NISDESK

NIS2 Incident Reporting Deadlines

NIS2 Article 23 establishes a three-stage incident reporting obligation for significant cybersecurity incidents. Missing any deadline can trigger supervisory action and fines.

1. T+0: Incident detected
   Your organisation becomes aware of a potential significant incident. Clock starts.

2. T+24h: Early warning
   Submit an early warning to your national CSIRT / competent authority. Indicate whether the incident is suspected to be malicious and whether it has cross-border impact.

3. T+72h: Formal incident notification
   Submit a detailed notification including: incident description, severity, impact scope, initial cause assessment, and mitigation measures taken so far.

4. T+1 month: Final incident report
   Submit a final report with: full root cause analysis, detailed description of the incident, cross-border impact, remediation measures implemented, and lessons learned.

What triggers the reporting obligation?

An incident qualifies as "significant" under NIS2 Article 23(3) if it:

Note on parallel obligations: If the incident involves personal data, GDPR Article 33 also requires notifying the data protection authority within 72 hours. Both notifications run in parallel to different regulators. Use our incident tool to track both simultaneously.

Track incident notifications with NISDESK

Our incident module tracks 24h/72h/1-month deadlines, pre-fills authority contact details for your country and generates draft notifications.


Frequently asked questions

What counts as a 'significant incident' under NIS2?

Under NIS2 Article 23(3), a significant incident is one that causes or could cause severe operational disruption, financial loss to the entity, or significant damage to individuals. Indicators include the number of users affected, the duration of disruption, and whether critical services were interrupted.

When does the 24-hour NIS2 clock start?

The 24-hour early warning deadline starts from the moment the organisation becomes aware of the significant incident — not from when the incident actually began. This is the moment your incident response team has enough information to classify it as significant.

What must be included in the 72-hour NIS2 notification?

The formal notification (within 72 hours) must include: a description of the incident, initial severity assessment, impact on services, number of users/entities affected, and initial cause assessment if known. This is reported to your national CSIRT or competent authority.

Is the 72-hour NIS2 deadline the same as the GDPR 72-hour deadline?

They are parallel requirements. NIS2 Article 23 requires 72-hour incident notification to the national cybersecurity authority. GDPR Article 33 requires 72-hour personal data breach notification to the data protection authority. If an incident involves personal data, both may apply simultaneously to different regulators.

Based on NIS2 Article 23. For decision-support purposes only.