NIS2 Incident Reporting: The 24-Hour, 72-Hour, and 30-Day Deadlines

At 3am on a Tuesday, your IT team discovers that attackers have been inside your network for the past six hours. By 9am, you have confirmed it is a significant incident. The clock is already ticking — and under NIS2, you have less than 18 hours left to file your first mandatory notification with the Irish competent authority.

NIS2 incident reporting is one of the most operationally demanding aspects of the directive. The three-tier reporting timeline — 24 hours, 72 hours, and 30 days — requires organisations to have mature detection capabilities, clear escalation procedures, and pre-prepared notification templates ready before an incident occurs.

The Three-Tier Reporting Timeline

NIS2 establishes a structured reporting process with three distinct deadlines, each requiring a different level of detail.

| Deadline | Report Type | Key Requirements |
|---|---|---|
| 24 hours | Early Warning | Confirm incident occurred, indicate if suspected malicious act, note cross-border impact |
| 72 hours | Incident Notification | Initial assessment of severity, impact, indicators of compromise |
| 30 days | Final Report | Full technical description, root cause, remediation actions, lessons learned |

The clock starts from the moment you become aware of a significant incident — not when you confirm all the details. This distinction is critical: you do not need certainty to file the 24-hour early warning, only reasonable grounds to believe a significant incident has occurred.

What Qualifies as a "Significant Incident"?

Not every security event triggers NIS2 reporting obligations. A significant incident is one that:

  • Has caused or is capable of causing severe operational disruption to your services
  • Has caused or is capable of causing significant financial loss to your organisation
  • Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage

The ENISA guidelines provide further criteria, including the number of users affected, the duration of the disruption, and the geographic spread of the impact. When in doubt, err on the side of reporting: the consequences of under-reporting are significantly worse than those of over-reporting.

The 24-Hour Early Warning

The early warning is a brief, initial notification. You are not expected to have full details at this stage. The notification should include:

  • Confirmation that a significant incident has occurred or is suspected
  • Whether the incident appears to be caused by unlawful or malicious action
  • Whether the incident has or may have cross-border impact

In Ireland, notifications are made to the National Cyber Security Centre (NCSC) or the relevant sectoral authority (e.g., the Central Bank for financial services, the HSE for healthcare). Your organisation should have the relevant contact details and a pre-drafted early warning template ready before an incident occurs.


The 72-Hour Incident Notification

The 72-hour notification requires a more substantive assessment. By this point, your incident response team should have:

  • Contained the immediate threat (or be actively doing so)
  • Identified the likely scope and nature of the incident
  • Begun forensic investigation to determine root cause

The notification should include an initial severity assessment, the services and systems affected, any indicators of compromise identified, and the measures taken or planned. If you have not yet determined the root cause, state this clearly — regulators understand that investigations take time.

The 30-Day Final Report

The final report is a comprehensive account of the incident. It should cover:

  • A full technical description of the incident, including timeline
  • The root cause analysis
  • The impact on services, users, and third parties
  • The remediation actions taken
  • Lessons learned and improvements to prevent recurrence

This report forms the basis of any regulatory review and may be shared with other EU member states if the incident has cross-border implications. It is also the document most likely to be scrutinised in any enforcement action.

What This Means for Your Business

The NIS2 reporting timeline demands that you have your incident response infrastructure in place before an incident occurs. Organisations that attempt to build their response capability in the middle of an active attack will almost certainly miss the 24-hour deadline — and face regulatory scrutiny as a result.

Key preparation steps include: designating a named individual responsible for regulatory notifications; pre-drafting early warning and incident notification templates; establishing a clear internal escalation path from detection to decision; and ensuring your incident response plan explicitly addresses the NIS2 reporting timeline.

A vCISO can help you build and test this capability, ensuring your organisation is ready to meet its NIS2 compliance obligations when it matters most.

Ready to Strengthen Your Security Posture?

Pragmatic Security works with Irish SMEs to build practical, proportionate cybersecurity programmes that protect your business, satisfy regulators, and give you confidence. Whether you need NIS2 compliance support, a vCISO on retainer, or a one-off security assessment, we're here to help.

Book a free 20-minute strategy call today — no jargon, no hard sell, just practical advice from an experienced Irish cybersecurity professional.

Or contact us at [email protected] or call +353 870 515 776.

