
NIS2 Art.23.11: Incident Reporting Procedures and Technical Means

What This Control Requires

The Commission may adopt implementing acts further specifying the type of information, the format and the procedure of a notification submitted pursuant to paragraph 1, and of a communication submitted pursuant to paragraph 2. The Commission shall adopt, by 17 October 2024, implementing acts in respect of the types of entities for which the notification requirements set out in this Article apply.

In Plain Language

Meeting incident reporting deadlines is only half the battle - you also need to report in the right format, through the right channels, with the right information. The European Commission can (and will) specify exactly what data, format, and procedure your notifications must follow through implementing acts.

Your organisation needs the technical infrastructure to comply with whatever specific requirements emerge. That means portal access, secure communication channels, the ability to produce structured data formats like STIX/TAXII if required, and enough automation to populate reports quickly under pressure.

Just as importantly, your internal procedures need to match the required workflows. Clear roles, pre-approved templates, secure comms tools, and tested processes are what turn a 24-hour deadline from a panic into a routine operation.

How to Implement

Keep a close eye on NIS2 implementing acts as they are published. Track requirements from the European Commission, ENISA guidance, your national competent authority, and any sector-specific regulators.

Set up the technical infrastructure for reporting. At minimum, this means access to your national CSIRT's reporting portal, secure email capabilities (S/MIME or PGP), structured formats and exchange mechanisms for incident information (be ready for STIX, TAXII, or IODEF), automated data collection from your security tools to pre-populate notification fields, and a document management approach for keeping notification records.

Create and maintain notification templates that meet the specified format requirements. Version-control them and update whenever regulatory requirements change. Every mandatory data field should be present, with clear guidance on how to complete each one.

Build a notification workflow that covers the full lifecycle: incident detection triggers the process, deadlines are automatically calculated and tracked, templates are pre-populated with available data, review and approval happen within defined SLAs, submission goes through approved channels, acknowledgements are tracked, and follow-up updates are managed.

Test the whole chain regularly. Run end-to-end drills from incident detection through to notification submission and verify you can hit the required timelines using your actual tools and procedures.

Maintain a complete audit trail: drafts, approvals, submission confirmations, and CSIRT responses. If a regulator asks whether you reported on time, you want to show them the evidence immediately.

Plan for failure. If your primary reporting channel goes down (portal outage, for instance), have a backup method ready - phone, encrypted email, whatever your CSIRT accepts. Technical problems are not an acceptable excuse for late notification.
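As an added illustration of the workflow described above (example code, not the page's or AuditFront's own), a minimal Python model of a single notification record: the deadline is computed from the time the entity became aware of the incident, approval is refused until every mandatory field is filled, submission is only possible after approval, and each step is appended to an audit trail. The stage deadlines are assumed here from NIS2 Art. 23(4) and the mandatory field names are a constructed placeholder; the real schema comes from the implementing acts and your CSIRT's form.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Deadlines run from the moment the entity becomes aware of the incident.
# Assumed here from NIS2 Art. 23(4): early warning 24 h, incident notification
# 72 h, final report one month (the page itself names only the 24-hour one).
STAGES = {
    "early_warning": timedelta(hours=24),
    "incident_notification": timedelta(hours=72),
    "final_report": timedelta(days=30),
}
# Constructed placeholder; the real field list comes from the implementing acts.
MANDATORY_FIELDS = ("entity_name", "incident_summary", "cross_border_impact")

@dataclass
class Notification:
    stage: str
    aware_at: datetime
    fields: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (iso timestamp, event, detail)

    def deadline(self) -> datetime:
        return self.aware_at + STAGES[self.stage]

    def missing_fields(self) -> list:
        return [f for f in MANDATORY_FIELDS if not self.fields.get(f)]

    def approve(self, approver: str, at: datetime) -> None:
        # Approval is refused while the template is incomplete.
        if self.missing_fields():
            raise ValueError(f"missing fields: {self.missing_fields()}")
        self.audit.append((at.isoformat(), "approved", approver))

    def submit(self, channel: str, at: datetime) -> bool:
        # Record the submission and return whether it met the deadline.
        if not any(e[1] == "approved" for e in self.audit):
            raise ValueError("submission requires prior approval")
        on_time = at <= self.deadline()
        self.audit.append((at.isoformat(), "submitted", f"{channel} on_time={on_time}"))
        return on_time

def example_run() -> tuple:
    # Constructed scenario: aware at 10:00 UTC, portal down, fallback channel at +22 h.
    aware = datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc)
    n = Notification("early_warning", aware, {"entity_name": "Example Hospital",
        "incident_summary": "ransomware on EHR", "cross_border_impact": "no"})
    n.approve("ciso", aware + timedelta(hours=20))
    on_time = n.submit("encrypted email (portal outage)", aware + timedelta(hours=22))
    return on_time, n.deadline().isoformat(), [e[1] for e in n.audit]
```

The audit list is what you would hand a regulator asking whether the early warning went out on time; in practice it should be written to append-only storage rather than kept in memory.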

Evidence Your Auditor Will Request

  • Technical infrastructure for incident reporting (portal access, secure channels)
  • Notification templates compliant with implementing act requirements
  • Notification workflow documentation with roles and SLAs
  • End-to-end test records for reporting procedures
  • Complete audit trail of all notifications submitted

Common Mistakes

  • Reporting procedures not updated when implementing acts specify new requirements
  • No redundant reporting channels; portal outage prevents timely notification
  • Notification templates do not include all mandatory data fields
  • No end-to-end testing of the reporting process
  • Audit trail is incomplete; unable to demonstrate compliance with timelines

Related Controls Across Frameworks

Framework   Control ID   Relationship
ISO 27001   A.5.24       Related
SOC 2       CC7.3        Related

Frequently Asked Questions

What format should incident notifications be in?
It depends on the implementing acts and your national requirements. Most CSIRTs currently accept structured web forms through their portals and encrypted email. Check with your national CSIRT for their preferred format, and be ready to adopt standardised formats like IODEF or STIX if future implementing acts require them.

Do we need to automate incident reporting?
Full automation is not required yet, but semi-automation is strongly recommended. Automatically pulling data from security tools into notification templates, tracking deadlines, and sending reminders will save critical time during an incident. As reporting requirements mature, greater automation will likely become a practical necessity.
