SaaSFort

NIS2 Incident Response — the 24h / 72h / 1-month chain

NIS2 Article 23 obliges every in-scope entity to notify a significant incident in three stages: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. This page explains exactly what each stage contains, when each clock starts, and where to file in Germany — plus the templates and the external-posture evidence the BSI auditor expects alongside the filings.

When is an incident "significant"?

Article 23(3) — an incident triggers the reporting chain if any one of these three conditions is met (or could be met):

  • Has caused or is capable of causing severe operational disruption of the services
  • Has caused or is capable of causing financial loss to the affected entity
  • Has affected or is capable of affecting other natural or legal persons by causing material or non-material damage

Commission Implementing Regulation (EU) 2024/2690 adds quantitative sectoral thresholds (downtime hours, affected-user counts, financial-loss bands). When in doubt, file — the early warning is short by design and the cost of over-filing is far lower than the cost of missing the 24h clock.

The three-stage Article 23 chain

  1. Within 24 hours · Early warning

    A short flash notification to the competent authority and the national CSIRT that a significant incident has occurred or is likely to occur. Optimised for speed, not completeness.

    What to send

    • Suspected unlawful or malicious cause (yes / no / unknown)
    • Suspected cross-border impact (yes / no)
    • A short factual description (one to three sentences)

    Destination

    BSI Meldeportal (Germany) or your member-state CSIRT. The 24h clock starts at "awareness" — the moment a person inside the organisation has reasonable cause to consider the incident significant.

  2. Within 72 hours · Incident notification

    A fuller report updating the early warning with an initial assessment of severity, impact, and any preliminary indicators of compromise.

    What to send

    • Updated severity and impact assessment
    • Indicators of compromise (IOCs) where known
    • Affected systems, services, and approximate user count
    • Initial cross-border impact assessment

    Destination

    Same channel as the early warning. Updates the previous filing; does NOT restart the clock.

  3. Within 1 month · Final report

    A complete post-incident report covering root cause, mitigation, cross-border impact, and the corrective measures implemented.

    What to send

    • Detailed root-cause analysis
    • Type of threat / vulnerability exploited
    • Mitigation and remediation steps already applied
    • Lessons learned and changes to risk-management measures
    • Final cross-border impact statement

    Destination

    Same channel. If the incident is ongoing at the 1-month mark, an interim report is filed and a final report follows once it concludes.
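To make the three clocks concrete, here is an added example (not SaaSFort's code) that records the awareness timestamp and checks each stage against its deadline, including the interim-report case when the incident is still ongoing at the one-month mark. It assumes the one-month final-report clock runs from the time the 72-hour notification was submitted (confirm the reference point against the Directive text), and all timestamps are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Stage 1 and 2 clocks run from "awareness" (page: not detection, not escalation).
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)  # an update of stage 1; no restart


def add_one_month(ts: datetime) -> datetime:
    """Same day next calendar month, clamped when that month is shorter."""
    year, month = ts.year + ts.month // 12, ts.month % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass
class Art23Incident:
    awareness: datetime                              # log this immediately
    early_warning_filed: Optional[datetime] = None
    notification_filed: Optional[datetime] = None
    final_report_filed: Optional[datetime] = None
    ongoing: bool = False                            # still unresolved?

    def deadlines(self) -> Dict[str, datetime]:
        d = {"early_warning": self.awareness + EARLY_WARNING,
             "incident_notification": self.awareness + INCIDENT_NOTIFICATION}
        # Assumption: the one-month clock starts when the 72h notification is sent.
        if self.notification_filed is not None:
            d["final_report"] = add_one_month(self.notification_filed)
        return d

    def status(self, now: datetime) -> Dict[str, str]:
        filed = {"early_warning": self.early_warning_filed,
                 "incident_notification": self.notification_filed,
                 "final_report": self.final_report_filed}
        out = {}
        for stage, due in self.deadlines().items():
            ts = filed[stage]
            if ts is not None:
                out[stage] = "filed" if ts <= due else "filed_late"
            elif now > due:
                # Ongoing at the 1-month mark: interim report now, final later.
                late = stage == "final_report" and self.ongoing
                out[stage] = "interim_report_required" if late else "overdue"
            else:
                out[stage] = "due"
        return out


# Constructed timeline: aware Tue 09:00, early warning in time, 72h filing one hour late.
UTC = timezone.utc
SAMPLE = Art23Incident(awareness=datetime(2026, 3, 10, 9, 0, tzinfo=UTC),
                       early_warning_filed=datetime(2026, 3, 11, 8, 0, tzinfo=UTC),
                       notification_filed=datetime(2026, 3, 13, 10, 0, tzinfo=UTC))
```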

External posture evidence the BSI auditor will ask for alongside the filing

An Art. 23 filing is rarely standalone. The BSI almost always follows up asking for evidence that the entity had its NIS2 Art. 21(2) measures in place at the time of the incident. SaaSFort produces that external-posture evidence in 60 seconds — an A–F grade mapped to Art. 21, with a downloadable auditor-addressed PDF.

Frequently asked questions

When does the NIS2 24-hour clock start?

At the moment of awareness — defined as the first time a person inside the entity has reasonable cause to consider the incident significant under Article 23(3) criteria. It is not the moment of attack, the moment of detection by tooling, or the moment of management escalation. Inside the entity, you should document the awareness timestamp in your incident log immediately.

What counts as a significant NIS2 incident?

An incident is significant under Art. 23(3) when it has caused (or is capable of causing) severe operational disruption of the service or financial loss to the entity, OR has affected (or is capable of affecting) other natural or legal persons by causing material or non-material damage. The Commission Implementing Regulation 2024/2690 sets quantified sectoral thresholds (downtime hours, affected user counts, financial-loss bands).

What information goes in the 24-hour early warning?

Only three things: (1) whether an unlawful or malicious cause is suspected, (2) whether cross-border impact is suspected, (3) a one-to-three-sentence factual description. The early warning is deliberately short — it is meant to trigger the CSIRT / authority, not to contain full forensic detail. The 72-hour notification is where the depth comes in.

Where do German entities file the NIS2 incident report?

The BSI Meldeportal — Germany's federal mandatory-notification portal. Registration in the Meldeportal closed 6 March 2026; entities that missed registration are now actively non-compliant and must register on first opportunity before filing. The same portal handles the 24h, 72h and 1-month filings as updates to a single incident record.

What happens if I miss the 24-hour clock?

You are non-compliant with Art. 23 and exposed to fines (up to €10M / 2% of global turnover for essential entities under §41 BSIG) and to potential management-body liability under §38 BSIG. File late immediately with a documented reason; the lateness itself is a fact the authority will assess. Do not let the lateness compound into a missed 72-hour deadline.

Templates and deeper guides

Related cornerstones: NIS2 / BSI / ISO 27001 glossary · BSI IT-Grundschutz Bausteine · Industry-specific NIS2 checklists