
NIS 2 incident reporting: 24 hours, 72 hours, one month

Article 23 of NIS 2 sets a three-stage incident reporting obligation: an early warning to the competent authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month.

What counts as a significant incident

Article 23(3) defines a significant incident as one that has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

The threshold is interpreted by competent authorities. Most national transpositions provide more specific guidance, often referencing sector-specific impact criteria (e.g. number of users affected, geographic scope, duration of disruption, financial losses).

Stage 1: 24-hour early warning

Within 24 hours of becoming aware of a significant incident, the entity must submit an early warning to its competent authority or CSIRT. The early warning indicates whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.

The warning is not a full incident report. It is a flag that something is happening and gives authorities the chance to coordinate. Submitting an early warning does not lock in a position; updates are expected as the picture clarifies.

Stage 2: 72-hour incident notification

Within 72 hours of becoming aware, the entity submits a formal incident notification. The notification updates the early warning with the entity’s initial assessment, including severity, impact, and, where available, indicators of compromise.

In practice this is the document most entities have to scramble to produce. The 24-hour warning is a short message. The 72-hour notification is the first structured assessment, and producing it well during an active incident requires a pre-built incident response runbook and a team that has rehearsed.

Stage 3: one-month final report

No later than one month after the 72-hour notification, the entity submits a final report. The final report contains a detailed description of the incident (including severity, impact, and root cause), the mitigation measures applied, and, where relevant, the cross-border impact.

Where the incident is ongoing at the one-month mark, the entity submits a progress report and then a final report once the incident is closed.

Penalties for failure to report

Failure to comply with the reporting obligations is one of the categories that can trigger administrative fines. The fines align with the entity class: up to €10 million or 2% of global turnover for essential entities, up to €7 million or 1.4% for important entities. Several national transpositions also create personal liability for management body members in the case of serious or repeated reporting failures.

Practical setup

  • Maintain a registered point of contact with the competent authority and CSIRT for each member state in which you operate.
  • Build the 24-hour early warning template in advance. It should be sendable from a phone with minimal information.
  • Pre-build the 72-hour notification structure as a runbook step. Fields to capture: detection time, suspected root cause, affected services, number of customers affected, geographic scope, indicators of compromise, mitigation in progress.
  • Rehearse. Most entities discover the gap between "we have a runbook" and "the runbook works under pressure" only the first time they run it.
  • Where the incident is cross-border, expect coordinated reporting via the EU CyCLONe network and the cooperation group. Do not wait for explicit instruction; flag cross-border impact in the early warning.
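
The reporting clock and the 72-hour field list from the setup steps above, as an added Python example that is not part of the original guide. The field names, the function names and the calendar-month reading of "one month" (same day next month, clamped to month end) are assumptions, and the sample incident is constructed.

```python
import calendar
from datetime import datetime, timedelta, timezone

# Assumed field names, taken from the 72-hour runbook list above.
NOTIFICATION_FIELDS = (
    "detection_time", "suspected_root_cause", "affected_services",
    "customers_affected", "geographic_scope",
    "indicators_of_compromise", "mitigation_in_progress",
)

def _utc(ts):
    # Reject naive timestamps: a wrong time zone silently shifts every deadline.
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc)

def add_one_month(ts):
    """Same day next month, clamped to that month's last day (assumed reading)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month,
                      day=min(ts.day, calendar.monthrange(year, month)[1]))

def reporting_deadlines(aware_at, notified_at=None):
    """Stage deadlines in UTC. The final report runs from the notification;
    until it is sent, plan from the latest moment it may be sent."""
    aware = _utc(aware_at)
    notification_due = aware + timedelta(hours=72)
    anchor = _utc(notified_at) if notified_at else notification_due
    return {"early_warning": aware + timedelta(hours=24),
            "incident_notification": notification_due,
            "final_report": add_one_month(anchor)}

def hours_remaining(deadlines, now):
    """Hours left per stage; a negative value means the stage is overdue."""
    now = _utc(now)
    return {k: round((v - now).total_seconds() / 3600, 1)
            for k, v in deadlines.items()}

def missing_fields(draft):
    """Runbook fields still empty in a draft notification (0 counts as filled)."""
    return [f for f in NOTIFICATION_FIELDS if draft.get(f) in (None, "", [], {})]

if __name__ == "__main__":
    # Constructed sample: awareness at 22:15 CET on 30 January 2025.
    aware = datetime(2025, 1, 30, 22, 15, tzinfo=timezone(timedelta(hours=1)))
    draft = {"detection_time": aware.isoformat(), "affected_services": ["portal"],
             "customers_affected": 0}
    for stage, due in reporting_deadlines(aware).items():
        print(f"{stage:22} due {due.isoformat()}")
    print("still missing:", ", ".join(missing_fields(draft)))
```
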
