NIS2 incident reporting: the 24-hour and 72-hour deadlines

By ComplyBricks · Last reviewed Jul 12, 2026

One of the obligations NIS2 adds that a security standard like ISO 27001 does not is mandatory incident reporting on a tight, staged timeline. Article 23 sets out what to report, to whom, and when.

What counts as a "significant incident"?

Reporting is triggered by a significant incident — broadly, one that:

  • has caused or is capable of causing severe operational disruption of the service or financial loss for your entity; or
  • has affected or is capable of affecting other people by causing considerable material or non-material damage.

Not every event is reportable; the threshold is significance. National transpositions and implementing rules may add specific criteria — verify them for your sector.

Who you notify

Report to your CSIRT (Computer Security Incident Response Team) or the relevant competent authority, as designated by your member state. In some cases you may also need to inform the recipients of your services — for example, where they need to take protective action.

The reporting timeline

NIS2 reporting happens in stages, not a single filing:

Stage Deadline What it covers
Early warning Within 24 hours of becoming aware Whether the incident is suspected to be caused by unlawful/malicious acts or could have cross-border impact
Incident notification Within 72 hours of becoming aware An update to the early warning, an initial assessment (severity, impact), and indicators of compromise where available
Intermediate report On request Relevant status updates if the competent authority or CSIRT asks
Final report Within 1 month of the notification A detailed description, the type of threat/root cause, mitigation applied, and any cross-border impact

If the incident is still ongoing at the one-month mark, a progress report is provided, with the final report following once it is resolved.

Why this matters

The clock starts when you become aware of the incident — which is why detection and an incident-handling process (one of the Art. 21 measures) matter so much: you can't hit a 24-hour early warning if you don't know an incident is happening. Build the reporting workflow, roles, and contact points before you need them.

Next step

If you're still confirming whether NIS2 applies to you, start with Am I in scope for NIS2?.

References

  • NIS2 — Directive (EU) 2022/2555, Art. 23 (reporting obligations)

This guide is for general information only and is not legal advice. Requirements change and depend on your circumstances — verify against the primary sources and consult a qualified professional or your DPO before making compliance decisions.

See how one control satisfies ISO 27001, NIS2 and GDPR at once.

Explore the live demo →