---
title: "NIS2 24-hour early warning: what to send and when"
canonical_url: "https://www.sorena.io/artifacts/eu/nis2-directive/faq/24-hour-early-warning"
source_url: "https://www.sorena.io/artifacts/eu/nis2-directive/faq/24-hour-early-warning"
author: "Sorena AI"
description: "Under NIS2 Article 23, covered essential and important entities submit an early warning within 24 hours of becoming aware of a significant incident."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "NIS2 24-hour early warning"
  - "EU NIS2 Directive"
  - "Article 23"
  - "significant incident"
  - "essential entities"
  - "important entities"
  - "incident notification"
  - "NIS2"
  - "24-hour early warning"
  - "Article 21"
---

# NIS2 24-hour early warning: what to send and when

Under NIS2 Article 23, covered essential and important entities submit an early warning within 24 hours of becoming aware of a significant incident.


## EU NIS2 Directive 24-hour early warning

NIS2 Article 23 requires an early warning without undue delay and within 24 hours after a covered entity becomes aware of a significant incident.

Use this FAQ to decide what to send, what evidence to preserve, and when to route country-specific details to the competent authority or CSIRT.

When a covered essential or important entity becomes aware of a significant incident, it should submit the early warning without undue delay, and in any event within 24 hours, through the applicable national CSIRT or competent-authority route.

## What does the NIS2 24-hour early warning require?

Under NIS2 Article 23, essential and important entities notify their CSIRT or competent authority of significant incidents. The first required step is an early warning submitted without undue delay and, in any event, within 24 hours of becoming aware of the significant incident.

The early warning is not the full incident report. It should flag that a significant incident exists and, where applicable, say whether the incident is suspected to involve unlawful or malicious acts or could have a cross-border impact.

- Start with the Article 23 significance test: severe operational disruption, financial loss, or considerable material or non-material damage to others.
- Record the point at which the entity became aware that the incident was significant.
- Send the early warning through the national route designated for the entity, usually the CSIRT or competent authority.
- Keep the 72-hour incident notification, requested intermediate reports, and final report linked to the same incident record.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02022L2555-20221227&ref=sorena.io) - Article 23 sets the significant-incident notification duty and the 24-hour early-warning deadline.
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io) - Commission overview of NIS2 scope, sectors, and policy context for covered entities.
- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - Further specifies significant-incident cases and awareness timing for listed digital and trust-service providers.

## What evidence should teams keep for the NIS2 24-hour early warning?

The evidence file should prove both the trigger and the timing. Keep the detection record, initial assessment, awareness timestamp, affected services, notification route, warning payload, submission receipt, and escalation approvals together.

Do not wait for the final root cause before sending the early warning. Article 23 expects a staged process: early warning, 72-hour incident notification, intermediate reports if requested, and a final report after the incident notification or after handling a continuing incident.

- Article 23 citation, national authority route, and the exact notification channel used.
- Awareness timestamp, significance assessment, incident commander, legal reviewer, authority-contact owner, and approval time.
- Affected network and information systems, service, country, supplier, customer group, and known or possible cross-border impact.
- Submitted early-warning text, submission receipt, acknowledgement, and any CSIRT or competent-authority request.
- Links to the 72-hour notification, requested intermediate updates, final report, mitigation actions, and lessons learned.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02022L2555-20221227&ref=sorena.io) - Article 23 defines the staged reporting sequence and the contents of the later incident notification and final report.
- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - Explains timely assessment of suspicious events and awareness for the listed relevant entities.
- [ENISA - NIS2 technical implementation guidance](https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance?ref=sorena.io) - ENISA guidance provides implementation and evidence examples for entities subject to Regulation 2024/2690.

## Which edge cases can affect the NIS2 24-hour early-warning clock?

The hardest cases are usually about awareness, significance, and routing. Decide when the entity had enough certainty to treat the event as a significant incident, which Member State route applies, and whether the incident may affect recipients in more than one Member State.

For the provider categories covered by Regulation 2024/2690, the regulation says notification deadlines run from awareness and links awareness to an initial assessment with a reasonable degree of certainty. Other entities should check national implementation rules and authority guidance for local routing and procedural detail.

- A group incident may require separate routing if different legal entities, sectors, or Member States are affected.
- A supplier or managed-service-provider alert may start triage, but the covered entity still needs its own NIS2 significance assessment.
- A possible criminal incident should be flagged because Article 23 expects guidance on law-enforcement reporting where the incident appears criminal.
- A country implementation step can add portal, language, acknowledgement, or sector-authority details beyond the EU-level text.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02022L2555-20221227&ref=sorena.io) - Article 23 covers cross-border notifications, CSIRT or authority feedback, and criminal-reporting guidance.
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io) - Commission overview for understanding whether NIS2 scope and sector obligations are likely to apply.
- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - Gives horizontal and provider-specific significant-incident criteria for the covered relevant entities.

## Primary sources

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02022L2555-20221227&ref=sorena.io) - Binding Article 23 source for significant-incident notification, 24-hour early warning, 72-hour incident notification, and final report.
  - Quote: "within 24 hours of becoming aware"
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io) - Commission overview for NIS2 scope, covered sectors, and implementation context.
  - Quote: "NIS2 Directive"
- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - Specifies significant-incident cases and awareness timing for the listed digital infrastructure, ICT service management, digital provider, and trust-service entities.
  - Quote: "reasonable degree of certainty"
- [ENISA - NIS2 technical implementation guidance](https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance?ref=sorena.io) - ENISA implementation guidance with evidence examples for entities subject to Regulation 2024/2690.
  - Quote: "practical advice, examples of evidence"

(c) 2026 Sorena AB (559573-7338). All rights reserved.

