Ga naar inhoud

NIS2 ·

NIS2 incident notification: practical timelines and evidence in 2026

June 2026. Under NIS2 and national cybersecurity law, in-scope organisations must report significant incidents to competent authorities — often within 24 hours for an early warning and within 72 hours for a fuller report. In practice failure happens on two points: starting triage too late and insufficient evidence of decision-making.

When is notification mandatory?

Not every security incident is a NIS2 notification. Yes when there is significant impact on services, chain partners or society — or when supervisors interpret it that way. Always document your assessment: why notify or not, who decided, when.

  • early warning: first signs of serious incident (within 24 hours where required);
  • follow-up: impact, root cause, measures (within 72 hours or per national rules);
  • chain: inform critical customers/vendors per contract and law;
  • GDPR: parallel duty for personal data — separate file, same timeline discipline.

Playbook that works under pressure

  1. Detection → triage: SOC, IT or user reports; CISO/DPO involved within 30 minutes.
  2. Classification: impact on services, data, chain; legal/supervisory advice.
  3. Communication: internal (board), external (supervisor, chain), press if needed.
  4. Recording: timestamps, decisions, attachments — ISO 27001 incident register.

Link with ISO 27001

ISO 27001 does not require NIS2 notification but does require incident recording and follow-up. Use one register tagged NIS2/GDPR/ISO. Link to NIS2 hub, incident management and ISMS.

In 2026 chain partners explicitly ask for evidence that you tested notification processes — not only a PDF procedure. Plan a tabletop with ransomware + SaaS outage scenarios. Record lessons in management review.

Leadership must mandate who notifies on behalf of the organisation. CISO alone is insufficient without board decision on timing and content. Put notification duties on the annual board cyber agenda.

For SME vendors in vital chains: even outside formal NIS2 scope contracts may impose notification timelines. Align contract SLAs with your playbook so you do not maintain two different speeds.

Documentation supervisors expect

Keep per incident a file with timeline, classification, legal assessment, draft notification and final notification or justified non-notification. Ticket and email thread screenshots beat verbal handover. Link the file to your ISO 27001 CAP process when structural measures are needed.

Exercise with a scenario where initial impact is unclear — more realistic than a textbook breach. Also train communication to chain partners: many contracts require notification within 24 hours regardless of national NIS2 timelines.

Leadership must mandate who communicates externally. One spokesperson prevents contradictory messages to supervisors, press and customers. Record roles in the ISMS and review annually.

Next steps in your ISMS

Turn this article into one concrete action in your risk register or improvement plan: owner, deadline, expected evidence. Discuss progress in the next management review — auditors and chain partners want decisions, not policy intent alone. Link where possible to existing ISO 27001, NIS2 or GDPR documentation so you do not maintain parallel folders.

Questions on scope, certification or chain requirements? Use our readiness overview and knowledge base for deeper guidance. This article does not replace legal or audit advice for your situation.

Share relevant findings briefly with line management and procurement — compliance becomes workable when the whole organisation recognises the same priorities. Repeat the chosen action quarterly in team meetings and update evidence locations in your SoA or control plan so surveillance samples are easy to answer.

What to do this week

Pick one concrete action from this article, assign an owner and add it to your risk or improvement register with a deadline. Share briefly in team meetings so compliance is something the line recognises. Repeat quarterly in management review so leadership sees progress, not only intent.

Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.

Evidence and governance

Record who owns the measures in this article and how you prove operation in the sample period — logs, tickets, approved changes or exercise reports. Certification bodies and chain partners do not accept intent without samples. Link evidence locations to your SoA or control plan so internal and external audit use the same sources.

Chain and contracts

Many 2026 requirements come via customers, not only formal law scope. Align contract SLAs with your ISMS: incident notification, audit rights, patch timelines and exit. Document where contract is stricter than internal policy — management review must explicitly accept that gap or plan investment.

Deep dive in the knowledge base

Run the NIS2 readiness scan

Align NIS2 expectations with your existing management system.

Start NIS2 scan

← Back to overview