NIS2 Incident Reporting Deadlines
NIS2 Article 23 establishes a three-stage incident reporting obligation for significant cybersecurity incidents. Missing any deadline can trigger supervisory action and fines.
T+0
Incident detected
Your organisation becomes aware of a potential significant incident. Clock starts.
T+24h
Early warning
Submit an early warning to your national CSIRT / competent authority. Indicate whether the incident is suspected to be malicious and whether it has cross-border impact.
T+72h
Formal incident notification
Submit a detailed notification including: incident description, severity, impact scope, initial cause assessment, and mitigation measures taken so far.
T+1 month
Final incident report
Submit a final report with: full root cause analysis, detailed description of the incident, cross-border impact, remediation measures implemented, and lessons learned.
What triggers the reporting obligation?
An incident qualifies as "significant" under NIS2 Article 23(3) if it:
- Causes severe operational disruption to the service
- Results in significant financial loss to the entity
- Affects other natural or legal persons with considerable damage
- Involves a large number of users affected or a wide geographic area
- Results in significant data loss or service unavailability lasting more than a few hours
Track incident notifications with NISDESK
Our incident module tracks 24h/72h/1-month deadlines, pre-fills authority contact details for your country and generates draft notifications.
Frequently asked questions
What counts as a 'significant incident' under NIS2?
Under NIS2 Article 23(3), a significant incident is one that: causes or could cause severe operational disruption, financial loss to the entity, or significant damage to individuals. Indicators include the number of users affected, the duration of disruption, and whether critical services were interrupted.
When does the 24-hour NIS2 clock start?
The 24-hour early warning deadline starts from the moment the organisation becomes aware of the significant incident — not from when the incident actually began. This is the moment your incident response team has enough information to classify it as significant.
What must be included in the 72-hour NIS2 notification?
The formal notification (within 72 hours) must include: a description of the incident, initial severity assessment, impact on services, number of users/entities affected, and initial cause assessment if known. This is reported to your national CSIRT or competent authority.
Is the 72-hour NIS2 deadline the same as the GDPR 72-hour deadline?
They are parallel requirements. NIS2 Article 23 requires 72-hour incident notification to the national cybersecurity authority. GDPR Article 33 requires 72-hour personal data breach notification to the data protection authority. If an incident involves personal data, both may apply simultaneously to different regulators.
Based on NIS2 Article 23. For decision-support purposes only.