that have not yet materialized as incidents but could potentially cause significant harm may also trigger reporting obligations under certain circumstances. Organizations should err on the side of reporting when in doubt, as failure to report a significant incident carries greater regulatory risk than reporting an event that ultimately proves less severe.
  • Significant incidents must cause or be capable of causing severe operational disruption or financial loss
  • Classification considers user impact, duration, geographic spread, and disruption extent
  • Potential threats that could cause significant harm may also trigger reporting
  • Organizations should err on the side of reporting when significance is uncertain
  • Internal criteria for significance classification must be documented and consistently applied

Phase 1: Early Warning Within 24 Hours

The first reporting phase requires an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident. The early warning must indicate whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact. This phase is intentionally lightweight — its purpose is to alert authorities quickly so they can assess whether coordination or assistance is needed. The early warning does not require a full investigation or root cause analysis. Organizations should have pre-drafted early warning templates that can be completed rapidly, designated personnel authorized to submit early warnings (available 24/7), clear internal escalation procedures that route potential significant incidents to authorized reporters, and established communication channels with the relevant national CSIRT or competent authority. The 24-hour clock starts when the organization becomes aware of the significant incident, not when the incident occurred. However, organizations cannot unreasonably delay becoming aware by neglecting monitoring and detection capabilities.
  • Early warning must be submitted within 24 hours of becoming aware of a significant incident
  • Must indicate if the incident is suspected malicious and if it could have cross-border impact
  • The early warning is intentionally lightweight — full investigation is not required at this stage
  • Pre-drafted templates and 24/7 authorized reporters are essential for meeting the deadline
  • The clock starts at awareness, not occurrence, but organizations cannot neglect detection

Phase 2: Incident Notification Within 72 Hours

The second reporting phase requires an incident notification within 72 hours of becoming aware of the significant incident. This notification must update or replace the early warning and provide an initial assessment of the incident, including its severity and impact, along with indicators of compromise where available and any mitigation measures taken or underway. The 72-hour notification requires more substance than the early warning but still does not demand a complete root cause analysis, which may take weeks or months for complex incidents. Organizations should focus on providing actionable information that helps authorities understand the scope and potential impact. If additional information becomes available between the early warning and the 72-hour notification, it should be included. If the incident is ongoing at the 72-hour mark, the notification should describe the current state and expected resolution timeline. For incidents suspected to involve criminal activity, the notification should also be shared with law enforcement authorities as designated by the member state.
  • Incident notification must be submitted within 72 hours of awareness
  • Must include initial severity assessment, indicators of compromise, and mitigation measures
  • Full root cause analysis is not required at this stage
  • If the incident is ongoing, describe current state and expected resolution timeline
  • Criminal incidents should also be reported to designated law enforcement authorities

Phase 3: Final Report Within One Month

The final report must be submitted within one month of the incident notification (not one month from the incident itself). If the incident is still ongoing at the one-month mark, organizations must submit a progress report at that time and a final report within one month of handling the incident. The final report must contain a detailed description of the incident including its severity and impact, the type of threat or root cause that is likely to have triggered the incident, applied and ongoing mitigation measures, and where applicable, the cross-border impact of the incident. The final report should demonstrate thorough investigation and analysis. It should include a timeline of the incident from detection through resolution, technical details of the attack vector or root cause, a complete assessment of impact on services and affected parties, lessons learned, and planned improvements to prevent recurrence. This report serves as the definitive record of the incident and may be used by authorities for statistical analysis, trend identification, and policy development.
  • Final report due within one month of the incident notification submission
  • If the incident is ongoing, submit a progress report at one month and final report after resolution
  • Must include detailed description, root cause, mitigation measures, and cross-border impact
  • Should include incident timeline, technical details, impact assessment, and lessons learned
  • The final report serves as the definitive record and may inform regulatory policy development

Building an NIS 2-Compliant Reporting Process

Meeting NIS 2 reporting deadlines requires a well-designed process with clear roles and pre-built tooling. Start by establishing a 24/7 incident detection and classification capability that can identify significant incidents quickly. Define internal escalation procedures with specific time targets: security teams should classify incident significance within 2-4 hours, leaving sufficient time for the early warning preparation and submission within the 24-hour deadline. Create report templates for each phase pre-populated with organizational information, regulatory references, and structured fields for incident details. Designate primary and backup reporters authorized to communicate with national authorities and ensure they have current contact information for the relevant CSIRT and competent authority. Conduct tabletop exercises at least twice annually that simulate the full three-phase reporting cycle under realistic time pressure. Integrate reporting obligations into your incident response plan so that evidence collection, timeline documentation, and impact assessment happen in parallel with containment and remediation rather than as afterthoughts.
  • Establish 24/7 incident detection with internal escalation targets well within NIS 2 deadlines
  • Create pre-populated report templates for each of the three reporting phases
  • Designate primary and backup reporters with current authority contact information
  • Conduct tabletop exercises at least twice annually simulating the full reporting cycle
  • Integrate reporting into incident response so evidence collection happens alongside remediation

Coordination with Other Reporting Obligations

Organizations subject to NIS 2 may also have reporting obligations under other frameworks. GDPR requires notification to supervisory authorities within 72 hours for personal data breaches. The Digital Operational Resilience Act (DORA) imposes incident reporting for financial entities. Sector-specific regulations in energy, telecommunications, and other domains may have their own reporting requirements. Organizations must map all applicable reporting obligations and design processes that satisfy multiple frameworks simultaneously. In practice, this means a single incident may require reports to the national CSIRT under NIS 2, the Data Protection Authority under GDPR, a sector-specific regulator, and law enforcement if criminal activity is suspected. Using a single incident record that captures all required data fields across frameworks prevents duplication and ensures consistency. Member states are encouraged to establish single reporting portals to reduce the burden on organizations, but this integration is not yet universal.
  • Map all applicable reporting obligations across NIS 2, GDPR, DORA, and sector regulations
  • Design processes that satisfy multiple reporting frameworks from a single incident record
  • A single incident may require reports to CSIRT, DPA, sector regulators, and law enforcement
  • Consistent incident records prevent contradictions across multiple regulatory reports
  • Monitor member state developments for potential single reporting portal availability

Key Takeaways

  • NIS 2 incident reporting follows a three-phase timeline: 24-hour early warning, 72-hour notification, and one-month final report
  • Significant incidents are those causing or capable of causing severe operational disruption or financial loss
  • Pre-built templates, designated reporters, and regular tabletop exercises are essential for meeting deadlines
  • The 24-hour clock starts at awareness, not incident occurrence, but detection cannot be neglected
  • Organizations must coordinate NIS 2 reporting with GDPR, DORA, and sector-specific obligations

Frequently Asked Questions

What happens if I miss the 24-hour early warning deadline?

Missing NIS 2 reporting deadlines can result in administrative fines and other enforcement measures. Competent authorities consider the severity and circumstances when determining penalties. Even if you miss the 24-hour deadline, submit the early warning as soon as possible — late reporting is better than no reporting, and demonstrating good faith efforts can mitigate penalties.

Do I report to my national CSIRT or competent authority?

This depends on how your member state has transposed NIS 2. Some member states designate the CSIRT as the primary recipient, others designate sector-specific competent authorities, and some establish a single reporting point. Check your national transposition law for the correct reporting channel. In many cases, ENISA provides a directory of national reporting contacts.

What if I am not sure whether an incident is significant?

When in doubt, report. The early warning is intentionally lightweight, and submitting an early warning for an incident that ultimately proves less severe carries minimal regulatory risk. Failing to report a significant incident, however, can result in substantial penalties. Your internal classification criteria should include a presumption of significance for incidents affecting critical services.

Can I submit combined reports for NIS 2 and GDPR?

Some member states are working toward single reporting portals that accept combined notifications. However, NIS 2 and GDPR reports go to different authorities (CSIRT/competent authority versus Data Protection Authority) and have different requirements. For now, organizations should prepare separate reports but use a single internal incident record to ensure consistency across submissions.

How should I handle cross-border incidents?

If a significant incident has cross-border impact, you must indicate this in the early warning. The national CSIRT will coordinate with CSIRTs in affected member states through the CSIRTs Network. You are required to report to the authorities in the member state where your main establishment is located (or where your representative is designated for non-EU entities).

Does the one-month final report deadline extend if the incident is still ongoing?

Yes. If the incident is still being handled at the one-month mark, you must submit a progress report at that time and then submit a final report within one month after the incident handling is complete. This prevents organizations from being forced to submit incomplete final reports for complex, long-running incidents.
