
NIS2 Article 23 incident notification

Use this workflow to separate a reportable NIS2 significant incident from lower-severity incidents and to preserve the notification record required by Article 23.

Built for security, legal, compliance, incident-response, customer-communications, and management owners who need a shared clock, evidence trail, and authority route.

Author: Sorena AI
Published: May 9, 2026
Updated: May 27, 2026

Overview

NIS2 Article 23 requires essential and important entities to notify their CSIRT or, where applicable, competent authority of significant incidents. The practical work is to identify when an incident has a significant impact, start the awareness clock, send the required reports without diverting response resources, and keep enough evidence to show what was known at each step.

Section 1

Trigger test: is the incident significant under Article 23?

Start with the Article 23 significance test, not with the communications template. An incident is significant when it has caused, or is capable of causing, severe operational disruption or financial loss for the entity, or when it has affected, or is capable of affecting, other natural or legal persons by causing considerable material or non-material damage.

The trigger record should capture the service affected, the time the entity became aware, the expected or actual disruption, affected recipients or third parties, financial-loss indicators, material or non-material damage indicators, and whether the incident may have cross-border impact. If the facts are still incomplete, record the uncertainty and update the assessment as the incident response team learns more.

  • Open an Article 23 assessment when service disruption, financial loss, third-party harm, malicious activity, or cross-border impact is plausible.
  • Name the in-scope essential or important entity and the service whose provision is affected.
  • Record the awareness timestamp separately from detection, triage, escalation, and authority-submission timestamps.
  • Keep the non-reporting decision if the team closes the Article 23 assessment below the significant-incident threshold.

Section 2

Build the reporting sequence around the Article 23 clocks

Article 23 uses a staged reporting sequence. The early warning is due without undue delay and in any event within 24 hours of becoming aware of the significant incident. The incident notification is due without undue delay and in any event within 72 hours of awareness. It should update the early warning with an initial severity and impact assessment and, where available, indicators of compromise.

After the 72-hour notification, be ready for intermediate reports when the CSIRT or competent authority requests status updates. The final report is due not later than one month after the incident notification. If the incident is still ongoing at that point, provide a progress report and then a final report within one month of handling the incident.

  • 24-hour early warning: suspected malicious or unlawful cause, possible cross-border impact, and enough information for the authority to understand the event.
  • 72-hour incident notification: updated facts, initial severity and impact assessment, and available indicators of compromise.
  • Intermediate report: status updates requested by the CSIRT or competent authority.
  • Final report: detailed incident description, severity and impact, likely threat type or root cause, mitigation measures, and cross-border impact where applicable.
  • Ongoing incident path: progress report at final-report time, then final report within one month after handling the incident.

Section 3

Route authority, recipient, and cross-border communications separately

The authority route is not the same as customer or recipient communication. Article 23 requires notification to the CSIRT or competent authority, and where appropriate, notification to recipients of services when significant incidents are likely to adversely affect the provision of those services.

Keep separate decision owners for authority reporting, recipient communications, law-enforcement escalation, and public disclosure. Article 23 also anticipates cross-border and cross-sector cases, where single points of contact and other affected Member States may need relevant information, while preserving the entity's security, commercial interests, and confidentiality.

  • Confirm the competent national route before the incident: CSIRT, competent authority, portal, form, and backup contact.
  • Use a separate recipient-communication assessment for affected service recipients and significant cyber threats.
  • Flag suspected criminal conduct for the authority guidance path on law-enforcement reporting.
  • Escalate cross-border or cross-sector indicators early because Article 23 information may need to move through single points of contact.
  • Do not merge public-disclosure messaging with Article 23 authority submissions unless the competent authority requires or coordinates that disclosure.

Section 4

Evidence to preserve for an Article 23 notification file

A useful Article 23 file shows why the team treated the event as reportable or not reportable, what the entity knew at each reporting point, and how the submitted information changed as investigation and mitigation progressed. It should be usable by incident responders during the event and by management, auditors, and regulators after the event.

For entities covered by Commission Implementing Regulation (EU) 2024/2690, align the notification file with incident-handling evidence such as incident classification, escalation records, logs, root-cause work, mitigation decisions, post-incident review, and management-body updates. ENISA guidance for that regulation describes practical advice and examples of evidence for cybersecurity requirements.

  • Awareness-clock record: who became aware, when, through which channel, and what facts were known.
  • Significance assessment: disruption, financial loss, third-party damage, affected services, affected recipients, and cross-border indicators.
  • Submission pack: early warning, incident notification, requested intermediate reports, final or progress report, authority acknowledgements, and portal receipts.
  • Investigation record: indicators of compromise, likely threat type or root cause, containment actions, mitigation measures, and unresolved uncertainty.
  • Governance record: legal review, management-body updates, recipient-communication approvals, and post-incident lessons learned.

Section 5

Checklist for operating the Article 23 workflow

Use this checklist before an incident to make Article 23 operational, and during an incident to keep the reporting record complete. The goal is not to wait for perfect forensic certainty; it is to report the required information on time, update it as facts mature, and avoid unsupported claims.

Trust service providers need separate handling for significant incidents affecting trust services because Article 23 sets a 24-hour notification derogation for that case. Other sector-specific Union laws may also change which NIS2 provisions apply when their incident-notification requirements are at least equivalent in effect.

When does NIS2 Article 23 require notification?

Notification is required when an essential or important entity becomes aware of an incident that has a significant impact on the provision of its services. Article 23 treats an incident as significant when it has caused or is capable of causing severe operational disruption or financial loss, or considerable material or non-material damage to other natural or legal persons.

What are the NIS2 Article 23 reporting deadlines?

Article 23 requires an early warning without undue delay and in any event within 24 hours of awareness, an incident notification without undue delay and in any event within 72 hours of awareness, requested intermediate reports, and a final report not later than one month after the incident notification. If the incident is still ongoing at final-report time, the entity provides a progress report and then a final report within one month of handling the incident.

  • Pre-map the CSIRT or competent authority route for each Member State where the entity may need to report.
  • Define who can start the Article 23 clock, approve the early warning, approve the 72-hour notification, and approve recipient communications.
  • Prepare templates for early warning, incident notification, intermediate report, final report, progress report, and non-reporting rationale.
  • Require every report draft to distinguish known facts, current estimates, unavailable data, and planned updates.
  • Add special-case review for trust service providers, cross-border incidents, ongoing incidents, suspected criminal conduct, and potentially equivalent sector-specific reporting rules.
