NIS2 · 5 min read · 10 June 2026

NIS2 incident reporting: the timelines that catch teams out

A clear walk-through of NIS2's staged incident-reporting obligations — the early warning, the notification and the final report — and how to be ready for each.

Under NIS2, reporting a significant incident isn't a single email — it's a staged process on a clock. Teams that haven't rehearsed it tend to lose time at exactly the moment they can least afford to.

Who this applies to

NIS2 covers essential and important entities across a widened set of sectors. The supervisory regime differs between the two, but the incident-reporting discipline is similar: when an incident is significant, the reporting obligations begin.

The stages

NIS2 structures notification in steps, each with its own purpose and timing:

  1. Early warning — a fast initial flag that a significant incident has occurred, including whether it may be malicious or could have cross-border impact.
  2. Incident notification — a fuller update with an initial assessment of severity, impact and indicators of compromise.
  3. Final report — a detailed account once you understand the incident: root cause, mitigations applied, and any cross-border effects.

(Some situations also call for an intermediate update on request.)

The exact hours are set in the regulation and national transpositions — the point for resilience teams is that the clock starts at detection, not when you've finished investigating.

Why teams get caught out

  • The incident record lives in one tool, the regulatory narrative in another
  • Severity isn't classified consistently, so the "is this significant?" call is slow
  • The early warning, notification and final report are written from scratch each time
  • No single owner for the regulatory clock

Being ready

The fix is to make reporting a continuation of incident management, not a separate exercise:

  • Classify severity consistently so the "significant?" decision is fast
  • Capture the incident once and draft each stage from the same record
  • Keep an audit trail of what was reported, when
  • Let AI shape the regulatory narrative against the timelines, with a human approving

In ResiliencePilot, you capture the incident once and draft the early warning, notification and final report from it — with rAIley shaping the wording and your team submitting. See the NIS2 solution and how it compares with DORA.
