NIS2 incident reporting: the 24-hour and 72-hour deadlines
By ComplyBricks · Last reviewed Jul 12, 2026
One of the obligations NIS2 adds that a security standard like ISO 27001 does not is mandatory incident reporting on a tight, staged timeline. Article 23 sets out what to report, to whom, and when.
What counts as a "significant incident"?
Reporting is triggered by a significant incident — broadly, one that:
- has caused or is capable of causing severe operational disruption of the service or financial loss for your entity; or
- has affected or is capable of affecting other people by causing considerable material or non-material damage.
Not every event is reportable; the threshold is significance. National transpositions and implementing rules may add specific criteria — verify them for your sector.
Who you notify
Report to your CSIRT (Computer Security Incident Response Team) or the relevant competent authority, as designated by your member state. In some cases you may also need to inform the recipients of your services — for example, where they need to take protective action.
The reporting timeline
NIS2 reporting happens in stages, not a single filing:
| Stage | Deadline | What it covers |
|---|---|---|
| Early warning | Within 24 hours of becoming aware | Whether the incident is suspected to be caused by unlawful/malicious acts or could have cross-border impact |
| Incident notification | Within 72 hours of becoming aware | An update to the early warning, an initial assessment (severity, impact), and indicators of compromise where available |
| Intermediate report | On request | Relevant status updates if the competent authority or CSIRT asks |
| Final report | Within 1 month of the notification | A detailed description, the type of threat/root cause, mitigation applied, and any cross-border impact |
If the incident is still ongoing at the one-month mark, a progress report is provided, with the final report following once it is resolved.
Why this matters
The clock starts when you become aware of the incident — which is why detection and an incident-handling process (one of the Art. 21 measures) matter so much: you can't hit a 24-hour early warning if you don't know an incident is happening. Build the reporting workflow, roles, and contact points before you need them.
Next step
If you're still confirming whether NIS2 applies to you, start with Am I in scope for NIS2?.
References
- NIS2 — Directive (EU) 2022/2555, Art. 23 (reporting obligations)
This guide is for general information only and is not legal advice. Requirements change and depend on your circumstances — verify against the primary sources and consult a qualified professional or your DPO before making compliance decisions.
See how one control satisfies ISO 27001, NIS2 and GDPR at once.
Explore the live demo →