NIS2 Incident Reporting
Practical guide to NIS2 incident reporting obligations under Article 23, covering the three-stage reporting process, significant incident thresholds, cross-border coordination, and internal escalation workflows.
- 1
Only significant incidents — those causing severe operational disruption or capable of causing considerable damage to others — trigger NIS2 mandatory reporting under Article 23.
- 2
The three-stage reporting timeline requires an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month.
- 3
DORA is lex specialis to NIS2: financial entities report under DORA, but mixed-activity groups may still have residual NIS2 obligations for non-financial services.
- 4
Cross-border impact assessment must be part of the early warning — entities need situational awareness of their multi-jurisdictional service footprint from the first hours of an incident.
- 5
A dedicated reporting officer, separate from the incident response commander, is essential to avoid reporting delays during high-pressure incidents.
Significant Incident Definition Under Article 23
NIS2 (Directive 2022/2555) establishes incident reporting obligations in Article 23, but the threshold for mandatory reporting is narrower than many organisations initially assume. Not every security incident triggers reporting — only those classified as "significant." Article 23(3) defines a significant incident as one that has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
The determination of significance requires assessment against both quantitative and qualitative factors. The European Commission's implementing acts under Article 23(11) provide further guidance on when incidents affecting specific sectors should be considered significant. Factors include the number of users affected, the duration of the disruption, the geographical reach, the extent of the disruption of the service's functioning, and the impact on economic and societal activities. For entities operating critical infrastructure, even brief disruptions to essential services can meet the significance threshold.
Organisations must develop internal classification procedures that map these regulatory criteria to their specific operational context. A hospital network operator, for example, will have different materiality thresholds than a DNS provider or an energy utility. The classification procedure must be documented, staff must be trained to apply it, and the classification decision must be recorded for each incident — regardless of whether the outcome is that reporting is triggered. Regulators will not only examine whether significant incidents were reported, but also whether the entity had a credible classification process for incidents that were assessed and deemed not significant.
Three-Stage Reporting: Early Warning, Notification, Final Report
NIS2 Article 23(4) establishes a three-stage reporting process that balances the need for rapid awareness with the reality that comprehensive information is only available after investigation. The three stages are the early warning, the incident notification, and the final report. Each has a distinct timeline and content expectation.
The early warning must be submitted to the CSIRT or competent authority without undue delay and in any event within 24 hours of the entity becoming aware of the significant incident. The early warning is deliberately light-touch: it must indicate whether the incident is suspected of being caused by unlawful or malicious acts, and whether it could have a cross-border impact. The purpose is to alert authorities quickly so they can coordinate a response if needed. The early warning does not require root cause analysis or impact quantification — speed takes priority.
The incident notification must be submitted without undue delay and in any event within 72 hours of the entity becoming aware of the significant incident. This notification must update or replace the early warning with an initial assessment of the incident, including its severity and impact, and where available, the indicators of compromise. The 72-hour window aligns with GDPR's breach notification timeline, which is helpful for entities managing parallel reporting obligations. The final report must be submitted no later than one month after the incident notification. It must include a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and ongoing, and where applicable, the cross-border impact of the incident.
For incidents that are still ongoing at the one-month mark, the entity must submit a progress report at that time and a final report within one month of the incident being resolved. This provision acknowledges that complex cyber incidents — particularly advanced persistent threat campaigns — may take months to fully investigate and remediate.
The 24-hour early warning clock starts from the moment the entity becomes "aware" of the significant incident — not from the moment of detection by automated systems. Organisations must define clearly in their incident response procedures what constitutes "awareness" (e.g., when a human analyst confirms classification).
Reporting Recipients: CSIRTs and Competent Authorities
Under NIS2, entities report to their designated CSIRT (Computer Security Incident Response Team) or, depending on Member State transposition, to the competent authority. Each Member State has designated one or more CSIRTs and competent authorities under Article 8. The choice of recipient depends on the sector, the Member State, and how the directive has been transposed into national law.
The designated CSIRTs have an active role beyond passive report collection. Upon receiving an early warning, the CSIRT must respond within 24 hours with initial feedback on the incident and, upon request, with guidance or operational advice on the implementation of possible mitigation measures. This creates a two-way relationship that entities should proactively leverage. CSIRTs also coordinate cross-border incident response through the CSIRTs network established under Article 15, which includes ENISA in a secretariat role.
Entities operating across multiple EU Member States face the practical challenge of identifying the correct reporting recipient in each jurisdiction. NIS2 Article 23(1) requires notification to the CSIRT or competent authority of the Member State where the entity is established. For entities established in multiple Member States, the primary reporting obligation is to the authority where the main establishment is located, but cross-border coordination obligations may require notification to additional authorities. Entities should map their reporting obligations by jurisdiction during the initial compliance setup and maintain a contact register with the relevant CSIRT and competent authority for each operating location.
The reporting format is determined by each Member State's transposition and implementing measures. ENISA has published guidance and templates to promote harmonisation, but entities should verify the specific requirements in their jurisdiction. Some Member States have established dedicated electronic reporting portals, while others accept structured email submissions. Testing the reporting channel — before an actual incident — is a prudent step.
Cross-Border Incident Coordination
NIS2 places significant emphasis on cross-border incident coordination, recognising that cyber incidents rarely respect national borders. Article 23(5) requires the CSIRT or competent authority that receives a notification to determine whether the incident has cross-border relevance and, if so, to inform other affected Member States and ENISA. This coordination happens at the authority level — the entity's primary obligation is to report to its own CSIRT.
However, entities themselves have obligations related to cross-border impact assessment. The early warning (24-hour report) must indicate whether the incident could have a cross-border impact. This requires the entity to have sufficient situational awareness during the early hours of an incident to assess whether services, data, or infrastructure in other Member States are or could be affected. For entities operating pan-European networks or services, this cross-border impact assessment should be a standard element of the incident triage procedure.
The EU-CyCLONe (Cyber Crisis Liaison Organisation Network), established under Article 16, provides the large-scale incident coordination mechanism. When an incident or crisis affects multiple Member States at a level that could have systemic impact, EU-CyCLONe coordinates between national authorities, the CSIRTs network, the European Commission, and ENISA. While individual entities do not interact directly with EU-CyCLONe, they should be aware that a significant cross-border incident they report may escalate to this level — and they may receive coordination instructions or information requests through their national CSIRT as a result.
Entities with operations across the EU should integrate cross-border considerations into their incident response playbooks. This includes: maintaining an inventory of services and data processing activities by jurisdiction, pre-defining criteria for cross-border impact assessment, establishing communication channels with local IT and legal teams in each operating jurisdiction, and understanding the specific notification requirements in each Member State where the entity is established.
Comparison with DORA for Dual-Regulated Entities
Entities in the financial sector may fall within the scope of both NIS2 and DORA. Article 4 of NIS2 and Article 1(2) of DORA clarify the relationship: DORA is lex specialis, meaning its incident reporting requirements take precedence over NIS2 for financial entities within DORA's scope. In practice, financial entities report ICT-related incidents under DORA's regime, not NIS2's.
The key differences between the two reporting regimes are worth understanding even for entities that clearly fall under DORA. DORA's initial notification window is 4 hours (with a 24-hour backstop), compared to NIS2's 24-hour early warning. DORA uses "major ICT-related incident" as its threshold, with detailed quantitative criteria in the RTS, while NIS2 uses "significant incident" with broader qualitative criteria. DORA reports go to financial supervisory authorities, while NIS2 reports go to CSIRTs or cybersecurity authorities.
The complexity arises for financial groups that include entities with activities outside the financial regulatory perimeter. A financial group that also operates a data centre providing services to non-financial clients, for example, may have NIS2 obligations for the data centre activity even while reporting ICT incidents affecting banking operations under DORA. Legal entity mapping and activity-level analysis are essential to determine which regime applies to each activity within the group.
For entities unambiguously within DORA scope only, the practical advice is straightforward: implement DORA's incident reporting requirements, which are more prescriptive and faster-paced than NIS2's. Meeting DORA's standards will, by design, exceed what NIS2 would require. The dual-regulation complexity primarily affects groups with mixed financial and non-financial activities or entities operating in sectors covered by both directives.
If your entity is exclusively a financial entity within DORA's scope, you do not need to implement NIS2 incident reporting separately. DORA's requirements are more demanding and take precedence. Focus your compliance effort on the DORA regime.
Practical Workflow and Internal Escalation
Building an effective NIS2 incident reporting workflow begins with the detection and triage layer. Security operations teams must be trained to escalate potential significant incidents through a defined pathway that leads to a classification decision within hours — not days. The classification decision must be made by a designated individual or team with the authority and training to apply the Article 23(3) significance criteria. This person should not be the same individual managing the technical incident response, to avoid conflicts between response priorities and reporting obligations.
The escalation pathway should be documented in the entity's incident response policy and should include clear triggers, timeframes, and handoff procedures. When an incident is detected, the SOC or IT team performs initial triage and, if it meets predefined criteria (e.g., impacts a critical service, affects personal data, involves suspected malicious activity), escalates to the designated classification authority. The classification decision must be made, documented, and communicated within a timeframe that leaves sufficient margin for preparing and submitting the 24-hour early warning.
Once an incident is classified as significant, a parallel reporting track should activate alongside the technical response track. A designated reporting officer should be responsible for compiling the early warning, liaising with the CSIRT, and managing the 72-hour notification and final report preparation. This officer should have access to the technical incident response team for information but should not be dependent on the response team's availability to prepare reports — during a major incident, the response team will be fully occupied.
Regular exercises are essential. At minimum annually, the entity should conduct a tabletop exercise that simulates a significant incident and walks through the entire reporting workflow — from detection and classification through early warning submission, CSIRT interaction, cross-border assessment, 72-hour notification, and final report preparation. The exercise should test not just the procedures but also the people, the communication channels, and the templates. Findings from these exercises must be documented and fed into the continuous improvement process for the incident response programme.
What qualifies as a significant incident under NIS2?
Under Article 23(3), a significant incident is one that has caused or is capable of causing severe operational disruption of the entity's services or financial loss, or has affected or is capable of affecting other persons by causing considerable material or non-material damage. The European Commission's implementing acts provide sector-specific guidance. The assessment considers factors like the number of affected users, duration, geographical scope, and impact on economic or societal activities.
Do we report to our CSIRT or our competent authority?
This depends on how your Member State transposed NIS2. Some Member States designate the CSIRT as the primary recipient, others the competent authority, and some require notification to both. Check your national transposition law and the authority designations published by your Member State. ENISA maintains a directory of designated CSIRTs and competent authorities across the EU.
What if our incident is ongoing when the final report is due?
If the incident has not been resolved one month after the incident notification, the entity must submit a progress report at that point. A final report must then be submitted within one month of the entity handling the incident (i.e., one month after resolution). This provision in Article 23(4)(d) acknowledges that complex incidents can take months to fully resolve.
Does NIS2 require us to notify affected individuals?
NIS2 Article 23(7) allows competent authorities or CSIRTs to require the entity to inform the recipients of its services — and in some cases the public — about the significant incident. However, NIS2 does not directly impose a general obligation on entities to notify affected individuals. If personal data is involved, GDPR Article 34 obligations regarding notification of data subjects may apply separately and in parallel. The two obligations must be managed independently.
How does NIS2 incident reporting interact with sector-specific regulations?
NIS2 Article 4 establishes that where sector-specific EU legislation requires measures for cybersecurity or incident notification that are at least equivalent in effect, those sector-specific provisions prevail. DORA for financial services is the primary example. For other sectors (energy, transport, health), entities should check whether sector-specific legislation imposes incident reporting obligations that might supersede or supplement NIS2. Where no sector-specific lex specialis exists, NIS2 applies in full.
Ready to Operationalise This?
Turn this guide into working compliance workflows. Create an account or schedule a personalised demo.