
NIS2 Incident Response: What to Do in the First 24 Hours


NIS2 requires a 24-hour early warning for significant incidents. This guide covers the full reporting timeline, what makes an incident 'significant', who to notify, and how to build a response checklist your team can follow under pressure.

Source: EuroComply Editorial Team, published 2026-04-14. Reviewed by the EuroComply Team (EU regulatory specialists); content reviewed against official EUR-Lex texts.

When a significant cybersecurity incident hits, the first 24 hours determine whether your organisation contains the damage or compounds it. Under the NIS2 Directive (Directive (EU) 2022/2555), the first 24 hours also carry a hard legal obligation: an early warning to your national CSIRT or, where your member state has so designated, the competent authority.

This guide covers the full NIS2 reporting timeline, the definition of a significant incident, and how to build a response checklist your team can actually follow under pressure.

The Three-Stage Reporting Timeline (Article 23)

NIS2 establishes a three-stage reporting framework with fixed deadlines:

| Stage | Deadline (from awareness) | What It Requires |
|-------|---------------------------|------------------|
| Early warning | 24 hours | Notify that a significant incident has occurred (or is suspected) |
| Incident notification | 72 hours | Initial assessment with severity, impact and available indicators of compromise |
| Final report | 1 month after the incident notification | Full technical and administrative account |

Article 23(4) runs each deadline from the moment your organisation becomes aware of the significant incident, and the Directive grants no extra time for the internal work of deciding whether an incident is significant. The safe operating rule is therefore: as soon as you have reasonable grounds to suspect a significant incident, the 24-hour clock is running.

What Makes an Incident "Significant"

Not every security event triggers NIS2 reporting. The obligation applies to "significant incidents." Article 23(3) defines a significant incident as one that:

  • Has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned; or
  • Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Recital 101 provides additional context: factors include the number of users affected, the duration, the geographic spread, the nature of the service affected, and the entity's systemic importance.

In practice, ask: Has this incident disrupted a service we are required to provide? Could it cause significant financial or reputational damage? Does it affect customers, suppliers, or critical infrastructure? If yes to any, treat it as significant until you determine otherwise.

Who to Notify

NIS2 requires notification to your national CSIRT (Computer Security Incident Response Team) or competent authority. Each EU member state designates these bodies — they are not the same as your national DPA.

Key national contacts:

  • Germany: BSI (Bundesamt für Sicherheit in der Informationstechnik)
  • France: ANSSI (Agence nationale de la sécurité des systèmes d'information)
  • Austria: CERT.at
  • Netherlands: NCSC-NL
  • Ireland: NCSC Ireland

Check your national authority's reporting portal. Most have online incident reporting forms. Register before an incident — not during one.

What the 24-Hour Early Warning Must Contain

The 24-hour early warning does not require a complete technical analysis. Article 23(4)(a) asks for very little:

  1. That a significant incident has occurred (or is reasonably suspected).
  2. Where applicable, whether the incident is suspected of being caused by an unlawful or malicious act. You do not need certainty, only reasonable suspicion.
  3. Where applicable, whether the incident could have a cross-border impact, that is, affect services or entities in other member states.

No root cause analysis. No full indicators of compromise. No remediation plan. The purpose of the early warning is to alert authorities so they can prepare to support you if needed. Speed over completeness is the intent.

What the 72-Hour Notification Must Contain

By 72 hours, Article 23(4)(b) requires an incident notification that, where applicable, updates the early warning and includes:

  • An initial assessment of the significant incident, including its severity and impact.
  • Indicators of compromise (IOCs), where available: file hashes, IP addresses, domains, malware signatures.

Applied mitigation measures are not a required element until the final report, but record them as you go: Article 23(4)(c) lets the CSIRT or competent authority request an intermediate report on relevant status updates at any time. Trust service providers have a tighter deadline: their incident notification is due within 24 hours of becoming aware of the significant incident.

At this stage, authorities may offer assistance or share threat intelligence. Where the incident is large-scale or has cross-border impact, member state authorities may coordinate through EU-CyCLONe (the European cyber crisis liaison organisation network established under Article 16); that coordination happens between authorities, not directly with your organisation.

What the 1-Month Final Report Must Contain

The final report, due not later than one month after you submit the incident notification, is the full account. Article 23(4)(d) requires:

  • Detailed description of the incident — timeline, affected systems, scope.
  • Type of threat and root cause — where determined.
  • Applied and ongoing mitigation measures — what has been done and what remains in progress.
  • Cross-border impact, if any — actual and potential effects on other member states or entities.

If the incident is still ongoing at the one-month mark, Article 23(4)(e) requires a progress report at that time and a final report within one month of your handling of the incident.

Building Your Incident Response Checklist for the First 24 Hours

Under pressure, checklists are more reliable than memory. Build this into your incident response plan and test it in tabletop exercises before you need it.

8-Item First 24-Hour Checklist

  1. Detect and log — record the time and means of detection; preserve initial evidence.
  2. Assess significance — apply the NIS2 significance criteria; if uncertain, treat as significant.
  3. Activate your IR team — notify the incident response lead; assemble the core team.
  4. Notify your CSIRT — submit the 24-hour early warning to your national CSIRT; log the submission time and confirmation reference.
  5. Preserve evidence — isolate affected systems in a way that preserves logs; do not wipe or reimage before forensic capture.
  6. Contain the incident — implement immediate containment measures; document each action taken.
  7. Communicate internally — notify executive leadership, legal, and communications; establish a war room and communication cadence.
  8. Document everything — maintain a timestamped incident log from detection onwards; this becomes the basis for your 72-hour and 1-month reports.

Interaction with GDPR

If the incident involves a personal data breach (unauthorised access to, disclosure of, alteration or loss of personal data), GDPR Article 33 requires notification to your supervisory authority (DPA) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If you notify later than 72 hours, the notification must give the reasons for the delay, and any decision not to notify must be documented.

The NIS2 72-hour notification and the GDPR 72-hour notification are separate obligations to different authorities, and a significant NIS2 incident involving personal data will usually trigger both, with both clocks running from the same awareness moment. Coordinate your IR team to handle both streams in parallel: one track for the CSIRT, one for the DPA.

The GDPR notification (Article 33(3)) must contain: the nature of the breach; the categories and approximate number of data subjects and records concerned; the name and contact details of the DPO or another contact point; the likely consequences; and the measures taken or proposed. Start preparing this immediately alongside the NIS2 notification.
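The timeline, checklist items 4 and 8 (log the submission and keep a timestamped incident log) and the parallel GDPR track above all reduce to one piece of tooling: a clock that starts at the recorded awareness time and a log that cannot be quietly edited afterwards. The following is an added example written for this article; it is not EuroComply code and not any national CSIRT's reporting tool. It assumes the deadlines as stated in this article, approximates "one month" as 30 days (confirm the counting rule with counsel), ignores entity-specific derogations such as the trust-service-provider deadline, and uses a constructed scenario with hypothetical identifiers (`INC-2026-0042`, `CSIRT-2026-0001`, `billing-app-03`). Each log entry commits to the SHA-256 of the previous one, so a later edit or deletion breaks `verify()`; that is the property you want when the log becomes the basis for the 72-hour and one-month reports.

```python
"""NIS2 Article 23 incident clock backed by a hash-chained incident log.

Added example for this article, not EuroComply code or any CSIRT's tool. Deadlines
follow the text above (24 h / 72 h from awareness, final report one month after the
incident notification, progress report at that mark if still ongoing, GDPR Art. 33
DPA notification 72 h from awareness). Assumptions: "one month" is 30 days, and no
entity-specific derogation (e.g. for trust service providers) applies.
"""
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

H24, H72, MONTH = timedelta(hours=24), timedelta(hours=72), timedelta(days=30)


@dataclass(frozen=True)
class Entry:
    when: datetime   # timezone-aware timestamp of the event
    kind: str        # e.g. detected, aware, early_warning, incident_notification, resolved
    detail: str      # what was observed or done
    ref: str         # portal confirmation reference, if any
    prev_hash: str   # digest of the previous entry ("" for the first)
    digest: str      # SHA-256 over prev_hash + this entry's fields


class IncidentLog:
    """Append-only, chronological log; each entry commits to the one before it."""

    def __init__(self, incident_id: str, personal_data: bool = False) -> None:
        self.incident_id = incident_id
        self.personal_data = personal_data   # True: GDPR Art. 33 track also applies
        self.entries: list[Entry] = []

    def _digest(self, prev: str, when: datetime, kind: str, detail: str, ref: str) -> str:
        body = json.dumps({"id": self.incident_id, "when": when.isoformat(),
                           "kind": kind, "detail": detail, "ref": ref}, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def record(self, when: datetime, kind: str, detail: str = "", ref: str = "") -> Entry:
        if when.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware; log in UTC")
        if self.entries and when < self.entries[-1].when:
            raise ValueError("log is append-only and chronological")
        prev = self.entries[-1].digest if self.entries else ""
        entry = Entry(when, kind, detail, ref, prev, self._digest(prev, when, kind, detail, ref))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if an entry was altered, reordered or removed."""
        prev = ""
        for e in self.entries:
            if e.prev_hash != prev or e.digest != self._digest(prev, e.when, e.kind, e.detail, e.ref):
                return False
            prev = e.digest
        return True

    def first(self, kind: str) -> Entry | None:
        return next((e for e in self.entries if e.kind == kind), None)

    def deadlines(self) -> dict[str, datetime]:
        # Every NIS2 clock runs from the recorded 'aware' event, not from detection.
        aware = self.first("aware")
        if aware is None:
            raise ValueError("record an 'aware' event first; every deadline runs from it")
        due = {"early_warning": aware.when + H24, "incident_notification": aware.when + H72}
        if self.personal_data:
            due["dpa_notification"] = aware.when + H72
        # Final report: one month after the notification is submitted; until it is
        # submitted, plan against the latest lawful notification time (72 h).
        notif = self.first("incident_notification")
        final = (notif.when if notif else due["incident_notification"]) + MONTH
        resolved = self.first("resolved")
        if resolved is not None and resolved.when > final:
            # Still ongoing at the one-month mark: progress report then, final one month after handling.
            due["progress_report"] = final
            due["final_report"] = resolved.when + MONTH
        else:
            due["final_report"] = final
        return due

    def status(self, now: datetime) -> dict[str, str]:
        out: dict[str, str] = {}
        for stage, due in self.deadlines().items():
            done = self.first(stage)
            if done is not None:
                late = " LATE" if done.when > due else ""
                out[stage] = f"submitted {done.when.isoformat()} ref={done.ref or '-'}{late}"
            elif now > due:
                out[stage] = f"OVERDUE by {now - due}"
            else:
                out[stage] = f"due in {due - now}"
        return out


def example_timeline() -> IncidentLog:
    """Constructed scenario, not a real incident: ransomware on a billing platform."""
    utc = timezone.utc
    log = IncidentLog("INC-2026-0042", personal_data=True)   # hypothetical identifier
    log.record(datetime(2026, 4, 14, 2, 10, tzinfo=utc), "detected", "SIEM: mass file renames on billing-app-03")
    log.record(datetime(2026, 4, 14, 3, 0, tzinfo=utc), "aware", "IR lead confirms ransomware; customer billing down")
    log.record(datetime(2026, 4, 14, 3, 5, tzinfo=utc), "note", "billing-app-03 isolated at switch; disk image started")
    log.record(datetime(2026, 4, 14, 14, 30, tzinfo=utc), "early_warning", "sent via national portal", ref="CSIRT-2026-0001")
    return log
```

Calling `example_timeline().status(now)` at 09:00 UTC on 15 April returns the early warning as submitted on time, the CSIRT and DPA notifications both due in 1 day 18 hours, and the final report provisionally due 17 May (30 days after the latest lawful notification time); once the incident notification is recorded the final-report date moves to one month after that submission, and a `resolved` event later than that mark adds a `progress_report` obligation. Two design points worth keeping: the clock keys off the `aware` event, which you record explicitly, so detection-to-awareness lag is visible in the log rather than hidden; and the hash chain only proves integrity of what you still hold, so write the entries to append-only storage (or mirror them to a second system) as you go, since truncating the tail of the chain is undetectable from the chain alone.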


Last updated: April 2026. For informational purposes only — not legal advice.

EuroComply Editorial Team

EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.
