The reporting obligations under NIS2 Art. 23 are one of the sharpest aspects of the directive: significant security incidents must be reported to the competent authority within 24 hours, clear follow-up deadlines apply, and violations carry the threat of fines.
The three reporting deadlines at a glance
NIS2 Art. 23 defines a three-stage reporting system: (1) early warning within 24 hours — first notification of the competent authority about a significant incident. (2) notification within 72 hours — full initial report with incident classification, first assessment of severity and possible cross-border impacts. (3) final report within one month — complete description, root cause analysis, measures taken and prevention measures.
The 24-hour deadline for the NIS2 early warning is extremely short. Companies need ready-made incident response processes and reporting templates before an incident occurs.
What is a significant security incident?
An incident is significant if it: (a) has caused or may cause serious operational disruption or financial loss, or (b) has affected or may affect other natural or legal persons by causing considerable material or non-material damage. Examples: ransomware attacks, DDoS attacks on critical services, data breaches with sensitive data, outages of critical systems beyond a threshold.
360TPRM detects security incidents at suppliers immediately and provides the data basis for NIS2-compliant reports.