GRC Answer

How does NIS2 incident reporting work?

Under Article 23 of NIS2, essential and important entities must report significant incidents to their national CSIRT or competent authority in stages: an early warning shortly after becoming aware of the incident, a fuller incident notification, and a final report once the incident is handled. An incident is significant if it has caused or is capable of causing serious operational disruption or financial loss, or has affected other people through considerable material or non-material damage. Because NIS2 is a directive, the exact deadlines and mechanics are shaped by each member state's transposition, so confirm the specifics against your applicable national law. The staged structure exists so authorities get an early signal quickly, then a complete picture as the situation resolves. The reporting clock only starts once you determine an incident is significant, which is why fast, accurate classification matters as much as the reporting itself. NIS2 sets out when an incident is significant, based on the disruption or loss it causes or could cause, and the harm to others. National transposition and guidance sharpen these thresholds. Classifying correctly is the gate: misjudge it and you either over-report routine events or, worse, miss the clock on a reportable one. Reporting is a sequence, not a single filing: an early warning soon after awareness, a subsequent notification with a fuller assessment, and a final report after the incident is resolved including root cause and mitigation. The precise timeframes are set by Article 23 and national implementation, so verify the current figures for your member state before relying on them.