One of the sharpest changes NIS2 brings is a strict, staged incident reporting regime. It is not enough to handle an incident well technically; in-scope entities must also notify the authorities, in a defined sequence, against tight deadlines. Get the timeline wrong and a well-managed incident can still become a regulatory problem.
The reporting flows to your national CSIRT or competent authority, and it happens in three stages. The trigger for all of them is the same: becoming aware of a significant incident.
The three-stage timeline
- Early warning, within 24 hours. Without undue delay, and in any event within 24 hours of becoming aware, you submit a brief early warning. It need only indicate whether the incident is suspected to be caused by unlawful or malicious acts, or could have cross-border impact. It is an alert, not a full report.
- Incident notification, within 72 hours. Within 72 hours of awareness, you provide an update: an initial assessment of the incident, including its severity and impact, and indicators of compromise where available.
- Final report, within one month. No later than one month after the incident notification, you submit a detailed final report: a full description, the type of threat or root cause, the mitigation applied, and any cross-border impact. If the incident is still ongoing at that point, you provide a progress report instead, and the final report follows within one month of handling the incident.
An intermediate update may also be requested by the authority along the way. The structure rewards organisations that are prepared and punishes those improvising under pressure.
The 24-hour clock starts when you become aware, not when you finish investigating. Readiness is what makes that deadline survivable.
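As an added example (not from the original article), the timeline above can be expressed as a deadline calculator, with a check of a submission log against it. The function names, the sample timestamps and the reading of "one month" as the same day of the next calendar month (clamped to month end) are assumptions; national law may count the period differently.

```python
from calendar import monthrange
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def add_one_month(ts):
    # Assumption: "one month" = same day next calendar month, clamped to month end.
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month, day=min(ts.day, monthrange(year, month)[1]))


def reporting_deadlines(aware_at, notified_at=None, handled_at=None):
    """Due time (UTC) of each reporting stage.

    notified_at: when the incident notification was actually submitted; until
    then the final report is counted from the 72-hour deadline (assumption).
    handled_at: when the incident was handled, if it outlasted the final-report date.
    """
    if any(t is not None and t.tzinfo is None for t in (aware_at, notified_at, handled_at)):
        raise ValueError("timestamps must be timezone-aware")
    aware = aware_at.astimezone(UTC)
    due = {"early_warning": aware + timedelta(hours=24),
           "incident_notification": aware + timedelta(hours=72)}
    anchor = notified_at.astimezone(UTC) if notified_at else due["incident_notification"]
    due["final_report"] = add_one_month(anchor)
    if handled_at is not None and handled_at.astimezone(UTC) > due["final_report"]:
        # Still ongoing at the one-month mark: progress report then, final report
        # within one month of handling the incident.
        due["progress_report"] = due["final_report"]
        due["final_report"] = add_one_month(handled_at.astimezone(UTC))
    return due


def late_or_missing(due, submitted, now):
    """Stages submitted late, or still unsubmitted with the deadline already passed."""
    return sorted(s for s, limit in due.items() if submitted.get(s, now) > limit)


# Constructed sample incident (all timestamps invented for illustration).
CET = timezone(timedelta(hours=1))
aware = datetime(2025, 1, 28, 23, 30, tzinfo=CET)
submitted = {"early_warning": datetime(2025, 1, 30, 8, 0, tzinfo=CET),
             "incident_notification": datetime(2025, 1, 31, 10, 0, tzinfo=CET)}
due = reporting_deadlines(aware, notified_at=submitted["incident_notification"])
if __name__ == "__main__":
    for stage, limit in due.items():
        print(f"{stage:22} due {limit:%Y-%m-%d %H:%M} UTC")
    print("late:", late_or_missing(due, submitted, datetime(2025, 2, 10, tzinfo=UTC)))
```

In the sample, the early warning was filed the morning after the 24-hour limit had passed overnight, which is the kind of gap a logged awareness timestamp makes visible.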
What counts as a "significant" incident
You do not report everything. NIS2 sets a threshold: an incident is significant if it has caused or is capable of causing severe operational disruption of services or financial loss for your entity, or if it has affected or is capable of affecting other people by causing considerable material or non-material damage. The practical problem is that this judgement must be made fast, often with incomplete information, which is exactly why it should be decided in advance, not in the heat of the moment.
Why this is hard in practice
The deadlines look simple on paper. The difficulty is everything around them: detecting the incident quickly enough that 24 hours is realistic, classifying it correctly under stress, knowing exactly who submits the report and how, and coordinating technical, legal and communications responses in parallel. Organisations that have not rehearsed this discover the gaps at the worst possible moment.
Practical tips: be ready before the clock starts
- Pre-decide your significance criteria. Write down, in business terms, what makes an incident "significant" for you, so the call can be made in minutes.
- Know your authority and channel. Identify your national CSIRT or competent authority and the exact submission method now, not during an incident.
- Name the reporter and a backup. Someone must own submission, with authority to act at 3am on a weekend.
- Template the three reports. Pre-built early-warning, notification and final-report templates save hours when minutes matter.
- Detect faster. The 24-hour deadline is only realistic if monitoring surfaces incidents quickly, so invest in detection, not just prevention.
- Rehearse with a tabletop. Run a severe-but-plausible scenario that includes the reporting clock, with business, legal and communications in the room.
- Log everything. A clean timeline of what you knew and when is your best evidence that you met your obligations.
The takeaway
NIS2 incident reporting is a test of readiness, not paperwork. The entities that handle it well are the ones that decided their criteria, channels, owners and templates long before anything went wrong, and practised. Build that readiness once, and the deadlines become manageable rather than frightening.
This article is general information from circl3.tech, not legal advice. NIS2 is transposed into national law, and exact obligations, authorities and thresholds vary by country; we recommend a scoped assessment for your organisation.