The clock starts ticking upon discovery
When a significant security incident is discovered, the clock starts. NIS2 gives you 24 hours — not 24 working hours, not “next business day”, but 24 actual hours — to send an early warning to your national CSIRT.
This means an incident discovered on Saturday evening requires a report by Sunday evening. Is your organisation prepared for that?
Critical question: Do you have documented contact paths to your national CSIRT that work outside office hours? If the answer is no, that’s the first thing to address.
What is a “significant incident”?
Not all incidents need to be reported. NIS2 focuses on significant incidents — those that have real impact on the service or others.
An incident is considered significant if it:
- Has caused or is capable of causing severe operational disruption of the service
- Has caused or is capable of causing considerable material losses for the entity
- Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage
Examples of significant incidents:
- Ransomware that encrypts production systems
- Data breach with leakage of personal data
- DDoS attack making services unavailable to customers
- Compromised supplier with access to your systems
The timeline: Three reports, three deadlines
- Early warning — within 24 hours The first report is a quick notification that something has happened. It doesn't need to be complete — the purpose is to warn. Include: that an incident has occurred, initial assessment of scope, and whether the incident is suspected to be cross-border or affect other EU countries.
- Incident notification — within 72 hours Now more substance is expected. Update with assessment of incident severity and impact, description of what happened (as far as you know), and any indicators of compromise (IOCs) that might help others.
- Final report — within 1 month The complete analysis. Contains detailed description of the incident, root cause analysis, measures taken and planned, and lessons learned and improvement actions.
Detailed content per report
Early warning (24 hours)
| Field | Description | Mandatory |
|---|---|---|
| Time of discovery | When the incident was discovered | Yes |
| Type of incident | Preliminary classification | Yes |
| Affected services | Which services are affected | Yes |
| Initial scope | Estimated impact | Yes |
| Cross-border | Suspected impact in other countries | Yes |
| Contact person | Who the CSIRT can contact | Yes |
Incident notification (72 hours)
| Field | Description | Mandatory |
|---|---|---|
| Updated status | Current situation and development | Yes |
| Severity | Assessment of severity level | Yes |
| Technical description | What happened technically | Yes |
| Impact | Number affected, service loss | Yes |
| IOCs | Indicators of compromise | If available |
| Measures taken | What you’ve done so far | Yes |
Final report (1 month)
| Field | Description | Mandatory |
|---|---|---|
| Complete timeline | Chronology from start to finish | Yes |
| Root cause analysis | Underlying cause of the incident | Yes |
| Impact (final) | Actual impact, those affected | Yes |
| All measures taken | Complete list | Yes |
| Lessons learned | What you learned | Yes |
| Improvement plan | How you prevent recurrence | Yes |
Who do you report to?
All significant incidents are reported to your designated national CSIRT. They coordinate technical handling and can assist with analysis and recommendations. Each EU Member State has designated national CSIRTs under NIS2.
Depending on your sector, you also report to your sector-specific authority. Energy regulators for energy, transport authorities for transport, European Banking Authority for banking, etc.
Practical: Each Member State is establishing unified reporting channels under NIS2. Stay updated via your national competent authority for current information on how reporting should be conducted.
Common pitfalls to avoid
24 hours applies even on weekends and nights. Without functioning on-call arrangements and clear contact paths, it becomes impossible to meet time requirements when it really matters.
During an ongoing incident, the last thing you want to do is figure out format and wording. Have ready templates for all three report types ready to fill in.
Who decides to report? Who writes? Who approves? Unclear roles lead to delays. Document the division of responsibilities now.
The report to CSIRT isn't everything. Don't forget internal escalation to management, possible GDPR report to your Data Protection Authority for personal data incidents, and communication with customers.
Checklist: Are you prepared?
Use this checklist to assess your readiness:
Processes and documentation:
- Clear definition of what constitutes a significant incident
- Documented incident handling process
- Escalation procedures and decision paths
- Templates for all three report types
- Contact details for CSIRT and supervisory authority
Organisation and resources:
- On-call arrangements or equivalent for rapid response
- Designated incident manager with authority
- Trained personnel who can act
- Communication channels that work around the clock
Technical capability:
- Detection capability to discover incidents
- Logging to investigate what happened
- Ability to collect indicators of compromise (IOCs)
- Backup and recovery capability
Practical tips
Build an incident handling exercise
Conduct regular exercises where you simulate a significant incident. Focus on:
- Can you produce an early warning within 24 hours?
- Do the contact paths to CSIRT work?
- Does everyone involved know what to do?
Create templates now
Don’t wait for the incident. Create templates for:
- Early warning — Standard form with pre-filled fields
- Incident notification — Structure for deeper analysis
- Final report — Template for complete documentation
Establish contact paths
- Register with your national CSIRT if you haven’t already
- Test the reporting channel before it becomes critical
- Have backup contact paths (phone, not just email)
Want to know more about NIS2’s other requirements? Read our NIS2 framework overview for a complete picture of the directive, or check if you’re covered by NIS2 with our classification tool.
How Securapilot can help
Securapilot’s incident management module is built with NIS2’s time requirements in mind:
- Incident classification — Automatic assessment against NIS2’s definition of significant incident
- Time tracking — Deadline tracking with warnings before they expire
- Template generation — Automatic generation of reports based on incident data
- Escalation — Built-in workflows for approval and escalation
- Documentation — Complete traceability for the final report
Book a demo and see how we can help you be prepared when it really matters.
Frequently asked questions
What constitutes a 'significant incident' under NIS2?
An incident is considered significant if it has caused or is capable of causing severe operational disruption of the service, considerable material losses for the entity, or affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
Who do I report to?
In the EU, incidents are reported to your designated national CSIRT and to your sector-specific supervisory authority. The exact reporting pathway depends on your sector and Member State. Each Member State has designated national competent authorities under NIS2.
What happens if I miss the 24-hour deadline?
Missing reporting deadlines can lead to sanctions. However, the most important thing is to report as soon as possible, even if the deadline has passed. Not reporting at all is significantly more serious than reporting late.
Must I report incidents at suppliers?
If an incident at a supplier affects your ability to deliver your services, it may become a reportable incident for you. You need agreements and processes that ensure suppliers promptly inform you of incidents that could impact your operations.
