NIS2 Art. 23 / ISO/IEC 27001:2022 A.5.24 / NIST SP 800-61r3 IR-6
NIS2 Directive (EU) 2022/2555

Are you ready to file an early warning to the CSIRT/competent authority within 24 hours of a significant incident (Art. 23)?

Description

What this control does

This control ensures the organization has established and is prepared to execute an early warning notification process to report significant cybersecurity incidents to the designated Computer Security Incident Response Team (CSIRT) or competent national authority within 24 hours of becoming aware of the incident, as mandated by Article 23 of the NIS2 Directive. The process includes pre-defined incident classification criteria to determine significance, escalation workflows, pre-authorized communication channels, contact details for relevant authorities, and a notification template containing required information elements. Readiness is demonstrated through documented procedures, trained personnel, tested communication paths, and evidence of capability to meet the strict 24-hour timeline under operational stress.

Control objective

What auditing this proves

Demonstrate that the organization possesses documented, tested, and operationally ready procedures to identify significant incidents and submit early warning notifications to the CSIRT or competent authority within 24 hours of incident awareness.

Associated risks

Risks this control addresses

  • Failure to notify authorities within the mandated 24-hour window resulting in regulatory penalties, fines, or enforcement actions under NIS2
  • Delayed incident escalation preventing timely national-level coordination and cross-sector threat intelligence sharing that could limit broader impact
  • Lack of pre-defined significance criteria causing ambiguity during incidents, leading to delayed determination of notification obligations
  • Unavailable or outdated contact information for CSIRT or competent authority preventing timely notification during actual incidents
  • Untrained incident response personnel failing to recognize notification triggers or execute reporting procedures under time pressure
  • Absence of secure, reliable communication channels causing notification delivery failures or unauthorized disclosure of sensitive incident details
  • Incomplete or inaccurate early warning reports causing regulatory non-compliance and reducing the value of shared threat intelligence to the national cybersecurity ecosystem

Testing procedure

How an auditor verifies this control

  1. Obtain and review the documented incident notification procedure including incident classification criteria defining 'significant incidents' under NIS2 Article 23, escalation workflows, roles and responsibilities, and notification timeline requirements.
  2. Verify the procedure contains current contact information for the designated CSIRT or competent national authority including primary and backup contacts, secure communication channels, and authentication mechanisms.
  3. Review the early warning notification template or form to confirm it includes all required data elements specified in NIS2 implementing regulations (incident description, affected services, technical indicators, estimated impact, preliminary assessment).
  4. Interview incident response personnel to assess their knowledge of significance criteria, notification triggers, escalation paths, and the 24-hour reporting obligation under Article 23.
  5. Examine records of incident response training sessions, tabletop exercises, or simulations conducted within the past 12 months that included practicing the early warning notification process to CSIRT or competent authority.
  6. Request evidence of successful test notifications or real incident notifications submitted to the CSIRT or competent authority, reviewing submission timestamps to verify adherence to the 24-hour requirement.
  7. Assess the availability and security of communication channels designated for incident reporting (secure portal, encrypted email, dedicated hotline) through access verification or connectivity testing.
  8. Review integration between incident detection/logging systems and the notification workflow to confirm automated alerting or workflow triggers support timely human decision-making and reporting within 24 hours.

Evidence required

The auditor collects the incident notification procedure document with version history, CSIRT/competent authority contact list with last verification date, completed early warning notification template, training attendance records and exercise after-action reports from the past 12 months, timestamps and confirmation receipts from test or actual notifications, screenshots or access logs demonstrating availability of secure communication channels, and configuration exports or workflow diagrams showing integration between incident detection systems and notification processes.

Pass criteria

The control passes if documented procedures clearly define significant incidents per NIS2 criteria, contain current CSIRT/competent authority contacts and secure communication channels, personnel demonstrate knowledge of the 24-hour notification requirement, and evidence from exercises or actual incidents confirms the organization can consistently execute early warning notifications within the mandated timeline.
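
Testing steps 3 and 6 can be run mechanically over exported notification records. The following Python check is an added example, not part of the original control text: the record keys (`aware_at`, `submitted_at`, `receipt_id` and the element names) and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Data elements named in testing step 3; the dictionary key names are assumptions.
REQUIRED_ELEMENTS = ("incident_description", "affected_services",
                     "technical_indicators", "estimated_impact",
                     "preliminary_assessment")
DEADLINE = timedelta(hours=24)  # early warning window, counted from incident awareness

def parse_ts(value):
    """Parse an ISO 8601 timestamp and normalise it to UTC; naive values are rejected."""
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError(f"{value!r} has no UTC offset")
    return ts.astimezone(timezone.utc)

def check_notification(record):
    """Return the audit findings for one notification record (empty list = pass)."""
    findings = []
    missing = [k for k in REQUIRED_ELEMENTS if not str(record.get(k) or "").strip()]
    if missing:
        findings.append("missing elements: " + ", ".join(missing))
    try:
        elapsed = parse_ts(record["submitted_at"]) - parse_ts(record["aware_at"])
    except (KeyError, ValueError) as exc:
        findings.append(f"timestamp evidence unusable: {exc}")
    else:
        if elapsed < timedelta(0):
            findings.append("submission precedes awareness")
        elif elapsed > DEADLINE:
            findings.append(f"late: submitted {elapsed} after awareness")
    if not record.get("receipt_id"):
        findings.append("no confirmation receipt")
    return findings

# Constructed sample evidence, not real incident data.
_BODY = {"incident_description": "File servers encrypted", "affected_services": "File sharing",
         "technical_indicators": ["constructed-indicator-1"], "estimated_impact": "Degraded",
         "preliminary_assessment": "Suspected malicious act"}
SAMPLES = [
    # 23h30 elapsed in UTC, although the local wall clocks suggest 25h30.
    {**_BODY, "aware_at": "2025-03-10T09:00:00+00:00",
     "submitted_at": "2025-03-11T10:30:00+02:00", "receipt_id": "R-1"},
    # 25h30 elapsed in UTC, although the local wall clocks suggest 23h30.
    {**_BODY, "aware_at": "2025-03-10T09:00:00+02:00",
     "submitted_at": "2025-03-11T08:30:00+00:00", "receipt_id": "R-2"},
    # Naive awareness timestamp, empty indicator list, no receipt.
    {**_BODY, "technical_indicators": [], "aware_at": "2025-03-10T09:00:00",
     "submitted_at": "2025-03-10T12:00:00+00:00"},
]
```

Rejecting timestamps without a UTC offset is deliberate: evidence recorded in mixed time zones can make a late submission look compliant, as the second sample shows.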