
NIS2 Incident Notification: The Practical 72-Hour Guide
Thomas Weber
Technical Consultant — Security Architect
Ransomware hits your main server at 11pm on a Friday night. The NIS2 clock starts immediately. You have 24 hours for the early warning, 72 hours for the full report.
What counts as a significant incident under NIS2?
Article 23 of Directive 2022/2555 defines a significant incident as one that causes or may cause severe operational disruption, significant financial loss, or affects other entities by causing considerable damage. Examples: ransomware, data breach, DDoS taking services offline, supply chain compromise.
Phase 1: Early Warning (24 hours)
Once you become aware of the incident, you have 24 hours to send an early warning to the NCSC or your national CSIRT (Article 23, Directive 2022/2555). Content: nature of incident, suspected cause, cross-border impact assessment.
Phase 2: Full Notification (72 hours)
Within 72 hours: severity assessment, impact on services, indicators of compromise (IOCs), remediation measures underway.
Phase 3: Final Report (1 month)
Within one month of resolution: root cause analysis, corrective measures, lessons learned.
What to prepare NOW
- An incident response team with clear roles.
- Pre-saved national authority contact details.
- Incident classification matrix.
- Pre-drafted notification templates.
- Defined internal communication chain.
- Evidence preservation procedures.
Common mistakes to avoid
- Waiting too long to classify as significant.
- Delaying notification due to internal escalation.
- Incomplete initial report without IOCs.
- Remediating before preserving forensic evidence.
The 72-hour clock does not wait. Prepare now, or pay later — up to EUR 10 million (Article 34, Directive 2022/2555).
*This article is for informational purposes only and does not constitute legal advice.*
