NIS2 Incident Reporting: A Step-by-Step Guide

One of the most operationally demanding aspects of NIS2 compliance is the **mandatory incident reporting framework**. Where NIS1 only required notification "without undue delay", NIS2 imposes fixed timelines, specific content requirements at each stage, and clear escalation paths, with serious penalties for organizations that fail to comply.



What is a "Significant Incident" Under NIS2?

Not every cybersecurity event triggers a reporting obligation. NIS2 (Article 23(3)) defines a significant incident as one that:

  1. Causes or is capable of causing severe operational disruption of services or financial losses for the affected entity, or
  2. Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage

In practice, the following factors are used to assess significance:

  • Number of users affected by the disruption
  • Duration of the incident
  • Geographic spread of impact
  • Extent of disruption to service delivery
  • Impact on critical dependencies (other entities that rely on your services)
  • Financial impact (costs incurred or inflicted)
  • Potential reputational damage

The Three-Stage Reporting Timeline

NIS2 establishes a three-stage reporting obligation for significant incidents:

Stage 1: Early Warning — Within 24 Hours

The early warning must be submitted to the competent national authority (in Portugal: CNCS or the relevant sector authority) within 24 hours of becoming aware of the significant incident.

Content required at this stage:

  • Basic description of the incident (nature, type of threat suspected)
  • Whether cross-border impact is possible
  • Whether a criminal act is suspected

This is a preliminary notification — detailed information is not required at this stage. The goal is to give authorities early visibility so they can prepare support if needed.

Stage 2: Incident Notification — Within 72 Hours

A full incident notification must follow within 72 hours of awareness. This must include:

  • Updated assessment of the incident (severity, scope, impact)
  • Indicators of compromise (if available)
  • Initial assessment of whether the incident is caused by a criminal or hostile act
  • Mitigation measures taken or underway

Stage 3: Final Report — Within One Month

The final report must be submitted within one month of the incident notification (the clock runs from the 72-hour submission, not from the moment of awareness). This comprehensive report must include:

  • Detailed description of the incident (timeline, root cause analysis)
  • Type of threat or root cause that triggered the incident
  • Mitigation measures applied and their effectiveness
  • Cross-border impact assessment (if applicable)
  • Lessons learned and recommended improvements

Note:

For incidents with ongoing effects at the time the final report is due, an intermediate report is submitted instead, with a final report submitted once the incident is fully resolved.

Reporting to Affected Users and the Public

In certain circumstances, you may also be required to inform your users about significant incidents:

  • When the incident is likely to adversely affect the recipients of your services
  • When disclosure is in the public interest (e.g., widespread data exposure)
  • When directed to do so by the competent authority

This means your incident response plan must include a communications protocol covering both regulatory authorities and affected stakeholders.

Building Your Internal Incident Reporting Process

Meeting NIS2's 24/72-hour deadlines requires preparation long before an incident occurs. Here's how to build a compliant internal process:

Step 1: Define "Significant Incident" Criteria Internally

Translate NIS2's definition into practical internal classification criteria. Create a decision matrix that your team can use in the middle of an incident to quickly determine whether reporting is required.

Step 2: Appoint a Reporting Officer

Designate a specific individual (or role) responsible for NIS2 incident reporting. This person must know:

  • Who to contact at CNCS
  • What information is needed at each stage
  • Where to find relevant logs, system data, and documentation

Step 3: Establish Incident Detection Capabilities

You cannot report an incident you haven't detected. Ensure you have:

  • Security monitoring (SIEM, EDR, IDS/IPS)
  • Clear escalation procedures from technical teams to management
  • A 24/7 escalation path for out-of-hours incidents

Step 4: Prepare Reporting Templates

Pre-prepare templates for the early warning, incident notification, and final report. These should be partially filled out in advance with standing organizational information, so that during an incident, your team only needs to add incident-specific details.

Step 5: Conduct Incident Response Drills

Run tabletop exercises at least annually that simulate a significant incident and test your ability to meet each reporting deadline. These drills should involve IT, legal, communications, and senior management.

Step 6: Maintain an Incident Log

Keep a detailed log of all cybersecurity incidents — significant and non-significant. This log serves as evidence of your incident management capability and is often requested by supervisory authorities during audits.
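As an added example, not taken from the article or from any tool it mentions, the following Python sketch ties Steps 1, 4 and 6 together: an internal significance matrix (the thresholds are assumed for illustration and are not NIS2 figures), a timestamped incident log, computation of the 24-hour, 72-hour and one-month deadlines from the moment of awareness, and the three early-warning template fields. Treating "one month" as 30 days is a planning assumption of this example, as is the sample incident it constructs.

```python
"""Added example (not from the article): a minimal NIS2 reporting tracker.

Classifies an incident against a hypothetical internal significance matrix,
keeps a timestamped incident log, and computes the 24h / 72h / one-month
deadlines from the moment of awareness. All thresholds are illustrative.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Statutory clocks from NIS2 Article 23: 24h and 72h from awareness,
# then one month from the incident notification.
EARLY_WARNING_WINDOW = timedelta(hours=24)
NOTIFICATION_WINDOW = timedelta(hours=72)
FINAL_REPORT_WINDOW = timedelta(days=30)  # "one month"; 30 days is this example's assumption

# Hypothetical Step 1 decision matrix. These numbers are assumed, not from NIS2;
# each organization sets its own based on its services and dependants.
THRESHOLDS = {
    "users_affected": 10_000,      # users whose service was disrupted
    "outage_hours": 4.0,           # duration of the disruption
    "financial_loss_eur": 100_000.0,
}


def is_significant(assessment: dict) -> bool:
    """Map the assessment factors onto the two limbs of Art. 23(3)."""
    # (a) severe operational disruption or financial loss for the entity itself
    own_impact = any(
        float(assessment.get(key, 0)) >= limit for key, limit in THRESHOLDS.items()
    )
    # (b) considerable damage to other natural or legal persons (customers, dependants)
    third_party = bool(assessment.get("third_party_damage", False))
    return own_impact or third_party


@dataclass
class Incident:
    incident_id: str
    aware_at: datetime                              # start of the statutory clock
    log: list = field(default_factory=list)         # (timestamp, event) entries, Step 6
    submitted: dict = field(default_factory=dict)   # stage -> submission timestamp

    def record(self, event: str, at: datetime) -> None:
        """Append a timestamped entry; this is the evidence auditors ask for."""
        self.log.append((at, event))

    def submit(self, stage: str, at: datetime) -> None:
        self.submitted[stage] = at
        self.record(f"submitted {stage}", at)

    def deadlines(self) -> dict:
        early = self.aware_at + EARLY_WARNING_WINDOW
        notification = self.aware_at + NOTIFICATION_WINDOW
        # The one-month clock runs from the notification actually sent; until
        # then, plan against the latest permissible notification time.
        anchor = self.submitted.get("incident_notification", notification)
        return {
            "early_warning": early,
            "incident_notification": notification,
            "final_report": anchor + FINAL_REPORT_WINDOW,
        }

    def overdue(self, now: datetime) -> list:
        """Stages whose deadline has passed without a logged submission."""
        return [
            stage for stage, due in self.deadlines().items()
            if stage not in self.submitted and now > due
        ]

    def early_warning_payload(self, description: str, cross_border: bool, criminal: bool) -> dict:
        """Step 4 template: the fields the 24-hour early warning needs."""
        return {
            "incident_id": self.incident_id,
            "aware_at": self.aware_at.isoformat(),
            "description": description,
            "cross_border_impact_possible": cross_border,
            "criminal_act_suspected": criminal,
        }


def demo_scenario() -> dict:
    """Constructed walk-through: awareness at 02:15 UTC on a Saturday."""
    t0 = datetime(2024, 6, 8, 2, 15, tzinfo=timezone.utc)
    inc = Incident("INC-2024-0042", aware_at=t0)
    inc.record("EDR alert: ransomware note on file server", t0)
    inc.submit("early_warning", t0 + timedelta(hours=20))
    due = inc.deadlines()
    payload = inc.early_warning_payload("Suspected ransomware on file server", True, True)
    return {
        "significant": is_significant({"users_affected": 25_000, "outage_hours": 1}),
        "early_warning_due": due["early_warning"].isoformat(),
        "final_report_due": due["final_report"].isoformat(),
        "overdue_at_10h": inc.overdue(t0 + timedelta(hours=10)),
        "overdue_at_80h": inc.overdue(t0 + timedelta(hours=80)),
        "log_entries": len(inc.log),
        "cross_border_flag": payload["cross_border_impact_possible"],
    }


if __name__ == "__main__":
    for key, value in demo_scenario().items():
        print(f"{key:20s} {value}")
```

Run during a tabletop drill, `overdue()` at T+80h reports the 72-hour notification as missed while the early warning (logged at T+20h) is not, which is exactly the check a reporting officer wants automated. Note that the final-report deadline only settles once the 72-hour notification is actually logged.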

Common Pitfalls to Avoid

  • Waiting to confirm the full scope before reporting: The 24-hour early warning is designed to be submitted with incomplete information. Don't wait for certainty — report what you know and update later.
  • Treating every incident the same: Not all security events are reportable. Invest time upfront in defining your significance criteria to avoid both over-reporting and under-reporting.
  • Not involving legal counsel: The decision to report (and what to say) has legal implications. Loop in your legal team early for significant incidents.
  • Failing to document the timeline: Regulatory authorities will scrutinize when you became aware of the incident. Maintain detailed logs with timestamps from the moment of detection.
  • Neglecting cross-border implications: If your incident may affect services in other EU member states, note this in your early warning — even if you're unsure. CNCS will assess cross-border dimensions.

Penalties for Non-Reporting

Failing to report a significant incident in accordance with NIS2 timelines is a compliance violation that can result in:

  • Administrative fines (up to €10M or 2% of total worldwide annual turnover, whichever is higher, for Essential Entities; up to €7M or 1.4% for Important Entities)
  • Reputational damage from enforcement actions made public
  • Potential personal liability for management where failures are attributed to negligence or deliberate concealment

Conclusion

Proper incident reporting under NIS2 is operationally complex but achievable with the right preparation. Build your detection capabilities, prepare your reporting templates, train your team, and drill your response procedures before an incident occurs.

The goal is to be able to hit all three reporting deadlines — 24 hours, 72 hours, 1 month — without scrambling. That level of readiness is not just a compliance requirement; it is a mark of genuine organizational security maturity.

Important

This article is for informational purposes only and does not constitute legal advice. Always consult qualified legal professionals for guidance specific to your organization's situation.
