NIS2 Article 23: the 24-hour and 72-hour reporting deadlines
When a significant incident hits, the NIS2 clock starts immediately. Here's the 24h / 72h / 1-month timeline and how to hit it.
What counts as a 'significant' incident
Article 23 applies to incidents that have a significant impact on the provision of your services, for example those causing serious operational disruption or financial loss, or affecting others through considerable material or non-material damage. If an incident is significant, the reporting clock starts.
The reporting timeline
- Within 24 hours, early warning: notify your CSIRT (or competent authority) that a significant incident has occurred, including whether it's suspected to be malicious or could have cross-border impact.
- Within 72 hours, incident notification: update the early warning with an initial assessment, severity, impact and any indicators of compromise.
- On request, intermediate updates: provide status updates if the authority asks.
- Within 1 month, final report: a detailed description, root cause, mitigations applied, and any cross-border impact.
Why teams miss the window
The deadlines are short, and the early warning often lands in the middle of active incident response. Assembling an accurate picture (affected systems, data in scope, controls in place) by hand, across fragmented tools, is exactly when details get missed or reports go late.
How Alexus makes reporting a query
Alexus keeps a live operational graph, so the facts a report needs are already in one place. It assembles pre-formatted 24-hour early-warning and 72-hour full-report templates aligned to your national CSIRT's accepted format, populated from that graph, turning a frantic write-up into a review-and-send.
This article is general guidance, not legal advice; confirm the exact thresholds and channels in your national NIS2 transposition.