NIS2 — GUIDE
NIS2 incident reporting timeline — 24h / 72h / 1-month
Directive (EU) 2022/2555 (NIS2) requires essential and important entities to notify their CSIRT or, where applicable, their competent authority through a staged process when a significant incident occurs. Article 23(4) sets three deadlines, each running from the moment the entity becomes aware of the incident: an early warning within 24 hours, an incident notification within 72 hours, and a final report not later than one month after the incident notification. Member States had to transpose NIS2 by 17 October 2024 and apply the transposing measures from 18 October 2024.
What triggers the reporting duty
Article 23(1) requires entities to notify the CSIRT or, where applicable, the competent authority, without undue delay, of any incident that has a significant impact on the provision of their services. Article 23(3) defines an incident as significant if it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
The three-stage timeline (Art 23(4))
- Within 24 hours of becoming aware — early warning. An early warning to the CSIRT or competent authority, which, where applicable, indicates whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.
- Within 72 hours of becoming aware — incident notification. An incident notification that, where applicable, updates the information given in the early warning and indicates an initial assessment of the significant incident, including its severity and impact, and, where available, the indicators of compromise. Trust service providers must file this notification within 24 hours for significant incidents affecting the provision of their trust services (Art 23(4), second subparagraph).
- Within one month — final report. A final report not later than one month after the submission of the incident notification, including: (a) a detailed description of the incident, its severity and impact; (b) the type of threat or root cause that likely triggered the incident; (c) applied and ongoing mitigation measures; and (d) where applicable, the cross-border impact.
When the incident is still ongoing
Article 23(4)(e) provides that, where the incident is still ongoing when the final report falls due, the entity must submit a progress report at that point and a final report within one month of completing its handling of the incident.
Article 23(1), second subparagraph, adds a separate duty towards customers: where appropriate, the entity must notify, without undue delay, the recipients of its services of any significant incident likely to adversely affect the provision of those services. Article 23(2) extends this to significant cyber threats: where appropriate, recipients potentially affected by such a threat must be told, without undue delay, of any measures or remedies they can take in response and, where appropriate, of the threat itself.
Intermediate response on request
Article 23(4)(c) lets the CSIRT or, where applicable, the competent authority request an intermediate report on relevant status updates at any point during the incident. In the other direction, Article 23(5) requires the CSIRT or competent authority to respond to the notifying entity without undue delay and, where possible, within 24 hours of receiving the early warning, giving initial feedback on the incident and, on the entity's request, guidance or operational advice on possible mitigation measures.
Overlap with the AI Act Article 73 serious-incident regime
If a NIS2 incident also constitutes a serious incident under the EU AI Act (Article 3(49): any incident or malfunctioning of an AI system that directly or indirectly leads to death or serious harm to health, serious harm to property or the environment, serious and irreversible disruption of the management or operation of critical infrastructure, or infringement of obligations under Union law intended to protect fundamental rights), providers of high-risk AI systems must report it under Article 73 to the market surveillance authorities of the Member State where the incident occurred. Each clock runs from the point at which the provider (or, where applicable, the deployer) becomes aware of the incident: not later than 15 days for serious incidents in general (Art 73(2)), immediately and not later than 2 days for a widespread infringement or a serious and irreversible disruption of critical infrastructure (Art 73(3)), and not later than 10 days for the death of a person (Art 73(4)).
Deployers are not the primary Article 73 reporter, but Article 26(5) gives them two duties. Where they have reason to consider that the high-risk system, used in accordance with its instructions, may present a risk within the meaning of Article 79(1), they must inform the provider or distributor and the relevant market surveillance authority without undue delay and suspend use of the system. Where they have identified a serious incident, they must immediately inform first the provider, and then the importer or distributor and the relevant market surveillance authorities.
Deployer evidence checklist
- Written incident-classification SOP keyed to Article 23(3) significant-incident criteria.
- 24-hour early-warning template with cross-border-impact and malicious-actor fields.
- 72-hour notification template with severity, impact and indicators-of-compromise fields.
- One-month final-report template, plus progress-report template for ongoing incidents.
- Recipient-notification templates for downstream customers: one for significant incidents under Article 23(1), second subparagraph, and one for measures and remedies against significant cyber threats under Article 23(2).
- Decision matrix that maps a single incident to NIS2 Art 23 + AI Act Art 73 + GDPR Art 33 obligations.
- Named NIS2 incident-reporting contact and out-of-hours escalation.
- Logs retained for at least 6 months in line with AI Act Art 26(6) for any AI-system-related incident.
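The deadline arithmetic in the Art 23(4) timeline above, together with the decision matrix the checklist asks for (NIS2 Art 23 + AI Act Art 73 + GDPR Art 33), is easy to get wrong by hand: the one-month clock starts at the notification's submission rather than at awareness, the ongoing-incident branch swaps the final report for a progress report, and the AI Act has three competing clocks. The following scheduler is an illustration added to this guide; it is not PowerQuant code and not part of the original page. It assumes one awareness timestamp shared by all three regimes, treats the "significant" and "serious" determinations as inputs already decided by a person, and the `Incident`, `Obligation`, `schedule()` names and the sample incident are all constructed for the example.

```python
"""Obligation scheduler for one incident across NIS2 Art 23, AI Act Art 73 and GDPR Art 33.

Added illustration (not PowerQuant code). It only turns flags an analyst has
already decided on into due dates; whether an incident is "significant" or
"serious" remains a legal judgement made outside this script.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import calendar

H24, H72 = timedelta(hours=24), timedelta(hours=72)


def utc(y: int, m: int, d: int, h: int = 0) -> datetime:
    return datetime(y, m, d, h, tzinfo=timezone.utc)


def add_one_month(ts: datetime) -> datetime:
    """One calendar month later, clamped to month end (31 Jan -> 28/29 Feb)."""
    year, month = ts.year + ts.month // 12, ts.month % 12 + 1
    return ts.replace(year=year, month=month,
                      day=min(ts.day, calendar.monthrange(year, month)[1]))


@dataclass
class Incident:
    aware_at: datetime                      # moment of becoming aware; every clock runs from here
    nis2_significant: bool                  # Art 23(3)(a) or (b) met (decided elsewhere)
    trust_service_provider: bool = False    # Art 23(4) derogation: notification due at 24h
    notification_sent_at: Optional[datetime] = None   # when the Art 23(4)(b) filing actually went in
    ongoing_at_final: bool = False          # still being handled when the final report falls due
    handled_at: Optional[datetime] = None   # end of handling; starts the Art 23(4)(e) final clock
    ai_serious_category: Optional[str] = None  # Art 3(49): death, health, critical_infra, fundamental_rights, property
    widespread_infringement: bool = False   # Art 73(3) trigger
    personal_data_breach: bool = False      # GDPR Art 33 (assumes the same awareness moment)


@dataclass
class Obligation:
    regime: str
    basis: str
    deliverable: str
    recipient: str
    due: Optional[datetime]                 # None: the clock has not started yet


def nis2_obligations(inc: Incident) -> list[Obligation]:
    if not inc.nis2_significant:
        return []
    to = "CSIRT / competent authority"
    out = [Obligation("NIS2", "Art 23(4)(a)", "early warning", to, inc.aware_at + H24),
           Obligation("NIS2", "Art 23(4)(b)", "incident notification", to,
                      inc.aware_at + (H24 if inc.trust_service_provider else H72))]
    # The one-month clock runs from the notification's submission, not from awareness.
    # Until it is filed, anchor on its latest permissible date (the conservative choice).
    final_due = add_one_month(inc.notification_sent_at or out[1].due)
    if inc.ongoing_at_final:
        out.append(Obligation("NIS2", "Art 23(4)(e)", "progress report", to, final_due))
        out.append(Obligation("NIS2", "Art 23(4)(e)", "final report", to,
                              add_one_month(inc.handled_at) if inc.handled_at else None))
    else:
        out.append(Obligation("NIS2", "Art 23(4)(d)", "final report", to, final_due))
    return out


def ai_act_obligations(inc: Incident) -> list[Obligation]:
    if inc.ai_serious_category is None:
        return []
    # Art 73(2): 15 days by default; 73(3): 2 days for widespread infringement or
    # critical-infrastructure disruption; 73(4): 10 days for a death. Earliest wins.
    clocks = {"Art 73(2)": 15}
    if inc.widespread_infringement or inc.ai_serious_category == "critical_infra":
        clocks["Art 73(3)"] = 2
    if inc.ai_serious_category == "death":
        clocks["Art 73(4)"] = 10
    basis, days = min(clocks.items(), key=lambda kv: kv[1])
    return [Obligation("AI Act", basis, "serious-incident report (provider files; a deployer "
                       "informs the provider first under Art 26(5))",
                       "market surveillance authority", inc.aware_at + timedelta(days=days))]


def gdpr_obligations(inc: Incident) -> list[Obligation]:
    if not inc.personal_data_breach:
        return []
    return [Obligation("GDPR", "Art 33(1)", "personal data breach notification",
                       "supervisory authority", inc.aware_at + H72)]


def schedule(inc: Incident) -> list[Obligation]:
    """All obligations for one incident, earliest first; unstarted clocks sort last."""
    items = nis2_obligations(inc) + ai_act_obligations(inc) + gdpr_obligations(inc)
    return sorted(items, key=lambda o: (o.due is None, o.due or inc.aware_at))


if __name__ == "__main__":
    # Constructed example: ransomware on a scheduling platform, noticed 31 Jan 10:00 UTC,
    # that also halted an AI system steering critical infrastructure and exposed personal data.
    demo = Incident(aware_at=utc(2025, 1, 31, 10), nis2_significant=True,
                    notification_sent_at=utc(2025, 2, 2, 9),
                    ai_serious_category="critical_infra", personal_data_breach=True)
    for o in schedule(demo):
        when = o.due.isoformat() if o.due else "clock not started"
        print(f"{when:25}  {o.regime:6} {o.basis:12} {o.deliverable} -> {o.recipient}")
```

Two design choices matter in practice. "One month" is taken as a calendar month clamped to month end, so a notification filed on 31 January yields a final report due on 28 (or 29) February rather than 2 or 3 March; if your national transposition or portal counts differently, change `add_one_month`. And until the 72-hour notification has actually been filed, the final-report clock is anchored on the latest day it could be filed, which can only make the computed deadline later than the real one, so fill in `notification_sent_at` as soon as the filing goes in.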
Common misconceptions
- “24 / 72 hours is the entire deadline.” No — the 24-hour milestone is an early warning only; the formal notification falls due at 72 hours, and a final report is due at one month.
- “Significant means a major outage.” Article 23(3) is broader: financial loss, severe disruption, or considerable material or non-material damage to other parties all qualify.
- “NIS2 doesn’t apply to us — we’re too small.” The Annex I and II sector list combined with the Art 2(1) size-cap rule (medium-sized or larger under Recommendation 2003/361/EC: roughly 50+ headcount, or annual turnover and balance sheet total both above EUR 10M) captures more HR-tech and SaaS providers than NIS1 did, and Art 2(2) brings some entity types into scope regardless of size (for example trust service providers, DNS service providers and TLD name registries); check the specific national transposition.
- “One report covers NIS2 and the AI Act.” The two regimes have separate timelines, separate authorities (CSIRT vs market surveillance authority), and partly different content requirements. Map them separately.
Related EU guides
- AI Act conformity assessment for high-risk systems
- Annex IV technical documentation
- AI literacy obligation — Article 4
- Prohibited AI practices — Article 5
- GPAI vs deployer obligations
Sources
- Directive (EU) 2022/2555 (NIS2), Articles 2, 3, 21, 23 — EUR-Lex: eur-lex.europa.eu/eli/dir/2022/2555/oj
- Regulation (EU) 2024/1689 (AI Act), Articles 3(49), 26(5)–(6), 73, 79 — EUR-Lex: eur-lex.europa.eu/eli/reg/2024/1689/oj
- ENISA — NIS2 implementation guidance: enisa.europa.eu/topics/nis-directive
Note: NIS2 is a Directive; the operational detail is set by each Member State’s transposition law. Confirm the national CSIRT, competent authority and reporting portal that applies to your establishment. PowerQuant supplies software and documentation for use in your internal compliance process — not legal advice.
PowerQuant Module 1
AI inventory plus NIS2 incident-reporting templates and a 24h/72h/1-month decision checklist, delivered in 5 working days. Fixed fee, no subscription.
Price in EUR: FOUNDER_DECISION (placeholder pending Alex confirmation).