NIS2 incident notification: 24h, 72h and the final report
What to file at each of the three notification deadlines. Early-warning template and the three mistakes that make a filing officially "late".
TL;DR
NIS2 sets three incident notification deadlines: an early warning within 24h, a full notification within 72h and a final report within 1 month. A ready template plus a defined chain of responsibility is the difference between an accepted notification and a contested one.
The three timings
Early warning (24 hours)
A preliminary notification to CSIRT-Italia with what is known immediately:
- nature of incident (suspected / confirmed);
- category (ransomware, DDoS, intrusion, malfunction);
- estimated impact (systems involved, estimated duration);
- lead contact.
Five to ten lines are enough. The goal is fast communication, not perfect communication.
Full notification (72 hours)
Structured update:
- more detailed technical description;
- identified attack vector (if known);
- updated actual impact;
- containment measures taken;
- preliminary third-party risk assessment.
Final report (1 month)
- root cause analysis;
- full timeline;
- total impact (data, services, users);
- corrective actions implemented;
- lessons learned.
Early warning template
```
Subject: [NIS2 Early Warning] [Entity name] - [Date]

Entity: [name]
NIS2 sector: [essential / important]
Lead: [name, role, contacts]

Incident type: [confirmed / suspected]
Category: [e.g. ransomware]
Incident start: [date, time]

Estimated impact:
- systems involved: [list]
- degraded services: [list]
- affected users: [estimate]

Immediate actions taken:
- [containment]
- [internal communication]
- [vendor engagement]

Update expected within 72 hours.
```
3-5 minutes to fill out. Print it, place it in the runbook.
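As an added example (not part of the original article or of any official tooling), a small runbook helper that computes the three due times and checks a draft early warning against the four items listed under "Early warning (24 hours)". It assumes the 24h and 72h clocks start when the entity becomes aware of the incident and the one-month clock starts at the 72h filing (NIS2 Art. 23(4), not stated on this page); the field names and sample values are constructed.

```python
from calendar import monthrange
from datetime import datetime, timedelta, timezone

# Items the page lists for the early warning (key names are hypothetical).
EARLY_WARNING_FIELDS = ("nature", "category", "estimated_impact", "lead_contact")


def add_one_month(ts):
    """Same day next month, clamped to that month's last day (31 Jan -> 28/29 Feb)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def deadlines(aware_at, full_notification_sent_at=None):
    """Return the three due times in UTC.

    Assumption: the 24h and 72h clocks start at awareness, and the one-month
    clock starts at the 72h notification (its deadline is used as the anchor
    while that filing is still pending).
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; naive times are ambiguous")
    aware = aware_at.astimezone(timezone.utc)
    full_due = aware + timedelta(hours=72)
    anchor = (full_notification_sent_at or full_due).astimezone(timezone.utc)
    return {
        "early_warning": aware + timedelta(hours=24),
        "full_notification": full_due,
        "final_report": add_one_month(anchor),
    }


def early_warning_status(draft, aware_at, now):
    """Report which listed items are still empty and how many hours remain."""
    missing = [f for f in EARLY_WARNING_FIELDS if not str(draft.get(f, "")).strip()]
    due = deadlines(aware_at)["early_warning"]
    hours_left = (due - now.astimezone(timezone.utc)).total_seconds() / 3600
    return {"missing": missing, "hours_left": round(hours_left, 1), "late": hours_left < 0}


# Constructed sample: awareness at 23:30 Rome winter time (UTC+1), 30 January 2025.
ROME_WINTER = timezone(timedelta(hours=1))
AWARE = datetime(2025, 1, 30, 23, 30, tzinfo=ROME_WINTER)
DRAFT = {"nature": "suspected", "category": "ransomware",
         "estimated_impact": "file server, est. 8h", "lead_contact": ""}
```

Storing the awareness time with its timezone matters here: 23:30 local on 30 January is 22:30 UTC, and a filing made at 31 January means the final report is due on 28 February, not "31 February".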
The chain of responsibility
Define before the incident:
- who classifies an event as a "NIS2 incident" (usually the CISO);
- who signs the notification (lead named in ACN registration);
- who notifies internal stakeholders (legal, comms);
- who notifies customers if you are a supply-chain subject.
Without a defined chain, the 24 hours run out on "but who decides?".
Mistakes that make a notification "late"
- failing to recognise the event as a "NIS2 incident": always ask "is this an incident?";
- waiting for technical confirmation before notifying: suspicions are enough;
- coordinating with all vendors before the first notification: notify first, coordinate after.
Coordination with GDPR notification
If personal data is involved, also activate the GDPR procedure (72h to the data protection authority). Often the same event, two separate notifications.
FAQ
Can I file one notification for both GDPR and NIS2?
No, different authorities. But the text can be nearly identical.
What if I notify an incident that turns out to be false?
Nothing, it is appreciated. A false alarm is better than a late notification.
Are notifications public?
No. They are confidential, except in cases of public interest.
For the full procedure, see "NIS2 and DR". For audits, see the "NIS2 audit checklist".