Artifact GuideEU

NIS2 Article 23 Incident Reporting Workflow

Use this workflow to decide whether an incident is significant under NIS2, notify the right CSIRT or competent authority, and keep the 24-hour, 72-hour, intermediate, and final-report records together.

Grounded in Directive (EU) 2022/2555 Article 23, the Commission NIS2 overview, ENISA CIRAS reporting context, and Implementing Regulation (EU) 2024/2690 for covered digital and trust-service entities.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
7

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

This workflow converts NIS2 incident reporting into an operating record for essential and important entities. It starts when security, operations, customer support, a supplier, a customer, an authority, media reporting, or another source raises a suspicious event that may affect covered services.

Section 1

Workflow goal: make NIS2 reporting decisions fast and auditable

NIS2 requires essential and important entities to notify a significant incident without undue delay to the CSIRT or, where applicable, the competent authority designated by the relevant Member State. The workflow record should show when the entity became aware of the incident, why the incident was or was not significant, and which notifications or communications were sent.

Treat incident handling as the priority. The reporting workflow should collect enough information for the authority and for later review without pulling responders away from containment, recovery, and mitigation work.

  • Trigger: a suspicious event, confirmed incident, third-party notice, customer report, authority request, or public report affecting a covered service.
  • Decision: not an incident, incident below NIS2 significance, significant incident, or escalation needed because impact is still uncertain.
  • Recipients: the Member State CSIRT or competent authority, potentially affected service recipients where required, and internal legal, incident-response, communications, and management owners.
  • Evidence: awareness time, significance rationale, service impact, severity, indicators of compromise where available, mitigation status, cross-border assessment, recipient notices, authority feedback, and final report materials.
Sources for this answer
Directive (EU) 2022/2555 (NIS2)
Article 23 sets the core notification recipients, significant-incident test, reporting sequence, and recipient-communication duties.
European Commission - NIS2 Directive overview
Commission overview confirming that NIS2 introduces reporting requirements across more sectors and structures EU cooperation through CSIRTs and other authorities.
ENISA CIRAS incident reporting
ENISA context for EU incident reporting statistics, national reporting processes, and the Cybersecurity Incident Reporting and Analysis System.
Section 2

Step 1: triage significance before the reporting clock is missed

Open a significance triage as soon as the incident lead has enough information to suspect an impact on a NIS2-covered service. Under Article 23, an incident is significant if it has caused or is capable of causing severe operational disruption or financial loss for the entity, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

For DNS, TLD registry, cloud, data centre, CDN, managed service, managed security service, online marketplace, online search engine, social networking platform, and trust-service providers covered by Implementing Regulation (EU) 2024/2690, add the regulation's incident-significance criteria to the triage. Do not apply those sector-specific criteria to other entity types unless the relevant law or authority guidance says to do so.

  • Record the first time the entity had a reasonable basis to treat the event as a significant incident.
  • Map affected services, users or relying parties where relevant, systems, countries, suppliers, and customer groups.
  • Capture whether the incident could involve severe operational disruption, financial loss, material or non-material damage, death, considerable damage to health, trade-secret exfiltration, malicious unauthorised access, or recurring incidents with the same apparent root cause.
  • Separate scheduled maintenance and planned interruptions from reportable incident impact where the grounding criteria support that distinction.
  • Escalate unresolved significance questions to legal, compliance, and the incident commander before the 24-hour early-warning deadline is at risk.
Sources for this answer
Directive (EU) 2022/2555 (NIS2)
Article 23(3) defines when an incident is significant for NIS2 reporting.
Implementing Regulation (EU) 2024/2690 for NIS2 technical measures
Further specifies significant-incident cases for listed digital infrastructure, digital service, managed service, managed security service, and trust-service entities.
Section 3

Step 2: send the 24-hour early warning

If the incident is significant, prepare the early warning for the CSIRT or competent authority without undue delay and in any event within 24 hours of becoming aware of the significant incident. The early warning is not the full root-cause report; it should make the authority aware of the incident and enable assistance where needed.

The early warning should state, where applicable, whether unlawful or malicious acts are suspected and whether cross-border impact could exist. Keep the submission receipt, the exact time sent, the recipient authority, and the information set that was available at the time.

  • Owner: incident commander prepares facts; legal or compliance confirms the authority route; communications prepares recipient-facing language if needed.
  • Minimum record: awareness time, services affected, known or suspected cause, current severity, containment status, malicious-activity suspicion, cross-border risk, and assistance requested.
  • Evidence: incident ticket, timeline, logs or monitoring extracts, submitter name, notification channel, authority acknowledgement, and any request for operational advice.
  • Control: update the triage if new facts show the incident is not significant, has wider cross-border impact, or requires recipient communication.
Sources for this answer
Directive (EU) 2022/2555 (NIS2)
Article 23(4)(a) requires the early warning within 24 hours of awareness of the significant incident.
ENISA CIRAS incident reporting
ENISA describes national incident reporting for cybersecurity incidents with significant impact and provides CIRAS context for reporting processes.
Section 4

Step 3: submit the 72-hour incident notification

Follow the early warning with the incident notification without undue delay and in any event within 72 hours of becoming aware of the significant incident. This notification updates the early warning and adds an initial assessment of severity and impact, plus indicators of compromise where available.

Trust service providers have a specific Article 23 derogation for significant incidents affecting their trust services: the incident notification must be made without undue delay and in any event within 24 hours of awareness. Keep that trust-service branch explicit in the workflow so the wrong deadline is not applied.

  • Add impact detail: affected services, users or relying parties where applicable, duration or availability status, geographic spread, customer impact, and current recovery position.
  • Add technical detail: suspected threat type or root cause, indicators of compromise where available, systems affected, containment actions, and evidence quality.
  • Add business detail: material or non-material damage indicators, financial-loss estimate where available, supplier involvement, and customer or recipient notification status.
  • Add governance detail: authority recipient, legal basis, submitter, internal approver, and open assumptions that may change the next report.
Sources for this answer
Directive (EU) 2022/2555 (NIS2)
Article 23(4)(b) sets the 72-hour incident notification, and the same paragraph sets the trust-service provider derogation.
Implementing Regulation (EU) 2024/2690 for NIS2 technical measures
Useful for covered relevant entities when assessing users, service availability, malicious unauthorised access, recurring incidents, and other specified significant-incident criteria.
Section 5

Step 4: manage authority feedback, recipient notices, and cross-border handling

After the early warning, the CSIRT or competent authority should provide initial feedback without undue delay and where possible within 24 hours, including guidance or operational advice if requested. Route that feedback into the incident command channel and record any action taken or rejected.

Where appropriate, notify recipients of services that are likely to be adversely affected by the significant incident or significant cyber threat. If the incident concerns two or more Member States, expect cross-border handling through the CSIRT, competent authority, or single point of contact; your record should preserve the facts needed to determine cross-border impact.

  • Track authority feedback, requests for more information, operational advice, law-enforcement guidance, and technical support requests.
  • Prepare recipient notices with practical measures or remedies recipients can take where Article 23 requires communication.
  • Flag whether public awareness may be necessary to prevent or deal with the incident, while keeping authority consultation and confidentiality controls in the record.
  • Preserve commercial-sensitive and security-sensitive information handling decisions when sharing incident information across jurisdictions.
Sources for this answer
Directive (EU) 2022/2555 (NIS2)
Article 23 covers authority feedback, recipient communication, cross-border forwarding, ENISA information flow, and public-awareness handling.
European Commission - NIS2 Directive overview
Commission overview describes NIS2 cooperation, information-sharing, supervision, and enforcement context.
ENISA CIRAS incident reporting
ENISA explains that critical service provider incident reports are collected, anonymised, aggregated, and analysed at EU level.
Section 6

Step 5: close with intermediate, final, or progress reports

Be ready to provide an intermediate report on relevant status updates if the CSIRT or competent authority requests one. Do not wait for root-cause certainty before maintaining the reporting record; distinguish confirmed facts from working hypotheses.

Submit the final report not later than one month after the 72-hour incident notification. If the incident is still ongoing at that point, provide a progress report and then submit the final report within one month of handling the incident.

  • Final report content: detailed incident description, severity and impact, likely threat type or root cause, applied and ongoing mitigation measures, and cross-border impact where applicable.
  • Evidence package: notification copies, authority responses, recipient communications, timeline, affected services, forensic or technical summaries, mitigation decisions, lessons learned, and management review notes.
  • Reopen triggers: materially different root cause, additional affected Member State, new customer harm, revised financial-loss estimate, law-enforcement instruction, or authority request.
  • Post-incident control: feed lessons into risk management, incident handling, business continuity, supplier management, logging, and management-body reporting processes.
Sources for this answer
Directive (EU) 2022/2555 (NIS2)
Article 23(4)(c) through (e) sets intermediate report, final report, progress report, and final-report content expectations.
Implementing Regulation (EU) 2024/2690 for NIS2 technical measures
The annex links significant incidents to review of security policies, roles, risk assessment, compliance monitoring, independent reviews, and incident-handling procedures for covered relevant entities.
Section 7

Quality checks before closing the workflow

Close the workflow only when the reporting timeline, authority route, significance rationale, recipient-communication decision, and evidence package agree. The file should be understandable to an auditor, regulator, customer assurance reviewer, or new incident commander without relying on unwritten project history.

Keep Member State implementation differences visible. NIS2 sets EU-level obligations, but the practical portal, authority name, national forms, and additional local instructions can vary by jurisdiction.

  • Every public source URL is external, HTTPS, and includes ref=sorena.io.
  • The awareness time, 24-hour early warning, 72-hour incident notification, intermediate requests, final report, and progress report are timestamped where applicable.
  • The significance decision cites the relevant NIS2 test and, for covered relevant entities, the applicable Implementing Regulation criteria.
  • Recipient, public-awareness, law-enforcement, and cross-border communication decisions are documented, including why no communication was made if that was the decision.
  • The workflow does not include invented national thresholds, penalties, authority URLs, or deadlines beyond the cited sources.
Sources for this answer
Directive (EU) 2022/2555 (NIS2)
Primary legal source for EU-level NIS2 reporting obligations and the multi-stage reporting timeline.
European Commission - NIS2 Directive overview
Confirms NIS2 scope expansion, Member State transposition context, and cooperation structures.
ENISA CIRAS incident reporting
Shows ENISA's incident-reporting aggregation context and country reporting process support through CIRAS.
Implementing Regulation (EU) 2024/2690 for NIS2 technical measures
Provides additional significant-incident and cybersecurity risk-management details for the listed relevant entities.
Recommended next step

Use this NIS2 guide as a cited incident-reporting playbook

Sorena can help convert Article 23 reporting obligations into triage questions, owner assignments, notification templates, evidence fields, and post-incident review steps.

Research workflow
Open Research Copilot for NIS2

Ask source-linked questions about significant incidents, notification timing, cross-border impact, and evidence using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through NIS2 incident reporting

Review your reporting workflow, owner map, evidence gaps, and next implementation steps with Sorena.

Explore next step
Primary sources

References and citations

Directive (EU) 2022/2555 (NIS2)
eur-lex.europa.eu
Referenced sections
  • Primary legal source for EU-level NIS2 reporting obligations and the multi-stage reporting timeline.
"Reporting obligations"
ENISA CIRAS incident reporting
ciras.enisa.europa.eu
Referenced sections
  • Shows ENISA's incident-reporting aggregation context and country reporting process support through CIRAS.
"Cybersecurity Incident Reporting and Analysis System"
Related guides

Explore more topics

Are managed service providers in scope of NIS2?
NIS2 scope answer for managed service providers and managed security service providers, including service definition, size-cap checks, entity status, and jurisdiction evidence.
EU NIS2 Directive applicability test for entity scope
Stepwise NIS2 applicability test for Annex I and Annex II sectors, medium and large entities, size-independent cases, essential or important classification, jurisdiction, and evidence.
EU NIS2 Directive deadlines and compliance calendar | Article 23 clocks
source-linked NIS2 compliance calendar covering 17 October 2024 transposition, 18 October 2024 application, Article 27 registry data, Article 3 entity lists, Article 23 incident-reporting clocks, and Member State transposition watch items.
FAQ: NIS2 essential vs important entity classification and registration obligations
Plain-English FAQ comparing NIS2 essential entities and important entities, with Article 3 classification rules, shared Article 21 and 23 duties, supervision differences, and evidence to keep.
NIS2 24-hour early warning: what to send and when
Under NIS2 Article 23, covered essential and important entities submit an early warning within 24 hours of becoming aware of a significant incident.
NIS2 72-hour incident notification FAQ
Direct answer on the NIS2 72-hour incident notification: when it is due, what it updates, what it must include, and how to preserve evidence.
NIS2 Annex I and Annex II Sector Scoping Guide
Map NIS2 Annex I and Annex II sectors, entity types, size-cap rules, and essential versus important entity classification with official EU sources.
NIS2 Article 21 control baseline and evidence checklist
Build a NIS2 Article 21 control baseline from the Directive's minimum cybersecurity risk-management measures, proportionality test, supplier duties, and evidence expectations.
NIS2 Article 21 control-by-control evidence checklist
Map NIS2 Article 21 risk-management measures to evidence records for governance, incident handling, continuity, supply chain, testing, cyber hygiene, cryptography, access, assets, and authentication.
NIS2 Article 21 Gap Assessment Workflow: controls, evidence, and owners
Assess NIS2 Article 21 cybersecurity risk-management gaps by mapping current controls to Article 21(2), ownership, evidence, supplier risk, and management review.
NIS2 Article 23 incident notification workflow
Map NIS2 Article 23 reporting duties for significant incidents: 24-hour early warning, 72-hour notification, intermediate reports, final report, recipients, and evidence.
NIS2 Compliance Checklist: scope, controls, reporting
Use this NIS2 compliance checklist to confirm scope, entity classification, management-body duties, Article 21 controls, Article 23 reporting, and evidence.
NIS2 Compliance Guide: scope, controls, reporting, and evidence
A practical NIS2 compliance guide for mapping entity scope, Article 21 risk measures, Article 23 incident reporting, management accountability, and evidence records.
NIS2 Country Transposition Tracker: EU Status Workflow
Track NIS2 Directive transposition by EU country with Commission status pages, Article 41 deadlines, reasoned-opinion flags, source URLs, and review controls.
NIS2 Entity Classifier Workflow: essential vs important entity scoping
Classify whether an EU service is out of scope, an important entity, an essential entity, or needs national-authority review under the NIS2 Directive.
NIS2 essential vs important entities: Article 3 scope and supervision guide
Classify NIS2 essential and important entities using Article 3, Annex I and II sector scope, size-cap rules, registration evidence, and the Article 32/33 supervision split.
NIS2 essential vs important entities: supervision regime and audit evidence requirements
Compare NIS2 essential and important entities by scope, Article 21 and 23 duties, Article 32 and 33 supervision, evidence, jurisdiction, and penalties.
NIS2 FAQ: scope, Article 21 controls, incident reporting, and penalties
source-linked NIS2 FAQ for teams deciding whether they are in scope, whether they are essential or important entities, which Article 21 cybersecurity measures apply, how Article 23 incident reporting works, and what penalties and evidence records to plan for.
NIS2 incident clock triage workflow
Triage a possible NIS2 significant incident by recording awareness time, severity, impact, authority route, recipient communications, and Article 23 reporting clocks.
NIS2 Management Body Accountability: board duties, training, and evidence
source-linked guide to NIS2 Article 20 management body accountability: approval of Article 21 measures, oversight, liability, training, reporting lines, and evidence.
NIS2 Member State Transposition: What Teams Must Check
How to handle NIS2 Member State transposition: use Article 41 as the EU baseline, then verify national law, authority routing, registration, and incident-reporting details.
NIS2 National Transposition Tracker: EU Member State Evidence Register
Track NIS2 national transposition with Commission country pages, Article 41 dates, reasoned-opinion flags, source wording, authority contacts, and legal review triggers.
NIS2 penalties and fines: Article 34 caps for essential and important entities
NIS2 penalties and fines explained for EU essential and important entities, including Article 34 fine ceilings, Article 21 and 23 triggers, national transposition, and evidence to keep.
NIS2 Registration and Authority Notification Guide
Map NIS2 Article 3 entity-list duties, Article 27 registry submissions, competent-authority contacts, and national registration portal evidence without inventing country deadlines.
NIS2 Requirements: scope, Article 21 controls, reporting, and evidence
Map NIS2 requirements for essential and important entities: scope classification, management-body duties, Article 21 cybersecurity measures, Article 23 incident reporting, and evidence records.
NIS2 Size Cap Rule and Special Scope Cases
Determine whether NIS2 applies under the medium-size rule, regardless-of-size special cases, critical entity rule, and Member State registration lists.
NIS2 size-cap rule: when medium and large entities are in scope
Plain-language FAQ on the NIS2 size-cap rule: medium and large Annex I or II entities, SME thresholds, regardless-of-size exceptions, and evidence to keep.
NIS2 supply chain security program: Article 21 controls, contracts, and evidence
Build a NIS2 Article 21 supply chain security program for direct suppliers and service providers: policy, supplier criteria, contract clauses, monitoring, registry evidence, and source-linked checks.
NIS2 vs CER Directive comparison: cyber obligations and critical-entity resilience
Compare NIS2 and the CER Directive using grounded rows for scope, triggers, evidence, incident handling, supervision, and shared critical-entity work.
NIS2 vs DORA: scope, overlap, and evidence for EU cyber compliance
Compare NIS2 and DORA for EU cyber compliance: covered entities, when DORA replaces NIS2 duties for financial entities, incident reporting, evidence, and supervisory handoffs.
NIS2 vs GDPR breach reporting: EU deadlines and overlap
Compare NIS2 significant-incident reporting with GDPR personal-data-breach reporting, including scope, 24-hour and 72-hour clocks, evidence, and overlap.
NIS2 vs ISO/IEC 27001: legal duties, ISMS evidence, and reuse limits
Compare NIS2 legal obligations with ISO/IEC 27001 ISMS requirements: scope, Article 21 controls, incident clocks, SoA evidence, audits, and certification reuse.
NIS2 vs ISO/IEC 27017: legal duties, cloud controls, and reuse limits
Compare NIS2 legal obligations with ISO/IEC 27017 cloud-service controls: entity scope, Article 21 measures, incident clocks, shared responsibility, evidence, and assurance limits.
NIS2 vs NIS1: what changed in EU cybersecurity compliance
Compare NIS2 with the repealed NIS1 Directive: expanded sectors, essential and important entities, management-body duties, Article 21 controls, Article 23 reporting, and supervision.