Under NIS2, You Have 24 Hours to Report a Significant Incident. Does Your Business Know What That Means?

NIS2 requires significant cyber incidents reported to NCSC Ireland within 24 hours. Most Irish SMEs have no plan for this. Here is what the obligation means in

At 3am on a Tuesday, your IT provider calls. Something is wrong with your systems. Files are inaccessible. There is unusual network activity. By 7am, it is clear you have had a significant incident.

Under NIS2, your 24-hour clock to notify the NCSC Ireland started four hours ago.

Most Irish businesses in scope for NIS2 do not have an incident response plan that includes a regulatory notification step. Many do not know where to report. Some are not certain whether their specific incident meets the threshold that triggers the obligation. All of this needs to be worked out in the first hours of a crisis — which is precisely the wrong time to work it out for the first time.


What Is the NIS2 Incident Reporting Requirement?

Under NIS2, transposed into Irish law, organisations classified as essential or important entities must notify the NCSC Ireland of any significant incident within 24 hours of becoming aware of it, with a fuller report due within 72 hours and a final report within one month.

The 24-hour notification is an early warning — it does not need to be a complete account. But it must happen within 24 hours. The clock starts from when your organisation became aware that a significant incident had occurred, not when the incident began.


What Qualifies as Significant

This is the question most Irish organisations cannot currently answer with confidence. NIS2 defines a significant incident as one that causes, or is capable of causing, severe operational disruption or financial losses — or that affects other natural or legal persons through substantial material or non-material damage.

In practice this includes: ransomware encrypting business systems, a data breach affecting customer or employee personal data, a sustained denial-of-service attack disrupting operations, or a supply chain compromise affecting your ability to deliver services. The NCSC Ireland has indicated it prefers organisations to over-report rather than under-report — an early notification subsequently found not to meet the threshold carries no penalty [^1].

Does your business have a documented process for identifying a significant incident and notifying the NCSC Ireland within 24 hours? If not, that gap is a regulatory exposure today. Book a free 20-minute strategy call — we can help you build a notification-ready incident response plan.


The Three-Stage Reporting Process

The NIS2 timeline has three stages, each with different requirements.

The early warning within 24 hours is a brief notification — the nature of the incident and whether it may have cross-border impact. The purpose is to alert the NCSC Ireland so it can mobilise support if needed.

The incident notification within 72 hours updates with more detail — severity, likely cause if known, mitigation actions taken, and whether cross-border impact has been confirmed.

The final report within one month provides a full account — root cause, impact, remediation completed, and lessons learned.

For a Donegal or Sligo business in scope, meeting these deadlines under pressure requires preparation that cannot be done during the incident. You need to know who is responsible for the notification, where the NCSC notification portal is, what information you will need, and how you will document the timeline from the moment you became aware.


Why Most Irish SMEs Are Not Ready

The 24-hour requirement is the hardest to meet because incidents typically begin as ambiguous situations. Exactly what happened, how serious it is, and exactly when the organisation first became aware are not immediately clear. Establishing those facts while simultaneously managing the incident response is genuinely demanding.

Organisations that have not practised this through tabletop exercises consistently struggle. The NCSC Ireland noted in its 2024 annual report that notification delays were among the most common compliance gaps observed in incidents affecting Irish organisations that year.

A failure to notify within the required timeframes is itself a compliance breach, separate from the underlying incident. The supervisory authority can issue sanctions for notification failures regardless of how well the incident itself was managed. An organisation that handles an incident effectively but fails to notify on time is still exposed to enforcement action.


What Next

  1. Identify your reporting obligation. Confirm whether your business is an essential or important entity under NIS2. If your sector is healthcare, energy, transport, water, digital infrastructure, financial services, or food production — or if you supply those sectors — you are likely in scope.

  2. Establish your notification contacts. Identify who in your organisation makes NIS2 notifications, who their backup is, and where the NCSC Ireland reporting portal is. Write it down. Make sure more than one person knows it.

  3. Run a tabletop exercise. Simulate a significant incident. Walk through detection, containment, 24-hour notification, 72-hour notification. Identify the gaps. Fix them before an actual incident reveals them for you.


Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Related Reading

[^1]: NCSC Ireland — NIS2 Guidance
[^2]: ENISA — NIS2 Implementation
[^3]: Data Protection Commission Ireland

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.
