NIS 2 Incident Reporting: Timelines and Obligations
One of the most significant changes in NIS 2 compared to the original directive is the introduction of a strict, multi-stage incident reporting framework. Organizations must report significant cybersecurity incidents to their national Computer Security Incident Response Team (CSIRT) or competent authority within specific timeframes. Understanding these obligations is essential for compliance.
Key Takeaways
| Point | Summary |
|---|---|
| Early warning | Within 24 hours of becoming aware of a significant incident |
| Incident notification | Within 72 hours with an updated assessment |
| Final report | Within one month of the incident notification |
| Who to notify | National CSIRT or competent authority |
| Applies to | Both essential and important entities |
Quick Answer: NIS 2 requires a three-stage incident reporting process: early warning within 24 hours, incident notification within 72 hours, and a final report within one month. These timelines apply to both essential and important entities for any significant incident.
What is a Significant Incident?
Not every cybersecurity event triggers reporting obligations. NIS 2 defines a "significant incident" as one that:
- Has caused or is capable of causing severe operational disruption of services or financial loss for the entity
- Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage
| Incident Type | Likely Significant | Likely Not Significant |
|---|---|---|
| Ransomware attack affecting operations | Yes | - |
| Data breach exposing customer data | Yes | - |
| DDoS attack disrupting services for hours | Yes | - |
| Routine malware blocked by antivirus | - | Yes |
| Failed login attempts | - | Yes |
| Minor configuration error quickly fixed | - | Yes |
| Supply chain compromise affecting services | Yes | - |
The determination of significance should consider both the immediate impact and the potential consequences if the incident were to escalate.
The Three-Stage Reporting Process
Stage 1: Early Warning (Within 24 Hours)
The early warning must be submitted to the competent authority or CSIRT within 24 hours of becoming aware of the significant incident.
Required content:
- Indication that a significant incident has occurred
- Whether the incident is suspected to be caused by unlawful or malicious acts
- Whether the incident could have a cross-border impact
Purpose: This initial notification alerts authorities quickly so they can coordinate response efforts and warn other potentially affected entities. It does not require a detailed analysis at this stage.
For incidents involving unlawful or malicious acts, the early warning should also indicate this to enable potential law enforcement engagement.
Stage 2: Incident Notification (Within 72 Hours)
Within 72 hours of becoming aware of the incident, the entity must submit an updated notification.
Required content:
- Update on the information provided in the early warning
- Initial assessment of the incident, including its severity and impact
- Indicators of compromise, where available
Purpose: This provides authorities with a clearer picture of the incident's scope and impact, enabling more effective coordination and support.
Stage 3: Final Report (Within One Month)
Within one month of the incident notification, the entity must submit a detailed final report.
Required content:
- Detailed description of the incident, including its severity and impact
- The type of threat or root cause that likely triggered the incident
- Applied and ongoing mitigation measures
- Where applicable, the cross-border impact of the incident
Purpose: This comprehensive report supports post-incident analysis, helps improve sector-wide security, and enables authorities to assess the entity's response and compliance.
Intermediate Reports
If the incident is still ongoing at the time the final report is due, the entity must provide:
- A progress report at the one-month deadline
- A final report within one month of incident resolution
Reporting Timeline Summary
| Event | Deadline | Content |
|---|---|---|
| Entity becomes aware of the incident | T=0 | Internal assessment begins; the reporting clock starts here |
| Early warning | T+24 hours | Basic notification, malicious act indication, cross-border potential |
| Incident notification | T+72 hours | Severity assessment, impact analysis, indicators of compromise |
| Final report | T+1 month | Root cause, full description, mitigation measures, cross-border impact |
| Progress report (if ongoing) | T+1 month | Status update if incident not yet resolved |
| Final report (if delayed) | Resolution +1 month | Complete report after incident resolution |
Who Receives the Reports?
Reports must be submitted to the relevant national authority:
| Recipient | Role |
|---|---|
| Competent authority | The national authority responsible for NIS 2 supervision in your sector |
| CSIRT | The national Computer Security Incident Response Team |
| Single point of contact | National coordination point for cross-border issues |
Member states may establish specific reporting channels and formats. Organizations should identify their national authority and CSIRT before an incident occurs and establish communication procedures in advance.
Voluntary Reporting
NIS 2 also allows for voluntary reporting:
- Entities can report incidents that do not meet the "significant" threshold
- Entities not in scope of NIS 2 can also submit voluntary reports
- Voluntary reports are handled in the same manner as mandatory reports
- No additional obligations are imposed on the reporting entity as a result of voluntary reporting
Comparison with Other Reporting Requirements
| Framework | Reporting Timeline | Scope |
|---|---|---|
| NIS 2 | 24h early warning, 72h notification, 1 month final | Cybersecurity incidents |
| GDPR | 72 hours to supervisory authority | Personal data breaches |
| DORA | 4 hours initial, 72 hours intermediate, 1 month final | ICT-related incidents (financial sector) |
| NIS 1 | "Without undue delay" | Significant incidents |
Organizations subject to multiple frameworks should map out their reporting obligations to ensure they meet all timelines. A single incident may trigger reporting under both NIS 2 and GDPR, for example.
Preparing Your Incident Reporting Process
Step 1: Establish Detection Capabilities
Implement monitoring and detection tools that can identify significant incidents quickly. The 24-hour clock starts when you "become aware" of the incident, so faster detection means more time for assessment and reporting.
Step 2: Define Internal Escalation Procedures
Create clear escalation paths so that when a potential significant incident is detected, the right people are notified immediately. Define who has the authority to classify an incident as significant and initiate external reporting.
Step 3: Prepare Report Templates
Have pre-formatted templates ready for each stage of reporting. This reduces the time needed to compile and submit reports under pressure.
Step 4: Identify Your Authorities
Know which CSIRT and competent authority you report to before an incident occurs. Establish communication channels and test them periodically.
Step 5: Conduct Regular Exercises
Run tabletop exercises and incident simulations that include the reporting process. This helps teams practice meeting the strict timelines under realistic conditions.
Common Questions
What happens if we miss the 24-hour deadline?
Missing reporting deadlines constitutes non-compliance with NIS 2 and can result in enforcement action, including administrative fines. However, the directive recognizes that precise timelines may be challenging, and authorities generally focus on whether the entity made reasonable efforts to report promptly.
Does every cyberattack need to be reported?
No. Only "significant incidents" that cause or could cause severe operational disruption, financial loss, or considerable damage to others need to be reported. Routine security events that are handled through normal processes do not trigger reporting obligations.
Can we report to multiple authorities simultaneously?
Yes, and in some cases you may need to. If an incident affects both cybersecurity (NIS 2) and personal data (GDPR), you should report to both the CSIRT/competent authority and the data protection authority within their respective timelines.
