NIS2 Incident Reporting: What to Do When a Cyber Event Occurs

When a cyber event hits, NIS2 demands fast action. This step-by-step guide covers what Irish SMEs must do from detection to final report.

When a Donegal healthcare supplier detected unusual activity on its network in early 2026, the management team had no incident response plan and no idea who to call. By the time they contacted the NCSC Ireland, the 24-hour NIS2 reporting window had already closed. The NIS2 Directive places a strong emphasis on timely and effective incident reporting — for Irish Small and Medium-sized Enterprises (SMEs) falling within its scope, having a clear plan before a cyber event occurs is not optional. Failure to comply with NIS2 incident reporting obligations can lead to significant penalties and reputational damage.

Understanding NIS2 Incident Reporting Requirements

NIS2 mandates a multi-stage incident reporting process designed to ensure that relevant authorities are informed promptly and comprehensively. The directive distinguishes between a "significant incident" – one that causes or is capable of causing severe operational disruption or financial loss, or that affects other natural or legal persons – and other cyber events [1]. Only significant incidents trigger the mandatory timelines below; other incidents, cyber threats and near misses may be reported voluntarily, and a voluntary notification does not expose the entity to obligations it would not otherwise have had.

Key Reporting Timelines:

  1. Early Warning (within 24 hours): Entities must submit an early warning to the relevant Computer Security Incident Response Team (CSIRT) or, where applicable, the competent authority (in Ireland, the National Cyber Security Centre) without undue delay and in any event within 24 hours of becoming aware of a significant incident. This initial notification need only indicate, where applicable, whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.
  2. Incident Notification (within 72 hours): A more detailed incident notification must be submitted within 72 hours of becoming aware of the significant incident. It updates the information provided in the early warning and gives an initial assessment of the incident, including its severity and impact and, where available, indicators of compromise. The CSIRT or competent authority may also request an intermediate status update at any point while the incident is being handled.
  3. Final Report (within one month): A final report must be submitted no later than one month after the 72-hour incident notification, not one month after the incident itself. It must contain a detailed description of the incident, including its severity and impact; the type of threat or root cause that likely triggered it; the mitigation measures applied and still ongoing; and, where applicable, its cross-border impact. If the incident is still ongoing when that month is up, a progress report is due at that point instead, and the final report follows within one month of the incident being handled.

What Constitutes a "Significant Incident"?

NIS2 defines a significant incident as one that:

  • Has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned.
  • Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage [1].

It is crucial for Irish SMEs to establish clear internal criteria for identifying such incidents (for example, thresholds for service downtime, number of affected customers or estimated financial loss) so that the decision to report is made quickly and the 24-hour clock is not lost to deliberation.

Step-by-Step Guide: What to Do When a Cyber Event Occurs

Having a pre-defined incident response plan is critical. Here’s a step-by-step guide for Irish SMEs to follow:

Step 1: Detection and Initial Assessment

Be vigilant for signs of a cyber event — unusual system behaviour, unauthorised access alerts, or user reports. Quickly triage the nature and potential scope: is it a data breach, a ransomware attack, or a service disruption? Assemble your designated incident response team immediately (internal or external, such as your vCISO), and record the time at which the organisation became aware of the incident: that moment, not the time the investigation concludes, starts the 24-hour early-warning clock.

Step 2: Containment

Isolate affected systems to prevent further spread, but prefer network isolation (pulling the cable, disabling the switch port or moving the host to a quarantine VLAN) over powering the machine off, since shutting down destroys memory and running-process evidence. Simultaneously, preserve all logs, system images and relevant data for forensic analysis, copying logs off the affected hosts before they rotate or are encrypted, and keep a written record of who did what and when. Evidence is critical for both investigation and regulatory reporting.
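As an added example (not code from the original article or from Pragmatic Security), the script below shows one way to do the preservation half of this step: copy the logs off an affected host into a read-only evidence directory with a SHA-256 manifest, then re-verify the copies before they are handed to investigators or quoted in a report. The sample log lines, directory layout and case ID are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not part of the original article): snapshot log files into a
# read-only evidence directory with a SHA-256 manifest, so the copies can later
# be shown to be unaltered when used for forensic analysis and for the NIS2 and
# GDPR reports. Directory and case-ID conventions below are assumptions.
set -euo pipefail

# Use whichever SHA-256 tool is present (coreutils on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# preserve_evidence SOURCE_DIR DEST_DIR CASE_ID
# Copies every regular file under SOURCE_DIR to DEST_DIR/CASE_ID/files, keeping
# original timestamps, records hash, size and path of each copy in MANIFEST.txt,
# hashes the manifest itself, makes the tree read-only and prints the manifest path.
preserve_evidence() {
    local src="${1%/}" dest="${2%/}" case_id="$3"
    local evid="$dest/$case_id" manifest="$dest/$case_id/MANIFEST.txt"
    mkdir -p "$evid/files"
    {
        printf 'case_id\t%s\n' "$case_id"
        printf 'collected_utc\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'collector_host\t%s\n' "$(uname -n)"
        printf 'sha256\tbytes\tpath\n'
    } > "$manifest"
    # cp -p keeps the original mtime, which is itself evidence of when a log was written.
    find "$src" -type f | sort | while IFS= read -r f; do
        rel="${f#"$src"/}"
        mkdir -p "$evid/files/$(dirname "$rel")"
        cp -p "$f" "$evid/files/$rel"
        printf '%s\t%s\t%s\n' "$(sha256_of "$evid/files/$rel")" \
            "$(wc -c < "$evid/files/$rel" | tr -d ' ')" "$rel" >> "$manifest"
    done
    sha256_of "$manifest" > "$manifest.sha256"
    chmod -R a-w "$evid"
    printf '%s\n' "$manifest"
}

# verify_evidence DEST_DIR CASE_ID
# Re-hashes the manifest and every preserved file; succeeds only if nothing has
# changed since collection. Run this before handing evidence to investigators.
verify_evidence() {
    local evid="${1%/}/$2" manifest="${1%/}/$2/MANIFEST.txt"
    [ "$(sha256_of "$manifest")" = "$(cat "$manifest.sha256")" ] || return 1
    # Lines 1-4 are headers; the rest are sha256<TAB>bytes<TAB>path.
    tail -n +5 "$manifest" | while read -r sum _bytes rel; do
        [ "$(sha256_of "$evid/files/$rel")" = "$sum" ] || exit 1
    done
}

# Demo on constructed sample logs: ./preserve_evidence.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work="$(mktemp -d)"
    mkdir -p "$work/logs/auth"
    # Constructed sample log lines, not real data.
    printf 'Jan 10 09:12:01 host sshd[212]: Accepted password for admin from 203.0.113.7\n' \
        > "$work/logs/auth/auth.log"
    printf '203.0.113.7 - - [10/Jan/2026:09:13:44 +0000] "GET /admin HTTP/1.1" 200 512\n' \
        > "$work/logs/access.log"
    m="$(preserve_evidence "$work/logs" "$work/evidence" "IR-2026-001")"
    echo "manifest written to $m"; cat "$m"
    if verify_evidence "$work/evidence" "IR-2026-001"; then echo "evidence intact"; fi
    chmod -R u+w "$work" && rm -rf "$work"
fi
```

The manifest records the collection time, the collecting host and the hash of every copy, and the manifest is hashed in turn, so the whole set can be re-checked at any later stage of the investigation; a mismatch from `verify_evidence` means the copy has been altered since collection and should not be relied on in the report.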

Step 3: Early Warning (within 24 hours)

If the incident is deemed significant, submit an early warning to the National Cyber Security Centre (NCSC) in Ireland within 24 hours of becoming aware. This can be brief, and you are not expected to have all the answers yet: state what you know, whether you suspect unlawful or malicious activity and whether there could be a cross-border impact, and say that further detail will follow. Do not hold the early warning back to finish the investigation; the 72-hour notification exists for that. Simultaneously, inform relevant internal stakeholders: management, legal, and communications [^1].

Step 4: Eradication and Recovery

Eliminate the cause of the incident (remove malware, close the initial access route, reset compromised credentials, patch vulnerabilities), then restore affected systems from backups known to predate the compromise. Verify the integrity of restored data before reconnecting systems to production, and monitor continuously to confirm the threat has not returned.

Step 5: Detailed Incident Notification (within 72 hours)

Provide a more detailed notification to the NCSC within 72 hours of becoming aware, including an initial assessment of the incident, its severity and impact, and any indicators of compromise. If personal data is involved, GDPR separately requires notifying the Data Protection Commission (DPC) within 72 hours of becoming aware of the personal data breach, and informing the affected individuals where the breach is likely to result in a high risk to them [^3]. One notification does not satisfy the other: the NIS2 and GDPR obligations run to different authorities under different tests, so coordinate both so that the same facts are gathered once and submitted to each.

Step 6: Post-Incident Review and Final Report (within one month)

Conduct a thorough post-incident analysis to understand the root cause, identify areas for improvement, and update your incident response plan. Then submit your final report to the NCSC no later than one month after the 72-hour notification, detailing the incident, its impact, the root cause, the mitigation measures applied and, where applicable, any cross-border impact. Act on the lessons learned.

The Role of a vCISO in Incident Reporting

A Virtual CISO (vCISO) can be an invaluable asset for Irish SMEs navigating NIS2 incident reporting. A vCISO helps create and regularly test a robust incident response plan aligned with NIS2 requirements, provides expert guidance during an active incident, coordinates timely and accurate notifications to the NCSC and DPC, and leads the post-incident review to identify root causes and implement preventative measures.

Conclusion

NIS2 incident reporting is a critical obligation for many Irish SMEs, demanding a proactive and well-prepared approach. By understanding the timelines, defining "significant incidents," and having a clear step-by-step plan, businesses can effectively manage cyber events and meet their regulatory duties. Engaging with expert cybersecurity support, such as a vCISO, can significantly enhance your incident response capabilities and ensure compliance, safeguarding your business from the severe consequences of cyber threats.


References:

[1] European Union. (2022). Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive). Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555
[2] National Cyber Security Centre Ireland. (n.d.). NIS2 Directive. https://www.ncsc.gov.ie/advice-for-organisations/nis2-directive/
[3] European Parliament and Council. (2016). Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

Related Reading

[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — National Cyber Crime Bureau: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission Ireland: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.