Incident Command Platform

NIS2 Incident Reporting Software

For essential and important entities under Directive (EU) 2022/2555. IR-OS runs the NIS2 three-stage clock - 24-hour early warning, 72-hour notification with initial assessment, one-month final report - from a single incident record. Counsel of record reviews each draft. Submissions to the national CSIRT or competent authority are captured back in the hash-chained ledger. Cross-border notification supported. Built from 150+ real C-Suite tabletop exercises with EU-regulated entities.


NIS2 is a three-stage clock. A single notification at 72 hours is not enough. The directive requires an early warning at 24 hours, an incident notification with initial assessment at 72 hours, and a final report at one month. Each stage has different content requirements. Treating it as a single submission is the most common cause of incomplete reporting.

The NIS2 three-stage clock

01. 24-hour early warning

Initial notification to the CSIRT or competent authority that a significant incident has occurred. Cross-border or malicious-cause indication if known.

02. 72-hour notification

Updated notification with initial assessment, severity, impact, and indicators of compromise. Counsel-reviewed under privilege before submission.

03. One-month final report

Detailed description of the incident, severity and impact, threat type, mitigation measures applied and ongoing, and cross-border impact assessment.

04. Significance threshold

Article 23 inputs surfaced for legal assessment: operational disruption, financial loss, affected natural and legal persons. Determination captured with rationale.

05. Cross-border fan-out

Multi-jurisdiction notification for incidents affecting more than one Member State. Each authority captured as a separate submission target.

06. Parallel regulatory clocks

NIS2 alongside GDPR Article 33 (72 hours), DORA, sector regulators, cyber insurance first-notice. Each from its own trigger event.

[Figure: IR-OS dashboard with NIS2 three-stage clock and parallel GDPR and DORA clocks]

The reporting workflow

The hard part of NIS2 is not the 24-hour or 72-hour stage in isolation. The hard part is running the three stages alongside GDPR Article 33 for personal-data aspects, DORA for financial entities, sector regulators for critical infrastructure, and the cyber insurance carrier first-notice - all while the technical investigation is still in progress. IR-OS captures each stage's start event separately, surfaces the content requirements at draft time, runs the clocks in parallel without dependency between them, and captures every submission and confirmation in the hash-chained record. The audit trail is exportable for the competent authority, the cooperation group, or the management body's audit committee.

Common questions

What does NIS2 require for incident reporting?

NIS2 (Directive (EU) 2022/2555) requires essential and important entities to notify their national CSIRT or competent authority on a three-stage clock for significant incidents: a 24-hour early warning, a 72-hour incident notification with initial assessment, and a one-month final report with detailed findings and remediation. IR-OS runs all three clocks from the same source-of-truth incident record and produces drafts at each stage for counsel review.

What counts as a significant incident under NIS2?

NIS2 Article 23 defines a significant incident as one that has caused or is capable of causing severe operational disruption or financial loss, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. The threshold is jurisdiction-specific - each Member State's transposition adds quantitative criteria. IR-OS surfaces the threshold inputs (impact, scope, duration, affected parties) for the legal team to assess and captures the determination event with rationale.

Does NIS2 reporting integrate with our other regulatory clocks?

Yes. The same incident record runs the NIS2 three-stage clock alongside GDPR Article 33 (72 hours, supervisory authority), HIPAA, SEC Item 1.05, NY DFS, DORA major ICT, state breach laws, and cyber insurance first-notice. Each clock starts from its own trigger event. The platform makes the parallel clocks impossible to forget; the most common cause of missed obligations is treating the regulators as a single workflow.

Who in our org submits the NIS2 notification?

NIS2 places the obligation on the entity, with the management body responsible. In practice, the GC or DPO drafts in the Legal Liaison role, counsel of record reviews under privilege, and the CISO or designated single point of contact submits to the national CSIRT or competent authority through the prescribed channel. IR-OS captures the submission event and the regulator confirmation back into the incident record.

What if our org operates across multiple Member States?

Each Member State designates its own competent authority and CSIRT. Cross-border incidents may require notification to multiple authorities under the cooperation mechanisms in the directive. IR-OS supports multi-jurisdiction notification by fanning the affected-population and notification artifacts across the relevant authorities, with each submission captured separately in the record.

Run the NIS2 three-stage clock from a single record

24 hours, 72 hours, one month. Counsel-reviewed drafts at each stage. Cross-border submissions captured.
