The Incident Readiness module helps your organisation prepare for the strict incident notification requirements under NIS2 Article 23. Rather than tracking live incidents (which is handled by the shared Incidents module), this module focuses on ensuring your organisation is ready to detect, classify, and report significant incidents within the mandated timeframes.

Article 23 Notification Requirements

NIS2 imposes a tiered notification regime for significant incidents. Your organisation must notify the relevant CSIRT or competent authority within the following deadlines:

Notification Timeline

| Deadline | Notification Type | Content Requirements |
|---|---|---|
| 24 hours | Early Warning | Without undue delay and within 24 hours of becoming aware of the significant incident. Must indicate: (a) whether the incident is suspected of being caused by unlawful or malicious acts, and (b) whether it could have a cross-border impact. |
| 72 hours | Incident Notification | Without undue delay and within 72 hours of becoming aware. Must update the early warning and provide: (a) an initial assessment of the incident including its severity and impact, and (b) indicators of compromise where applicable. |
| 1 month | Final Report | No later than one month after the incident notification submission. Must include: (a) detailed description of the incident including severity and impact, (b) the type of threat or root cause that likely triggered the incident, (c) applied and ongoing mitigation measures, and (d) where applicable, the cross-border impact. |
⚠️ The 24-hour early warning deadline is extremely tight. Organisations must have pre-established procedures, templates, and contact information ready before an incident occurs. Delays in notification can result in enforcement action and fines.
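
The three deadlines in the timeline above run from two different clock starts: the 24-hour and 72-hour deadlines from the moment of awareness, the final report from submission of the 72-hour notification. The following is an added example, not Venvera's own code; the function names, the UTC normalisation, and the "same day next month, clamped to month end" reading of "one month" are assumptions made for illustration.

```python
import calendar
from datetime import datetime, timedelta, timezone

def _utc(ts):
    # Reject naive timestamps: a deadline computed from an ambiguous
    # local time can be off by hours.
    if ts.tzinfo is None:
        raise ValueError("timestamp must carry a timezone")
    return ts.astimezone(timezone.utc)

def add_one_month(ts):
    # Assumption: "one month" = same day of the next calendar month,
    # clamped to that month's last day (31 Jan -> 28/29 Feb).
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)

def notification_deadlines(aware_at, notification_submitted_at=None):
    """Return the due times (UTC) for the notifications in the timeline table."""
    # Work in UTC so 24 h / 72 h are elapsed hours, not local wall-clock
    # hours that shift across a daylight-saving change.
    aware_utc = _utc(aware_at)
    due = {
        "early_warning": aware_utc + timedelta(hours=24),
        "incident_notification": aware_utc + timedelta(hours=72),
    }
    # The final-report clock starts when the 72 h notification is submitted,
    # not at awareness, so it is unknown until that submission exists.
    if notification_submitted_at is not None:
        due["final_report"] = add_one_month(_utc(notification_submitted_at))
    return due

def overdue(due, submitted, now):
    """Names of notifications whose deadline has passed without submission."""
    return sorted(n for n, t in due.items() if n not in submitted and now > t)

if __name__ == "__main__":
    # Constructed sample incident (not real data).
    aware = datetime(2025, 1, 29, 22, 15, tzinfo=timezone(timedelta(hours=1)))
    sent_72h = datetime(2025, 1, 31, 9, 0, tzinfo=timezone.utc)
    due = notification_deadlines(aware, sent_72h)
    for name, when in due.items():
        print(f"{name:22} due {when.isoformat()}")
    now = datetime(2025, 1, 31, tzinfo=timezone.utc)
    print("overdue:", overdue(due, set(), now))
```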

What Constitutes a "Significant Incident"

An incident is considered significant if it:

  • Has caused or is capable of causing severe operational disruption of the services or financial loss for the entity
  • Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage

Incident Readiness Checklist

The module provides an interactive readiness checklist to ensure your organisation has all necessary preparations in place. Each item can be marked as Complete, In Progress, or Not Started:

Checklist categories and items:
Governance
  • Incident response policy approved by management body
  • Incident response team formally designated with roles and responsibilities
  • Escalation matrix defined (technical, management, legal, communications)
  • Management body notification procedure documented
Detection
  • 24/7 monitoring capability or defined on-call procedures
  • Incident detection tools deployed (SIEM, IDS/IPS, EDR)
  • Log collection and retention policy implemented
  • Alert triage and classification procedures documented
Classification
  • Incident severity matrix defined (Critical/High/Medium/Low)
  • "Significant incident" criteria mapped to NIS2 thresholds
  • Decision tree for determining notification obligations
  • Cross-border impact assessment criteria defined
Notification
  • CSIRT/competent authority contact details recorded and current
  • Early warning template (24h) prepared
  • Incident notification template (72h) prepared
  • Final report template (30 days) prepared
  • Backup communication channels identified (if primary unavailable)
Response
  • Incident response playbooks for common scenarios
  • Forensic investigation capability (internal or contracted)
  • Evidence preservation procedures documented
  • Business continuity activation procedures linked
Testing
  • Tabletop exercises conducted (at least annually)
  • Notification dry-run performed with competent authority contact details
  • Lessons learned from previous exercises incorporated
  • Post-incident review process documented

Notification Templates

Venvera provides pre-built notification templates aligned with the content requirements specified in Art. 23. These templates can be customised for your organisation:

Early Warning Template (24 hours)

The early warning template captures the minimum information required:

  • Reporting entity details (name, NIS2 registration, sector)
  • Date and time the incident was detected
  • Preliminary description of the incident
  • Whether unlawful or malicious action is suspected (Yes / No / Unknown)
  • Potential cross-border impact (Yes / No / Unknown)
  • Contact person for follow-up

Incident Notification Template (72 hours)

The incident notification template expands on the early warning with:

  • Reference to the prior early warning
  • Updated description with additional details
  • Initial severity and impact assessment
  • Affected services and estimated number of affected users
  • Indicators of compromise (IoCs) if available
  • Mitigation measures taken so far

Final Report Template (30 days)

The final report template covers the full analysis:

  • Comprehensive incident description and timeline
  • Root cause analysis and threat type classification
  • Total impact assessment (operational, financial, reputational)
  • All mitigation and remediation measures applied
  • Cross-border impact details (if applicable)
  • Lessons learned and preventive measures implemented

Authority Contact Information

The module includes a section to manage contact details for relevant authorities. You can record:

| Field | Description |
|---|---|
| Authority Name | Name of the national CSIRT or competent authority |
| Country | EU Member State |
| Primary Contact Email | Official notification email address |
| Primary Contact Phone | Emergency or out-of-hours contact number |
| Notification Portal URL | Link to the online notification portal (if applicable) |
| Alternative Contact | Backup contact details |
| Notes | Specific instructions, reference numbers, or other details |

💡 Review and update authority contact information at least quarterly. National CSIRTs may change contact details, portal URLs, or submission procedures. Out-of-date contact information during a live incident can cause critical delays in meeting the 24-hour early warning deadline.

Cross-Reference with Incidents Module

The Incident Readiness module focuses on preparation. When an actual incident occurs, use the shared Incidents module (accessible from the main sidebar) to log, track, and manage the incident lifecycle. The Incidents module provides:

  • Incident creation and classification
  • Timeline tracking and status updates
  • NIS2 notification deadline tracking with countdown timers
  • Document attachments for evidence and reports
  • Post-incident review workflows

Readiness Assessment Scoring

Your overall incident readiness score is calculated based on the checklist completion status:

  • Complete items contribute full points toward the category score
  • In Progress items contribute half points
  • Not Started items contribute zero points

The overall readiness score is displayed as a percentage and feeds into the NIS2 dashboard compliance ring chart. Aim for a readiness score of at least 80% before considering your organisation prepared for NIS2 incident obligations.

ℹ️ Art. 23(11) allows the Commission to adopt implementing acts specifying the exact format and procedures for notifications. Check the Regulatory Updates module in Venvera for any new implementing acts that may affect notification requirements.