Trusq

factual analysis · traceable to primary sources

Explainer

NIS2: what exactly does the 24/72-hour reporting duty involve?

Adopted 2026-06-14 · ≈ 1 min read · Dirk Baaijen

For a significant incident, NIS2 sets tight deadlines: an early warning within 24 hours, a formal notification within 72 hours and a final report within a month — to the national authority/CSIRT. What counts as significant, and how to set yourself up for it.

NIS2 has a phased reporting duty for significant incidents. The deadlines are short, so the reporting process must be arranged in advance.

The three steps

  1. Within 24 hours — early warning. An initial notification to the national authority or CSIRT that a significant incident is under way (suspected malicious cause, cross-border effect).

  2. Within 72 hours — incident notification. A substantive update: severity, impact, indicators of compromise.

  3. Within one month — final report. A closing report with root cause, measures and consequences.

What is "significant"?

Broadly: an incident causing serious operational disruption or financial loss, or that may significantly affect other parties. The exact thresholds are in the implementing rules and national law.

What to do

  • Document the process before anything happens: who reports, via which channel, within which deadline.

  • Practise it — 24 hours is short; improvising during an incident costs you the deadline.

  • Connect it to your suppliers — an incident at a supplier may also trigger your reporting duty.


Sources

  1. https://eur-lex.europa.eu/eli/dir/2022/2555/oj
    Directive (EU) 2022/2555 (NIS2): phased reporting duty for significant incidents (early warning, notification, final report).
  2. https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
    European Commission — NIS2: incident reporting and supervision.

About this knowledge base

Compiled and maintained by YRproject — programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.
