
NIS2 Incident Reporting: The 24-Hour Notification Guide for Irish SMEs

The moment you become aware of a significant cyber incident under NIS2, a clock starts running. Not when you've confirmed it. Not when you've contained it. The moment you're aware.

You have 24 hours to submit an early warning to your competent authority. 72 hours for a detailed incident report. 30 days for a final assessment.

Most Irish organisations subject to NIS2 have no formal process for any of this. If you're unsure whether NIS2 applies to your business, start with our NIS2 compliance checklist — this guide assumes you're in scope and focuses specifically on what happens when an incident occurs.

What Is a "Significant Incident" Under NIS2?

Not every security event triggers NIS2 notification obligations. The regulation applies to "significant" incidents — defined by their impact on the availability, integrity, authenticity, or confidentiality of services or data.

An incident is considered significant if it causes or may cause:

  • Severe operational disruption to services the organisation provides
  • Financial losses to the organisation itself
  • Damage to other natural or legal persons — including economic, material, or non-material harm

In practice, any incident that meaningfully affects your ability to deliver services, or that exposes personal or operational data, should be assessed against these criteria immediately — not after you've fully scoped the impact.

The Three-Stage Reporting Timeline

NIS2 Article 23 sets out three distinct reporting obligations:

Stage 1: Early Warning — Within 24 Hours

Purpose: notify your competent authority that a significant incident has occurred.

Your early warning must include:

  • Confirmation that a significant incident has occurred or is suspected
  • Whether cross-border impact is possible
  • Whether criminal activity is suspected

This is a notification, not a comprehensive report. The key requirement is timeliness.

Stage 2: Incident Notification — Within 72 Hours

Purpose: provide a more detailed update.

Your 72-hour report should include:

  • Initial assessment of severity and impact
  • Whether cross-border impact is suspected
  • Indicators of compromise where known
  • Steps taken or in progress to mitigate

This requires what you know at the time — not a completed investigation.

Stage 3: Final Report — Within One Month

Purpose: comprehensive account once investigation and remediation are complete.

Your final report must include:

  • A detailed description of the incident including its full impact
  • The type of threat or root cause most likely responsible
  • All mitigation and remediation measures applied
  • Cross-border impact where applicable

Who Do You Notify in Ireland?

In Ireland, the primary competent national authority for NIS2 is the National Cyber Security Centre (NCSC), operating under the Department of the Environment, Climate and Communications.

Sector-specific competent authorities also apply:

  • Financial services — Central Bank of Ireland
  • Health — Health Information and Quality Authority (HIQA)
  • Energy — Commission for Regulation of Utilities (CRU)

Locate the NCSC reporting portal and emergency contact line now — before you need them.

Penalties for Late or Missed Notifications

  • Essential entities: fines up to €10 million or 2% of global annual turnover
  • Important entities: fines up to €7 million or 1.4% of global turnover

Late notification is a breach of Article 23 and can be penalised independently from the underlying incident.

Building a Process Before an Incident Occurs

You need five things in place before an incident happens:

  1. Incident classification criteria — a written definition of what constitutes "significant" in your context
  2. Pre-approved notification contacts — NCSC details saved and accessible to whoever manages the response
  3. Notification templates — pre-drafted early warning and detailed report templates with fields to complete quickly
  4. A clear escalation path — who can approve and submit the notification without a committee discussion
  5. A tested process — exercised through tabletop simulation at least annually

How ShieldIQ Supports NIS2 Incident Reporting

ShieldIQ's incident management module tracks the 24-hour and 72-hour clocks automatically when you log an incident. The AI drafts the initial notification based on your entries. The tamper-evident activity trail provides an auditable record for the final report.
