NIS2 Art.23.4a: Early Warning Notification (24 Hours)
What This Control Requires
For the purposes of the notification under paragraph 1, the entities concerned shall submit to the CSIRT or the competent authority: (a) without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.
In Plain Language
You have 24 hours from the moment you become aware of a significant incident to file an early warning with your CSIRT or competent authority. This is the first step in the NIS2 reporting timeline, and it does not need to be a comprehensive analysis - just the basic facts. The clock starts when your organisation recognises that an incident meeting the significance threshold has occurred or is in progress. That is not when the incident technically began, but when you first understood what was happening. This makes timely detection and assessment capabilities essential. Even with limited information, the early warning has a vital role. It lets CSIRTs spot emerging threats, coordinate cross-border responses, and warn other entities that might be affected. Speed matters more than completeness at this stage.
How to Implement
Design a streamlined early warning submission process that works under the pressure of an active incident. Keep bureaucratic overhead to a minimum - when things are on fire, your team needs a clear, fast path to submission. Prepare an early warning template capturing the essentials: date and time of awareness, brief incident description, whether a malicious or unlawful cause is suspected (yes/no/unknown), potential cross-border impact (yes/no/unknown), affected systems and services at a high level, and initial severity assessment. Designate a primary and backup contact authorised and trained to submit early warnings. These people need 24/7 availability, so set up an on-call rotation. Build the 24-hour deadline into your incident response procedures as a mandatory checkpoint. The incident commander should track this timeline from the moment awareness is established. Test the process regularly through exercises and drills, including off-hours, weekends, and holidays. A process nobody has practised is a process that will fail when it matters. Get connected to your CSIRT's reporting platform before anything happens. Most CSIRTs offer online portals, secure email, or API-based reporting. Test these channels and make sure your team knows how to use them. Record the exact time of incident awareness and early warning submission for every significant incident. This documentation is your proof of compliance with the 24-hour requirement.
Evidence Your Auditor Will Request
- Early warning template aligned with NIS2 requirements
- Defined roles and 24/7 contact information for early warning submission
- Documented process for establishing and recording time of incident awareness
- Records of actual early warning submissions with timestamps
- Exercise records demonstrating ability to meet 24-hour deadline
Common Mistakes
- Incident response team debates whether the incident is 'significant' and misses the 24-hour window
- No designated person authorised to submit early warnings, causing delays in approval chains
- CSIRT reporting platform access not set up in advance; first attempt during live incident
- Time of 'awareness' not documented, making it impossible to prove timely notification
- Early warning process not tested; team unfamiliar with submission procedure during real incident
Related Controls Across Frameworks
Frequently Asked Questions
When does the 24-hour clock start?
What if we are not sure the incident is significant within 24 hours?
Track NIS2 compliance in one place
AuditFront helps you manage every NIS2 control, collect evidence, and stay audit-ready.
Start Free Assessment