Article 23 of the NIS 2 Directive introduces a strict incident reporting timeline that catches many organizations off guard. When a significant cybersecurity incident occurs, you must:
- Submit an early warning within 24 hours
- Submit an incident notification within 72 hours
- Submit a final report within 1 month
Why Most Organizations Fail at This
The 24-hour clock doesn't start when you've fully investigated the incident — it starts when you become aware of it. Most organizations fail because:
- They don't have detection mechanisms that surface incidents quickly
- There's no clear internal escalation path
- Nobody knows who the national competent authority (NCA) is or how to contact it
- The early warning template isn't prepared in advance
Building Your Pipeline
A functional incident reporting pipeline has four layers:
- Detection: Automated monitoring plus human reporting channels. Every employee should know how to flag a potential incident.
- Triage: A documented severity classification that determines whether the NCA needs to be notified. NIS 2 defines "significant" incidents based on operational disruption, number of affected users, and potential financial impact.
- Escalation: Clear roles — who writes the early warning, who approves it, who submits it. This should be documented and rehearsed.
- Reporting: Pre-built templates aligned with your NCA's requirements. Different member states have different submission portals and formats.
The ShieldBase Approach
ShieldBase includes a built-in incident management module with NCA deadline tracking, severity classification aligned to the NIS 2 definition, and pre-built reporting workflows. When you log an incident, the system calculates your reporting deadlines and guides you through each milestone.