NIS2 Art.23.4c: Intermediate Report on CSIRT Request
What This Control Requires
For the purposes of the notification under paragraph 1, the entities concerned shall submit to the CSIRT or the competent authority: (c) upon the request of the CSIRT or the competent authority, an intermediate report on relevant status updates.
In Plain Language
Between the 72-hour notification and the one-month final report, your CSIRT or competent authority can ask for status updates at any time. Unlike the fixed-deadline reports, this one is demand-driven - you produce it when they ask for it. Expect requests when incidents are complex, long-running, or have cross-border implications. The CSIRT may want updates as new information emerges, the situation escalates, cross-entity coordination is needed, or they need to assess whether additional support is required. Treat these requests as high priority. Failing to respond promptly looks like non-cooperation with supervisory activities, which carries its own enforcement consequences under Articles 32-34 of NIS2. Your ability to produce timely, accurate intermediate reports is a direct reflection of how mature your incident management processes really are.
How to Implement
Prepare an intermediate report template that can be filled in quickly with current incident data. Cover current status (contained, ongoing, escalating), updated severity and impact assessment, new indicators of compromise since the last report, remediation actions and their effectiveness, revised resolution and recovery timeline, any changes to the scope of affected systems or data, cross-border or cascading effects, and resources deployed. Set up a rapid-response process for CSIRT requests. Designate someone to monitor CSIRT communications and mobilise the IR team to compile the required information. Set an internal target of four to eight hours from request to delivery. Keep a continuously updated incident log capturing all significant developments, decisions, and actions throughout the incident. This becomes your primary data source for intermediate reports and means you are not reconstructing events from memory under pressure. Connect your incident tracking to your SIEM, ticketing, and forensic tools. Being able to extract technical data - IoCs, affected systems, containment status - programmatically rather than manually makes a huge difference to report turnaround time. Run exercises that include simulated CSIRT requests for intermediate reports. Test whether the team can produce accurate, comprehensive updates under time pressure and identify process gaps before a real incident forces you to find them. Review every intermediate report for accuracy and appropriate classification before submission. Flag preliminary or unconfirmed information clearly, and separate confirmed facts from assessments based on incomplete data.
Evidence Your Auditor Will Request
- Intermediate report template aligned with CSIRT/authority requirements
- Internal process documentation for handling CSIRT report requests
- Incident log procedures showing continuous status tracking
- Records of intermediate reports submitted in response to authority requests
- Exercise records demonstrating intermediate reporting capability
Common Mistakes
- No process for handling ad-hoc CSIRT report requests; team scrambles to compile information
- Incident log not maintained in real-time, leading to inaccurate or incomplete intermediate reports
- Intermediate reports are copy-pastes of previous notifications without meaningful updates
- Response time to CSIRT requests is too slow due to unclear internal responsibilities
- No designated contact monitors CSIRT communications, causing delayed awareness of requests
Related Controls Across Frameworks
Frequently Asked Questions
How quickly must we respond to a CSIRT intermediate report request?
Can we refuse an intermediate report request if it is burdensome during active incident response?
Track NIS2 compliance in one place
AuditFront helps you manage every NIS2 control, collect evidence, and stay audit-ready.
Start Free Assessment