---
title: "NIS2 incident clock triage workflow"
canonical_url: "https://www.sorena.io/artifacts/eu/nis2-directive/incident-clock-triage-workflow"
source_url: "https://www.sorena.io/artifacts/eu/nis2-directive/incident-clock-triage-workflow"
author: "Sorena AI"
description: "Triage a possible NIS2 significant incident by recording awareness time, severity, impact, authority route, recipient communications, and Article 23 reporting clocks."
published_at: "2026-05-09"
updated_at: "2026-05-27"
keywords:
  - "NIS2 incident clock"
  - "Article 23 triage"
  - "significant incident"
  - "24-hour early warning"
  - "72-hour incident notification"
  - "NIS2 incident response"
  - "NIS2"
  - "Article 23"
  - "incident clock"
  - "incident triage"
---

# NIS2 incident clock triage workflow

Triage a possible NIS2 significant incident by recording awareness time, severity, impact, authority route, recipient communications, and Article 23 reporting clocks.

Use this workflow when a security event might become a NIS2 significant incident and the team needs to decide what clock is running, who must act, and what evidence belongs in the file.

Built for incident response, legal, compliance, customer communications, service owners, and management-body reporting teams that need a shared Article 23 triage record.

NIS2 Article 23 reporting starts from awareness of a significant incident, not from the moment a ticket is opened or a root cause is confirmed. This workflow helps teams preserve the awareness timestamp, run the significance test, route the early warning and incident notification, and keep the incident response effort moving while the reporting record matures. If a sector-specific Union legal act already covers the entity's cybersecurity risk-management measures or incident notification rules, that act can apply instead; for example, Regulation (EU) 2022/2554 governs financial entities, and Article 4 of NIS2 says equivalent sector-specific rules take precedence for the covered scope.

## Start the clock file before the facts are complete

Open the clock file when an event could have a significant impact on the provision of an in-scope service. The first decision is not whether the final report can be drafted; it is whether the entity has enough information to treat the event as a potential NIS2 significant incident and preserve the awareness timeline.

Separate four timestamps: first technical signal, human triage, entity awareness of a possible significant incident, and any authority submission. That separation matters because Article 23 deadlines run from becoming aware of the significant incident, while Commission Implementing Regulation (EU) 2024/2690 explains that awareness follows an initial assessment giving the entity a reasonable degree of certainty that a significant incident has occurred.

- Open a clock record for major service disruption, suspected malicious activity, financial-loss indicators, third-party harm, or possible cross-border impact.
- Record the affected legal entity, service, Member State route, system, supplier, customer group, and current incident commander.
- Keep known facts, estimates, unknowns, and planned updates in separate fields.
- If the event is closed below the significant-incident threshold, keep the non-reporting rationale and the facts available at the time.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2), Article 23](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Primary source for significant-incident reporting and the Article 23 reporting sequence.
- [Implementing Regulation (EU) 2024/2690](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - Clarifies that notification deadlines run from awareness and links awareness to the entity's initial assessment of the suspicious event.

## Run the Article 23 significance triage

Use the significance triage to decide whether Article 23 is in play. Under NIS2, a significant incident is tied to severe operational disruption, financial loss for the entity, or considerable material or non-material damage affecting other natural or legal persons.

The triage should produce a defensible yes, no, or continue-monitoring decision. It should not wait for perfect forensic certainty, and it should not turn every security alert into a reportable incident without linking the facts to the Article 23 impact test.

- Service impact: what service is affected, how important is it to the entity's provision of services, and is disruption actual or reasonably expected?
- Severity and duration: what is known about outage, degradation, data exposure, safety, operational dependence, or recovery uncertainty?
- Financial loss: what loss indicators are known or plausible from downtime, remediation, service credits, fraud, or interrupted operations?
- Third-party damage: could customers, recipients, suppliers, patients, citizens, or other legal persons suffer considerable material or non-material damage?
- Cross-border impact: could affected services, recipients, infrastructure, or suppliers involve two or more Member States?

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2), Article 23](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Defines when an incident is significant for the reporting obligation.
- [NIS2 recital 101 on significant-incident assessment](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Lists assessment factors such as affected systems, service importance, threat severity, exploited vulnerabilities, duration, and affected recipients.

## Map the reporting clocks before drafting the message

When the triage points to a significant incident, move immediately to the staged Article 23 clock. The early warning is due without undue delay and in any event within 24 hours of awareness. The incident notification is due without undue delay and in any event within 72 hours of awareness.

Use the 24-hour step to alert the CSIRT or competent authority with the information needed at that point, including whether malicious or unlawful acts are suspected and whether there may be cross-border impact. Use the 72-hour step to update the early warning with an initial severity and impact assessment and available indicators of compromise.

- 24-hour early warning: awareness timestamp, affected service, initial incident summary, suspected malicious or unlawful cause where applicable, and possible cross-border impact.
- 72-hour incident notification: updated facts, initial severity and impact assessment, available indicators of compromise, and unresolved information gaps.
- Intermediate report: prepare status updates if the CSIRT or competent authority requests them.
- Final report: due not later than one month after the incident notification, covering severity, impact, likely threat type or root cause, mitigation, and cross-border impact where applicable.
- Ongoing incident path: if the incident is still ongoing when the final report would be due, provide a progress report and then a final report within one month of handling the incident.
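
An added example, not part of the original page or of any Sorena tooling: a minimal clock record that keeps the timestamps from the clock-file section apart and derives the reporting deadlines listed above, including the ongoing-incident path. The class, field and function names, the sample incident, and the rule used for "one month" (same day of the next month, clamped to month end) are assumptions made for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

UTC = timezone.utc
EARLY_WARNING_WINDOW = timedelta(hours=24)  # counted from awareness
NOTIFICATION_WINDOW = timedelta(hours=72)   # counted from awareness


def add_one_month(ts: datetime) -> datetime:
    """Assumption: 'one month' = same day next month, clamped to month end."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass
class ClockFile:
    """Hypothetical record; the four timestamps are never merged into one."""
    first_signal: datetime                            # first technical signal
    human_triage: Optional[datetime] = None           # analyst picked it up
    awareness: Optional[datetime] = None              # entity awareness decision
    notification_submitted: Optional[datetime] = None  # authority submission
    incident_handled: Optional[datetime] = None       # for the ongoing path

    def __post_init__(self) -> None:
        # Reject naive timestamps and store everything in UTC, so that
        # local-time or daylight-saving ambiguity cannot shift a deadline.
        for name, value in list(vars(self).items()):
            if value is None:
                continue
            if value.tzinfo is None or value.utcoffset() is None:
                raise ValueError(f"{name} needs an explicit UTC offset")
            setattr(self, name, value.astimezone(UTC))

    def deadlines(self, as_of: datetime) -> Dict[str, datetime]:
        """Latest permitted times; as_of must be timezone-aware."""
        if self.awareness is None:
            return {}  # no awareness decision recorded, no clock running
        due = {
            "early_warning": self.awareness + EARLY_WARNING_WINDOW,
            "incident_notification": self.awareness + NOTIFICATION_WINDOW,
        }
        # One month after the notification; until it is submitted, the
        # 72-hour deadline is used as the latest possible basis (assumption).
        basis = self.notification_submitted or due["incident_notification"]
        report_due = add_one_month(basis)
        handled = self.incident_handled
        if handled is None:
            ongoing_at_due = as_of >= report_due
        else:
            ongoing_at_due = handled > report_due
        if ongoing_at_due:
            due["progress_report"] = report_due
            if handled is not None:
                due["final_report"] = add_one_month(handled)
        else:
            due["final_report"] = report_due
        return due


def time_left(clock: ClockFile, as_of: datetime) -> Dict[str, timedelta]:
    """Remaining time per deadline; a negative value means overdue."""
    return {name: due - as_of for name, due in clock.deadlines(as_of).items()}


# Constructed sample incident, not real data.
CET = timezone(timedelta(hours=1))
SAMPLE = ClockFile(
    first_signal=datetime(2025, 1, 29, 22, 10, tzinfo=UTC),
    human_triage=datetime(2025, 1, 30, 6, 30, tzinfo=CET),
    awareness=datetime(2025, 1, 30, 9, 15, tzinfo=CET),
    notification_submitted=datetime(2025, 1, 31, 16, 0, tzinfo=UTC),
    incident_handled=datetime(2025, 3, 10, 12, 0, tzinfo=UTC),
)

if __name__ == "__main__":
    now = datetime(2025, 1, 30, 20, 15, tzinfo=UTC)
    for name, due in SAMPLE.deadlines(now).items():
        print(f"{name:22} {due.isoformat()}  left: {due - now}")
```

The computed times are the outer limits only; both the early warning and the incident notification are also due without undue delay.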

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2), Article 23](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Sets the 24-hour early warning, 72-hour notification, intermediate report, final report, and ongoing-incident progress path.
- [NIS2 recital 102 on staged reporting](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Explains the purpose of swift staged reporting and warns against diverting resources from incident handling.

## Assign authority, recipient, and escalation owners

The triage record should identify who owns each external communication path. Article 23 notification goes to the CSIRT or, where applicable, the competent authority. Recipient communications are a separate decision when significant incidents are likely to adversely affect the provision of services or when recipients can take measures or remedies in response to a significant cyber threat.

Do not leave cross-border, law-enforcement, trust-service-provider, or public-disclosure questions until after the deadline. Article 23 includes routes for single points of contact, other affected Member States and ENISA, law-enforcement guidance where criminal activity is suspected, and public awareness where necessary or in the public interest.

- Authority owner: confirms the national CSIRT or competent-authority portal, form, backup contact, and submission receipt process.
- Recipient owner: decides whether affected service recipients need measures, remedies, or threat information in clear language.
- Legal owner: checks sector-specific Union law, trust-service-provider handling, law-enforcement guidance, confidentiality, and privilege questions.
- Cross-border owner: flags affected Member States, shared infrastructure, multinational customers, and supplier dependencies.
- Management owner: receives concise status updates without slowing containment, eradication, recovery, and reporting work.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2), Article 23](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Covers authority routing, recipient communications, cross-border sharing, law-enforcement guidance, and public-awareness cases.
- [ENISA CIRAS incident reporting](https://ciras.enisa.europa.eu/ciras-consolidated-reporting?ref=sorena.io) - ENISA incident-reporting portal context for national authority reporting and aggregated incident analysis.

## Preserve the evidence that explains the clock decision

A usable clock file shows what the team knew, when it knew it, why the incident was or was not treated as significant, and what was submitted or communicated at each reporting point. The file should support live response first and later review second.

For entities covered by Commission Implementing Regulation (EU) 2024/2690, align the triage evidence with the required incident-handling policy: incident categorisation, escalation, communication plans, assigned roles, response documents, documentation, reporting, and post-incident improvement.

- Clock evidence: detection source, initial assessor, awareness decision, authority-deadline calculations, and submission timestamps.
- Impact evidence: service metrics, outage or degradation windows, affected recipients, financial-loss indicators, material or non-material damage indicators, and cross-border facts.
- Response evidence: containment decisions, mitigation measures, indicators of compromise, root-cause hypotheses, supplier inputs, and unresolved uncertainty.
- Communication evidence: authority submissions, acknowledgements, recipient notices, management updates, and public-disclosure decisions.
- Review evidence: post-incident lessons, policy or runbook changes, control updates, and reasons for reopening or closing the clock file.

Sources for this answer:

- [Implementing Regulation (EU) 2024/2690](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - Requires incident-handling policies with categorisation, escalation, reporting, roles, response documents, and post-incident improvement for covered entities.
- [ENISA - NIS2 technical implementation guidance](https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance?ref=sorena.io) - Provides practical guidance and examples of evidence for entities implementing the NIS2 implementing regulation.

## Clock-triage closure checklist

Close the clock triage only after the team can explain the decision from the record alone. If the event remains uncertain, keep the file open with a named owner, next fact needed, and next review time.

The closure decision should also consider whether the incident triggers post-incident review, risk-assessment updates, business-continuity changes, supplier follow-up, or management-body reporting. The implementing regulation repeatedly ties significant incidents to review and update duties for incident handling, risk treatment, continuity, crisis management, and related controls.

- The awareness timestamp and Article 23 deadline calculations are recorded and approved.
- The significance decision is linked to service disruption, financial loss, third-party damage, and cross-border indicators.
- The authority route, recipient route, legal route, and management route each have an owner.
- Known facts, estimates, unknowns, and corrections are separated across every draft and submission.
- The file states whether the workflow is closed, still monitoring, converted to the Article 23 reporting workflow, or reopened after new facts.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2), Article 23](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports the closure checklist for awareness, reporting clocks, final-report content, and ongoing incidents.
- [Implementing Regulation (EU) 2024/2690](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - Supports post-incident review and updates after significant incidents for covered digital and ICT service entities.

## Primary sources

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Primary legal source for Article 23 significant-incident reporting, notification clocks, recipient communications, cross-border handling, and final-report content.
  - Quote: "Reporting obligations"
- [Implementing Regulation (EU) 2024/2690](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - Sets technical and methodological cybersecurity risk-management requirements for covered digital and ICT service entities, including incident handling and awareness guidance.
  - Quote: "incident handling"
- [ENISA - NIS2 technical implementation guidance](https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance?ref=sorena.io) - Provides practical implementation guidance, mappings, and examples of evidence for the NIS2 implementing regulation.
  - Quote: "examples of evidence"
- [ENISA CIRAS incident reporting](https://ciras.enisa.europa.eu/ciras-consolidated-reporting?ref=sorena.io) - ENISA incident-reporting portal context for national reporting and aggregated EU incident analysis.
  - Quote: "significant impact"

