Incident Reporting: The 24/72-Hour Timeline Explained

Article 23 of NIS2 introduces a strict three-stage incident reporting regime for significant incidents. Understanding exactly what triggers reporting obligations and what information must be included at each stage is essential for every compliance programme. Missing these deadlines can itself constitute a violation and lead to penalties.

What Counts as a "Significant Incident"

Not every security incident requires mandatory reporting. Article 23(3) defines a significant incident as one that:

• Has caused or is capable of causing severe operational disruption of services or financial loss for the entity concerned
• Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage
• Involves a breach of confidentiality, integrity, or availability of network and information systems that supports essential or important services
• Results in a significant number of users being affected
• Has caused a disruption of long duration to the provision of services
• Has affected a geographically widespread area

Stage 1 — Early Warning (within 24 hours)

Within 24 hours of becoming aware of a significant incident, you must submit an early warning notification. This is designed to give authorities early awareness and allow them to offer assistance if needed. The early warning must include:

• Notification that a significant incident has occurred
• Whether the incident is suspected to be the result of unlawful or malicious action
• Whether the incident may have a cross-border impact (affecting entities or services in other Member States)
• The basic nature of the incident (e.g., ransomware, DDoS, data breach)
• Initial assessment of severity (even if preliminary)

Stage 2 — Incident Notification (within 72 hours)

Within 72 hours of becoming aware of the incident, you must submit a full incident notification. If an early warning has already been submitted, this updates and supplements it. The 72-hour notification must include:

• Updated assessment of severity and impact
• Indicators of compromise (IoCs) where available
• Information about the nature of the threat or root cause (if known)
• Applied and ongoing mitigation measures
• The potential cross-border impact of the incident
• Affected services, systems, and geographic areas
• An estimate of the number of affected users

Stage 3 — Final Report (within 1 month)

Within one month of submitting the incident notification, you must provide a final report. For ongoing incidents at the one-month mark, you submit a progress report instead, with the final report due within one month of incident resolution. The final report must include:

• Detailed description of the incident including its severity and impact
• Type of threat or root cause likely to have triggered the incident
• Applied and completed mitigation and recovery measures
• Cross-border impact, if applicable
• Lessons learned and measures taken to prevent recurrence
• Total duration of the incident and the timeline of events

Who to Report To

Reports must be submitted to your national CSIRT (Computer Security Incident Response Team) or, alternatively, the National Competent Authority (NCA) designated for your sector. In some Member States, these are the same body. Your national authority will be published in the national NIS2 implementing legislation. For incidents affecting critical services across multiple Member States, the CSIRT may escalate to EU-CERT and coordinate with other Member States. If the incident involves a personal data breach, you must also notify your national data protection authority under GDPR — this is a separate obligation with different content requirements.