NIS2 · 5 min read · 10 June 2026

NIS2 incident reporting: the timelines that catch teams out

A clear walk-through of NIS2's staged incident-reporting obligations (the early warning, the notification and the final report) and how to be ready for each.

Under NIS2, reporting a significant incident isn't a single email; it's a staged process on a clock. Teams that haven't rehearsed it tend to lose time at exactly the moment they can least afford to.

Who this applies to

NIS2 covers essential and important entities across a widened set of sectors. The supervisory regime differs between the two, but the incident-reporting discipline is similar: when an incident is significant, the reporting obligations begin.

The stages

NIS2 structures notification in steps, each with its own purpose and timing:

  1. Early warning: a fast initial flag that a significant incident has occurred, including whether it may be malicious or could have cross-border impact.
  2. Incident notification: a fuller update with an initial assessment of severity, impact and indicators of compromise.
  3. Final report: a detailed account once you understand the incident, covering root cause, mitigations applied, and any cross-border effects.

(Some situations also call for an intermediate update on request.)

The exact hours are set in the regulation and national transpositions; the point for resilience teams is that the clock starts at detection, not when you've finished investigating.

Why teams get caught out

  • The incident record lives in one tool, the regulatory narrative in another
  • Severity isn't classified consistently, so the "is this significant?" call is slow
  • The early warning, notification and final report are written from scratch each time
  • No single owner for the regulatory clock

Being ready

The fix is to make reporting a continuation of incident management, not a separate exercise:

  • Classify severity consistently so the "significant?" decision is fast
  • Capture the incident once and draft each stage from the same record
  • Keep an audit trail of what was reported, when
  • Let AI shape the regulatory narrative against the timelines, with a human approving

In ResiliencePilot, you capture the incident once and draft the early warning, notification and final report from it, with rAIley shaping the wording and your team submitting. See the NIS2 solution and how it compares with DORA.
