The NIS2 24-hour rule: Handling incident reporting requirements

The NIS2 Directive introduces a strict multi-stage reporting timeline for "significant" cyber incidents. Affected entities must submit an initial "early warning" to authorities within 24 hours of becoming aware of a threat or incident.

Summary: What is the NIS2 24-hour rule?

The 24-hour rule is the first phase of the mandatory reporting process under the NIS2 Directive (Network and Information Security Directive). It requires "essential" and "important" entities to notify their national CSIRT (Computer Security Incident Response Team) or competent authority within 24 hours of detecting a significant incident. This phase focuses on speed rather than detail, acting as a rapid alert to help authorities spot cross-border patterns.

Why is rapid incident reporting mandatory?

The European Union implemented this requirement to minimize the ripple effect of cyberattacks across critical infrastructure. By receiving an alert within 24 hours, authorities can provide early assistance and warn other organizations potentially facing the same threat.

What defines a "significant" incident?

Not every minor glitch requires a report. Under NIS2, an incident is considered significant if:

  • It has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned.
  • It has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

The NIS2 reporting timeline: A step-by-step guide

To remain compliant, organizations must follow a specific three-stage sequence:

  1. The 24-hour early warning: A brief notification stating whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.
  2. The 72-hour incident notification: A more detailed report updating the initial warning, including an initial assessment of severity and impact, as well as indicators of compromise.
  3. The final progress report: Submitted no later than one month after the initial notification. This must include a detailed description of the incident, the root cause, and the applied mitigation measures.

Read more: Why contract management is the foundation of NIS2 compliance.

Checklist for NIS2 reporting readiness

Effective compliance requires pre-defined internal processes. Organizations should ensure the following elements are in place:

  • Incident detection systems: Tools capable of identifying "significant" anomalies in real time.
  • Internal escalation procedures: Clear protocols for moving from detection to reporting within hours.
  • Pre-defined reporting channels: Verified contact points for the relevant national authority or CSIRT.
  • Documented audit trails: Precise logging of when an incident was first detected to prove compliance with the 24-hour window.
  • Third-party risk mapping: Identification of digital supply chain partners that could trigger a reporting obligation.
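The three-stage timeline above and the "documented audit trails" item in the checklist both come down to one thing: knowing exactly when the clock started and being able to prove, later, when each report went out. The following reporting-clock tracker is an added example and is not code from the original article or from House of Control; it assumes that all three deadlines are measured from the moment of awareness and approximates "one month" as 30 days (check the exact calendar rule with your competent authority). Each logged event is chained to the previous one with a SHA-256 hash, so a later edit to the trail is detectable.

```python
"""Reporting-clock tracker for the NIS2 three-stage timeline (added example)."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Stage deadlines, all measured from the moment the entity became aware of the
# incident. "One month" is approximated as 30 days: an assumption made for this
# example, not a rule taken from the directive.
STAGE_DEADLINES = {
    "early_warning": timedelta(hours=24),
    "incident_notification": timedelta(hours=72),
    "final_report": timedelta(days=30),
}

GENESIS = "0" * 64  # previous-hash value for the first audit entry


def utc(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp and require that it carries a timezone."""
    ts = datetime.fromisoformat(iso)
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware; log in UTC")
    return ts.astimezone(timezone.utc)


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ReportingClock:
    """Tracks one incident's reporting deadlines and keeps a hash-chained audit trail."""

    def __init__(self, incident_id: str, aware_at: datetime) -> None:
        self.incident_id = incident_id
        self.aware_at = aware_at
        self.entries: list[dict] = []  # append-only audit trail
        self._append("awareness", aware_at, "incident first detected")

    def _append(self, event: str, at: datetime, note: str) -> None:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"incident": self.incident_id, "event": event,
                "at": at.isoformat(), "note": note, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def deadline(self, stage: str) -> datetime:
        return self.aware_at + STAGE_DEADLINES[stage]

    def record_submission(self, stage: str, at: datetime) -> str:
        """Log that a report was submitted; returns 'on_time' or 'late'."""
        if stage not in STAGE_DEADLINES:
            raise KeyError(f"unknown reporting stage: {stage}")
        outcome = "on_time" if at <= self.deadline(stage) else "late"
        self._append(stage, at, f"report submitted ({outcome})")
        return outcome

    def status(self, now: datetime) -> dict[str, str]:
        """Per-stage status as seen at time `now`, derived from logged timestamps."""
        submitted = {e["event"]: utc(e["at"]) for e in self.entries
                     if e["event"] in STAGE_DEADLINES}
        result = {}
        for stage, due in ((s, self.deadline(s)) for s in STAGE_DEADLINES):
            if stage in submitted:
                result[stage] = "submitted_" + ("on_time" if submitted[stage] <= due else "late")
            elif now > due:
                result[stage] = "overdue"
            else:
                result[stage] = f"pending ({due - now} left)"
        return result

    def verify_trail(self) -> bool:
        """Recompute the hash chain; False if any entry was altered or reordered."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    # Constructed sample incident, not real data.
    clock = ReportingClock("INC-EXAMPLE-001", utc("2024-01-10T08:00:00+00:00"))
    clock.record_submission("early_warning", utc("2024-01-10T20:00:00+00:00"))
    clock.record_submission("incident_notification", utc("2024-01-13T10:00:00+00:00"))
    for stage, state in clock.status(utc("2024-01-20T00:00:00+00:00")).items():
        print(f"{stage:22} {state}")
    print("audit trail intact:", clock.verify_trail())
```

The awareness timestamp is the only input that matters for every deadline, which is why it is the first entry in the chain and cannot be changed without breaking `verify_trail()`. Recording the time of detection as an immutable event, rather than reconstructing it from memory during the 72-hour report, is what turns the checklist's "precise logging" item into evidence an auditor can check.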

Conclusion

The 24-hour rule under NIS2 shifts the focus from "if" an incident should be reported to "how fast" it can be reported. Success depends on having a robust governance structure and digital tools that provide a central overview of risk and compliance status.

Read more: NIS2 documentation: What auditors expect to see.

FAQ

Does the 24-hour rule apply to all companies?

It applies to entities categorized as "essential" or "important" under the NIS2 sectors, which include energy, transport, banking, health, and digital infrastructure.

What happens if a company misses the 24-hour deadline?

Non-compliance can lead to significant administrative fines, which can reach up to €10 million or 2% of total global annual turnover, whichever is higher.

Do I need a full analysis within 24 hours?

No. The 24-hour early warning is intended only to alert authorities. The deep technical analysis is reserved for the 72-hour and 1-month reports.

Disclaimer: House of Control is a software company. We do not offer NIS2 compliance consulting services. Thus, following this guidance does not guarantee compliance with all NIS2 legal requirements. The content of this article is based on our own research of the NIS2 requirements and our experience with regulatory compliance, and includes inspiration from various actors offering compliance services. We do not assume any responsibility or liability for any failure to comply with NIS2 requirements or resulting from the use of this guidance.