FAQEU

NIS2 72-hour incident notification

The NIS2 72-hour incident notification is the Article 23 follow-up report for a significant incident, due without undue delay and in any event within 72 hours of awareness.

Use it to update the 24-hour early warning with the initial severity and impact assessment, available indicators of compromise, authority route, and evidence trail.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 27, 2026
Questions
3

Structured answer sets in this page tree.

Primary sources
5

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 27, 2026
Overview

NIS2 Article 23 requires essential and important entities to notify their CSIRT or, where applicable, competent authority of significant incidents. The 72-hour notification is not the first alert: it follows the 24-hour early warning and gives the authority a more complete initial assessment of the incident.

Search this module

Find a question or answer quickly

3 of 3 questions
Question 1

What does the NIS2 72-hour incident notification require?

Submit the incident notification without undue delay and in any event within 72 hours of becoming aware of a significant incident. It should update the 24-hour early warning and include the entity's initial assessment of the significant incident, including severity, impact, and indicators of compromise where those are available.

Do not wait for perfect root-cause certainty if the Article 23 significance threshold is met. Record what is known, what is estimated, what is unavailable, and which facts will be updated through intermediate reports or the final report.

  • Confirm that the incident is significant because it has caused, or is capable of causing, severe operational disruption, financial loss, or considerable material or non-material damage to others.
  • Start the 72-hour clock from awareness of the significant incident, and preserve the awareness timestamp separately from detection and submission timestamps.
  • Send the notification to the CSIRT or, where applicable, competent authority for the relevant Member State route.
  • Update the early warning with severity, impact, affected services, cross-border indicators, and available indicators of compromise.
  • Keep the submission receipt, report version, approver, and known uncertainty in the incident file.
Citations
Question 2

What should the 72-hour notification record contain?

The record should be operational enough for incident responders and defensible enough for later legal, management, audit, or authority review. It should show why the incident met the significance threshold, when the organization became aware, what was submitted, and what remains open.

Separate the authority notification from customer, recipient, public, and law-enforcement communications. Article 23 includes recipient communication and authority guidance paths, but those decisions may have different owners, approval steps, and confidentiality constraints.

  • Entity and service: the essential or important entity, affected service, affected systems, and Member State reporting route.
  • Clock evidence: awareness time, early-warning submission, 72-hour notification submission, authority acknowledgement, and any missed or delayed step rationale.
  • Impact assessment: operational disruption, financial-loss indicators, affected recipients or third parties, and material or non-material damage indicators.
  • Technical facts: incident timeline, available indicators of compromise, suspected unlawful or malicious activity, and known cross-border impact.
  • Follow-up plan: requested intermediate reports, mitigation work, recipient communications, final-report owner, and final-report deadline.
Citations
Question 3

What happens after the 72-hour notification?

After the 72-hour notification, be ready to provide intermediate reports if the CSIRT or competent authority requests status updates. The final report is due not later than one month after the incident notification and should include the detailed incident description, severity and impact, likely threat type or root cause, mitigation measures, and cross-border impact where applicable.

If the incident is still ongoing when the final report would otherwise be due, Article 23 calls for a progress report at that time and a final report within one month after handling the incident.

  • Track authority requests for intermediate reports and assign a status-update owner.
  • Keep root-cause language qualified until the investigation supports it.
  • Update mitigation evidence as containment, eradication, recovery, and longer-term remediation work progresses.
  • Escalate suspected criminal conduct through the guidance path offered by the CSIRT or competent authority.
  • Document cross-border and recipient-impact decisions separately from the authority submission.
Citations
Recommended next step

Use this FAQ as a cited incident-reporting checklist

Sorena can turn the NIS2 72-hour notification requirements into owner assignments, incident-clock evidence, report templates, and source-linked review steps.

Research workflow
Open Research Copilot for NIS2

Ask source-linked questions about Article 23 incident reporting, significant-incident thresholds, evidence fields, and follow-up reports.

Explore next step
Talk to Sorena
Talk through implementation

Review your NIS2 notification clock, authority route, report content, and evidence file with Sorena.

Explore next step
Primary sources

References and citations

Directive (EU) 2022/2555 (NIS2)
eur-lex.europa.eu
Referenced sections
  • Primary legal source for Article 23 significant-incident reporting obligations, including the 24-hour early warning, 72-hour incident notification, intermediate reports, final reports, and authority routing.
"Reporting obligations"
Directive (EU) 2022/2555 (NIS2), Article 23
eur-lex.europa.eu
Referenced sections
  • Sets the intermediate-report, final-report, ongoing-incident progress-report, law-enforcement guidance, and cross-border sharing rules.
"final report"
ENISA - NIS2 technical implementation guidance
enisa.europa.eu
Referenced sections
  • Provides practical implementation guidance and examples of evidence for NIS2 cybersecurity risk-management requirements for entities covered by the implementing regulation.
"examples of evidence"
European Commission - NIS2 Directive overview
digital-strategy.ec.europa.eu
Referenced sections
  • Commission overview for NIS2 scope, reporting requirements, national authorities, and incident-response cooperation.
"significant incidents"
NIS2 recital 102 on staged reporting
eur-lex.europa.eu
Referenced sections
  • Explains the purpose of the staged reporting sequence and clarifies that reporting should not divert resources from significant incident handling.
"incident handling"
Related guides

Explore more topics

Are managed service providers in scope of NIS2?
NIS2 scope answer for managed service providers and managed security service providers, including service definition, size-cap checks, entity status, and jurisdiction evidence.
EU NIS2 Directive applicability test for entity scope
Stepwise NIS2 applicability test for Annex I and Annex II sectors, medium and large entities, size-independent cases, essential or important classification, jurisdiction, and evidence.
EU NIS2 Directive deadlines and compliance calendar | Article 23 clocks
source-linked NIS2 compliance calendar covering 17 October 2024 transposition, 18 October 2024 application, Article 27 registry data, Article 3 entity lists, Article 23 incident-reporting clocks, and Member State transposition watch items.
FAQ: NIS2 essential vs important entity classification and registration obligations
Plain-English FAQ comparing NIS2 essential entities and important entities, with Article 3 classification rules, shared Article 21 and 23 duties, supervision differences, and evidence to keep.
NIS2 24-hour early warning: what to send and when
Under NIS2 Article 23, covered essential and important entities submit an early warning within 24 hours of becoming aware of a significant incident.
NIS2 Annex I and Annex II Sector Scoping Guide
Map NIS2 Annex I and Annex II sectors, entity types, size-cap rules, and essential versus important entity classification with official EU sources.
NIS2 Article 21 control baseline and evidence checklist
Build a NIS2 Article 21 control baseline from the Directive's minimum cybersecurity risk-management measures, proportionality test, supplier duties, and evidence expectations.
NIS2 Article 21 control-by-control evidence checklist
Map NIS2 Article 21 risk-management measures to evidence records for governance, incident handling, continuity, supply chain, testing, cyber hygiene, cryptography, access, assets, and authentication.
NIS2 Article 21 Gap Assessment Workflow: controls, evidence, and owners
Assess NIS2 Article 21 cybersecurity risk-management gaps by mapping current controls to Article 21(2), ownership, evidence, supplier risk, and management review.
NIS2 Article 23 incident notification workflow
Map NIS2 Article 23 reporting duties for significant incidents: 24-hour early warning, 72-hour notification, intermediate reports, final report, recipients, and evidence.
NIS2 Compliance Checklist: scope, controls, reporting
Use this NIS2 compliance checklist to confirm scope, entity classification, management-body duties, Article 21 controls, Article 23 reporting, and evidence.
NIS2 Compliance Guide: scope, controls, reporting, and evidence
A practical NIS2 compliance guide for mapping entity scope, Article 21 risk measures, Article 23 incident reporting, management accountability, and evidence records.
NIS2 Country Transposition Tracker: EU Status Workflow
Track NIS2 Directive transposition by EU country with Commission status pages, Article 41 deadlines, reasoned-opinion flags, source URLs, and review controls.
NIS2 Entity Classifier Workflow: essential vs important entity scoping
Classify whether an EU service is out of scope, an important entity, an essential entity, or needs national-authority review under the NIS2 Directive.
NIS2 essential vs important entities: Article 3 scope and supervision guide
Classify NIS2 essential and important entities using Article 3, Annex I and II sector scope, size-cap rules, registration evidence, and the Article 32/33 supervision split.
NIS2 essential vs important entities: supervision regime and audit evidence requirements
Compare NIS2 essential and important entities by scope, Article 21 and 23 duties, Article 32 and 33 supervision, evidence, jurisdiction, and penalties.
NIS2 FAQ: scope, Article 21 controls, incident reporting, and penalties
source-linked NIS2 FAQ for teams deciding whether they are in scope, whether they are essential or important entities, which Article 21 cybersecurity measures apply, how Article 23 incident reporting works, and what penalties and evidence records to plan for.
NIS2 incident clock triage workflow
Triage a possible NIS2 significant incident by recording awareness time, severity, impact, authority route, recipient communications, and Article 23 reporting clocks.
NIS2 Incident Reporting Workflow: 24-hour, 72-hour, and final report steps
Build a NIS2 Article 23 incident reporting workflow with significance triage, CSIRT or authority notification steps, recipient communication, cross-border checks, and evidence records.
NIS2 Management Body Accountability: board duties, training, and evidence
source-linked guide to NIS2 Article 20 management body accountability: approval of Article 21 measures, oversight, liability, training, reporting lines, and evidence.
NIS2 Member State Transposition: What Teams Must Check
How to handle NIS2 Member State transposition: use Article 41 as the EU baseline, then verify national law, authority routing, registration, and incident-reporting details.
NIS2 National Transposition Tracker: EU Member State Evidence Register
Track NIS2 national transposition with Commission country pages, Article 41 dates, reasoned-opinion flags, source wording, authority contacts, and legal review triggers.
NIS2 penalties and fines: Article 34 caps for essential and important entities
NIS2 penalties and fines explained for EU essential and important entities, including Article 34 fine ceilings, Article 21 and 23 triggers, national transposition, and evidence to keep.
NIS2 Registration and Authority Notification Guide
Map NIS2 Article 3 entity-list duties, Article 27 registry submissions, competent-authority contacts, and national registration portal evidence without inventing country deadlines.
NIS2 Requirements: scope, Article 21 controls, reporting, and evidence
Map NIS2 requirements for essential and important entities: scope classification, management-body duties, Article 21 cybersecurity measures, Article 23 incident reporting, and evidence records.
NIS2 Size Cap Rule and Special Scope Cases
Determine whether NIS2 applies under the medium-size rule, regardless-of-size special cases, critical entity rule, and Member State registration lists.
NIS2 size-cap rule: when medium and large entities are in scope
Plain-language FAQ on the NIS2 size-cap rule: medium and large Annex I or II entities, SME thresholds, regardless-of-size exceptions, and evidence to keep.
NIS2 supply chain security program: Article 21 controls, contracts, and evidence
Build a NIS2 Article 21 supply chain security program for direct suppliers and service providers: policy, supplier criteria, contract clauses, monitoring, registry evidence, and source-linked checks.
NIS2 vs CER Directive comparison: cyber obligations and critical-entity resilience
Compare NIS2 and the CER Directive using grounded rows for scope, triggers, evidence, incident handling, supervision, and shared critical-entity work.
NIS2 vs DORA: scope, overlap, and evidence for EU cyber compliance
Compare NIS2 and DORA for EU cyber compliance: covered entities, when DORA replaces NIS2 duties for financial entities, incident reporting, evidence, and supervisory handoffs.
NIS2 vs GDPR breach reporting: EU deadlines and overlap
Compare NIS2 significant-incident reporting with GDPR personal-data-breach reporting, including scope, 24-hour and 72-hour clocks, evidence, and overlap.
NIS2 vs ISO/IEC 27001: legal duties, ISMS evidence, and reuse limits
Compare NIS2 legal obligations with ISO/IEC 27001 ISMS requirements: scope, Article 21 controls, incident clocks, SoA evidence, audits, and certification reuse.
NIS2 vs ISO/IEC 27017: legal duties, cloud controls, and reuse limits
Compare NIS2 legal obligations with ISO/IEC 27017 cloud-service controls: entity scope, Article 21 measures, incident clocks, shared responsibility, evidence, and assurance limits.
NIS2 vs NIS1: what changed in EU cybersecurity compliance
Compare NIS2 with the repealed NIS1 Directive: expanded sectors, essential and important entities, management-body duties, Article 21 controls, Article 23 reporting, and supervision.