EU NIS2 Significant Incident Notification
Detects NIS2 Article 23 significant-incident notifications from essential and important entities — the 24-hour early warning, 72-hour incident notification, intermediate report, final report, and progress report submitted to the CSIRT or competent authority. These filings contain live compromise details, indicators of compromise, and impact assessments; disclosure aids attackers and breaches supervisory confidentiality.
- Type
- keyword_proximity
- Engine
- universal
- Confidence
- medium
- Confidence justification
- Medium confidence: honest topic matcher. 'Significant incident' is the Article 23 defined trigger term and the only primary; the stage names 'early warning' and 'incident notification' are ubiquitous outside NIS2 (meteorology, PagerDuty-style ops tooling) so they corroborate but never fire alone. 'Significant incident' still occurs in generic incident-management prose at the 75/65 tiers; the 85 tier, which requires NIS2-specific vocabulary (CSIRT, Directive (EU) 2022/2555, severe operational disruption, indicators of compromise), approaches document-class precision.
- Jurisdictions
- eu
- Regulations
- Directive (EU) 2022/2555 (NIS2)
- Frameworks
- ISO 27001
- Data categories
- security, governance
- Scope
- wide
- Risk rating
- 8
Pattern
(?i)\bsignificant\s+incident\b
Corroborative evidence keywords
CSIRT, computer security incident response team, competent authority, Directive (EU) 2022/2555, NIS2, NIS 2, severe operational disruption, indicators of compromise, cross-border impact, early warning, incident notification, intermediate report, final report, progress report, essential entity, important entity, without undue delay, SCADA, [object Object], [object Object] (+19 more)
Proximity: 300 characters
Should match
EARLY WARNING — significant incident under Article 23(4)(a) of Directive (EU) 2022/2555 (NIS2). Submitted to the national CSIRT within 24 hours of becoming aware of the significant incident. Entity: GridWorks Energy AS — essential entity, energy sector. Suspected cause: unlawful or malicious acts (ransomware deployment on the SCADA historian). Cross-border impact: possible — interconnector scheduling systems degraded.— 24-hour early warning to the national CSIRT from an essential entityIncident notification — significant incident ref NIS-2026-0118, updating the early warning of 05/07/2026. Initial assessment: severity high; severe operational disruption of DNS resolution services affecting approximately 214,000 recipients of services. Indicators of compromise attached for CSIRT correlation. Submitted within 72 hours of becoming aware.— 72-hour incident notification with severity assessment and IoCsFinal report to the competent authority under Article 23(4)(d) of Directive (EU) 2022/2555: detailed description of the significant incident, including its severity and impact; the type of threat and root cause that triggered the incident (compromised supplier VPN account); applied and ongoing mitigation measures; assessment of cross-border impact with the Baltic CSIRTs network.— One-month final report with root cause and mitigation measures
Should not match
Law-firm newsletter: NIS2 is here — essential and important entities must file an early warning of a significant incident within 24 hours and an incident notification within 72 hours. Contact our cyber practice for a readiness explainer.— Law-firm newsletter summarising Article 23 deadlinesVendor webinar: automate your NIS2 incident notification workflow and never miss the 24-hour early warning deadline again. Demo of our compliance dashboard included.— Vendor webinar marketing an incident-reporting productThe university's incident-response course tutorial has students draft a mock early warning and a sample incident notification for a fictional significant incident at a water utility.— Academic tutorial with mock notification exercise
Known false positives
- Generic incident-management, emergency-management, and meteorological content using 'early warning', 'incident notification', or 'significant incident' Mitigation: 'Early warning' and 'incident notification' are corroborative-only and never fire alone at any tier. 'Significant incident' remains a genuine collision at the 75 and 65 tiers (generic incident-management prose without noise terms); the 85 tier requires NIS2-specific vocabulary (CSIRT, Directive (EU) 2022/2555, severe operational disruption) in proximity
- News, law-firm alerts, and vendor marketing about NIS2 reporting obligations Mitigation: Negative keyword exclusion: 'newsletter', 'webinar', 'explainer', 'press release', 'blog post'. Advisory content reuses the directive's vocabulary; residual matches are expected for a topic classifier.
- Collision with DORA Article 19 incident reports and national CSIRT advisories that share report-stage vocabulary Mitigation: DORA documents anchor on 'major ICT-related incident'; NIS2 notifications anchor on 'significant incident' and CSIRT terms — overlap is acknowledged and both classes are typically sensitive
- Training exercises and tabletop scenarios drafting mock notifications Mitigation: Shared template-exclusion dictionary (mock, sample, tutorial, training exercise) as NOT evidence on every tier