NIS2 | 9 June 2026 | 8 min read

NIS2 Incident Reporting: The 24-Hour and 72-Hour Deadlines (Article 23)

By ArvexLab Team — Compliance Research

The Article 23 reporting clock

When a NIS2 entity suffers a significant incident, Article 23 of Directive (EU) 2022/2555 starts a three-stage clock. Miss it and you are non-compliant — even if you handled the incident itself well.

| Stage | Deadline | What you file |
|---|---|---|
| Early warning | Within 24 hours of becoming aware | A short alert: is the incident suspected to be unlawful or malicious, and could it have cross-border impact? |
| Incident notification | Within 72 hours of becoming aware | An update to the early warning plus an initial assessment: severity, impact, and indicators of compromise where available |
| Final report | Within 1 month of the 72-hour notification | A detailed description, the threat type or root cause, mitigations applied, and any cross-border impact |

A CSIRT or competent authority may also request an intermediate status report between the 72-hour and final stages.

Stage 1 — Early warning (24 hours)

The clock starts when you become aware of the incident — not when it began. The early warning is deliberately lightweight: its job is to flag, fast, whether the incident is suspected to be malicious and whether it could spill across borders. You are not expected to have a full diagnosis at this point.

Stage 2 — Incident notification (72 hours)

Within 72 hours you update the early warning with an initial assessment: how severe the incident is, what it has affected, and any indicators of compromise you have gathered. This is where a prepared template and a working monitoring stack pay off.

If the incident is still ongoing

If the incident has not been resolved by the time the final report would be due, you submit a progress report at the one-month mark and then a final report within one month of handling the incident.

What counts as a "significant" incident?

Article 23(3) defines an incident as significant if it (a) has caused or is capable of causing severe operational disruption of the services or financial loss for the entity, or (b) has affected or is capable of affecting other parties by causing considerable material or non-material damage. For several digital-infrastructure and ICT entity types, Commission Implementing Regulation (EU) 2024/2690 sets out concrete thresholds for what counts as significant.

Who you report to

You notify your national CSIRT or competent authority through your Member State's single entry point. Transposition differs by country — for example, Germany routes through the BSI and Italy through the ACN, each with its own portal and rules.

Informing your users

Where a significant incident may adversely affect the provision of your service, you must also inform affected recipients — and, where relevant, tell them about significant cyber threats and the measures they can take in response.

Be ready before the clock starts

  • A documented incident-response plan that names who files each report and by when
  • Pre-drafted report templates mapped to the 24h / 72h / 1-month fields
  • Monitoring that tells you precisely when "aware" starts
  • Your CSIRT/authority portal account and contacts set up in advance
  • A vendor-incident clause so suppliers alert you fast enough to meet your own 24-hour clock

How ArvexLab helps

ArvexLab tracks the Article 23 deadlines from the moment an incident is logged, helps classify severity, and generates a regulator-ready report you can review and export — so the clock never catches you off guard. See the platform or check whether NIS2 applies to you.

*This article is for general information only and is not legal advice. NIS2 obligations are determined by your national competent authority and Member State transposition law; consult qualified counsel for your situation.*
