NIS2 — Incident Notification in 24h, 72h, 1 Month
The 3 strict timeline phases of Art. 23 explained: 24h early warning, 72h notification, 1-month report. ResiPlan pre-wired workflow, ANSSI / CCB / BSI examples, downloadable templates.
The 4 mandatory milestones
Article 23(4) NIS2 — each milestone has its content and recipient.
Early warning — 24 hours
First signal to national CSIRT (ANSSI in France, CCB in Belgium, BSI in Germany). Minimal content: suspected causality, cross-border impact, situation status. Light format, the goal is to timestamp the alert.
Notification — 72 hours
Detailed initial incident notification: magnitude, severity, impacts, known IOCs, measures already taken. If incident still active, estimated duration. Complete form on ANSSI/CSIRT portal.
Intermediate report (if requested)
If CSIRT requests, an intermediate report updates progress, severity evolution, ongoing corrective actions.
Final report — 1 month
Comprehensive report 1 month after 72h notification (or 1 month after incident closure, per national transposition). Content: root cause, full timeline, damages, remediation measures, lessons learned, action plan.
Essential vs Important entity
| Criterion | Essential | Important |
|---|---|---|
| Supervision | Ex ante (proactive, regular audits) | Ex post (reactive, after incident) |
| Max sanctions | €10M or 2% worldwide turnover | €7M or 1.4% worldwide turnover |
| Notification 24h/72h/1m | Same | Same |
| Audits on demand | Possible at any time | On reasonable suspicion |
NIS2 articles covered
NIS2 frequently asked questions
What are the NIS2 notification deadlines?
Three strict timeline phases: (1) early warning within 24 hours of becoming aware of the significant incident; (2) incident notification within 72 hours; (3) final report within 1 month (counted from 72h notification, or from closure depending on transposition). An intermediate report may be requested in between.
What's the difference between essential and important entity in NIS2?
Essential entities (annex I, >250 staff or >€50M turnover in certain sectors) are supervised ex ante (regular audits, proactive instruction) with max sanctions €10M or 2% turnover. Important entities (annex II or smaller) are supervised ex post (reactive after incident) with max sanctions €7M or 1.4% turnover. The 24/72/1m notification deadlines are identical.
What is a significant incident per NIS2 article 23?
An incident is significant (article 23(3)) if it has caused or is likely to cause (a) severe operational disruption or financial losses for the entity, or (b) material or immaterial harm to other natural or legal persons. The ESAs ITS published in 2024 quantify sector thresholds (downtime, customers impacted, revenue loss).
Must we notify customers in case of NIS2 incident?
Yes, in 2 cases. (1) If the incident is likely to adversely affect service provision to customers, the entity must inform them without delay. (2) For digital service providers (ISPs, cloud), customer information must also include measures they can take. The content is simpler than the CSIRT notification.
Is there a NIS2 notification example valid for Belgian CCB?
The CCB (Centre for Cybersecurity Belgium) accepts notifications via its Safeonweb@Work portal for Belgian important/essential entities. Format aligned with ESAs ITS: incident type, sector, cross-border impact, IOCs, measures. ResiPlan automatically generates pre-filled content for CCB, ANSSI, CSIRT.LU and BSI.
How to integrate the NIS2 24/72/1m workflow in an existing BCMS?
BCMS (ISO 22301) covers continuity, NIS2 adds incident traceability and notification. Optimal integration: (1) create an incident in your existing IRP, (2) automatically trigger 24h/72h/1m reminders, (3) link the incident to BIA business processes to measure impact, (4) generate the final report via export. See our BIA and Mass Notifications modules.
Should I register in a NIS2 important entity registry?
Yes. Each member state maintains a registry. In France, ANSSI manages registration. Entities must self-declare if they meet criteria (annex I/II sector + size thresholds). An unregistered but eligible entity remains subject to obligations and risks sanctions.
What are ECB / DORA notification workflow examples valid for Belgian CCB?
For Belgian entities regulated under DORA + NIS2 (banks, insurance), the workflow must send (a) an ECB notification via SSM (single supervisory mechanism) for the DORA dimension, and (b) a CCB notification for the NIS2 dimension. ResiPlan automatically duplicates the notification in both channels when the incident touches both regulations.
Activate the NIS2 24/72/1m workflow in 1 click
Free 14-day trial. Pre-wired workflow for ANSSI, CCB, BSI, AGCS. Automatic notifications to impacted customers.