NIS2 Incident Reporting: What, Who, How (24/72/30)
TL;DR
- Three deadlines for significant incidents: 24h early warning, 72h update, 30-day final report
- Channel: the BSI portal at bsi.bund.de/meldungen is the mandatory route; email is fallback only
- Crisis-team activation within 30 minutes of detection
- Parallel GDPR Art. 33 notification within 72 hours when personal data is affected
- Weekend deadlines run. 24/7 crisis-team coverage is mandatory
1. Detection and crisis-team activation
Triggers: SOC alert, IT failure, supplier notice, end-user report. Activate the crisis team within 30 minutes. Assign an incident commander, a communications lead, and a legal contact. Start the timeline log; everything that follows is evidence.
2. The 24-hour early warning to BSI
Submit via the BSI portal: bsi.bund.de/meldungen. Required content: timestamp of detection, incident type (ransomware, DDoS, data breach, etc.), preliminary damage estimate, immediate measures taken, and the contact person reachable around the clock.
3. The 72-hour update
Required content: detailed damage assessment, technical indicators of compromise (IoCs), identified vulnerabilities and the exploitation path, additional containment and eradication measures, and updated stakeholder communications.
4. The 30-day final report
Required content: root-cause analysis, lessons learned, a corrective and preventive action plan, and an avoidance strategy. The report must demonstrate that systemic gaps are being closed, not just that symptoms have been patched.
5. Parallel GDPR Art. 33 notification
If personal data is affected, a separate 72-hour notification to the data-protection authority is required. NIS2 and GDPR run in parallel, not sequentially. Use a unified incident form internally to avoid contradictions across the two notifications.
6. Supplier escalation
If the affected data sits with a supplier, the notification obligation still applies, even when you are not the primary controller. Contracts should give you the right to receive supplier-incident details fast enough to meet your own 24-hour deadline.
Summary
Reporting cadence is the single most-tested NIS2 obligation in audits. The fix is rehearsal: tabletop exercises that walk the 24/72/30 cadence end-to-end, with a templated notification form and a tested call tree.
Frequently Asked Questions
Weekends?
Deadlines run through weekends and public holidays; the 24-hour clock starts at detection, which is why 24/7 crisis-team coverage is mandatory.
Is e-mail sufficient?
No. The BSI portal at bsi.bund.de/meldungen is the mandatory route; e-mail is a fallback only.
Sources
- Directive (EU) 2022/2555 — NIS2 (As of: 2026-05-02)
- BSIG 2025 (Section 32 reporting cascade) (As of: 2026-05-02)
- Regulation (EU) 2016/679 — GDPR (Art. 33) (As of: 2026-05-02)