Overview
NIS2 Article 23 imposes strict, time-boxed reporting obligations on essential and important entities: an early warning to the national CSIRT within 24 hours of detection, a full incident notification within 72 hours, and a final report within one month of resolution. Missing any deadline exposes the organization to supervisory action and potential fines under Art. 34 — and during an active incident, the reporting team is already stretched thin.
This skill handles the entire Art. 23 reporting lifecycle. It classifies whether an incident meets the significance threshold, tracks every deadline down to the hour, drafts each report type from structured templates, and validates completeness against the directive’s requirements before submission. The result is a set of CSIRT-ready notifications produced under pressure without guesswork about what the directive demands.
What It Covers
- Significance classification — evaluates operational disruption, financial loss, affected users, cross-border impact, and data breach status against Art. 23(3) criteria
- 24-hour early warning — nature of incident, suspected cause, cross-border flag, suspected malicious or unlawful act
- 72-hour incident notification — severity and impact assessment, indicators of compromise, initial scope
- One-month final report — detailed description, root cause analysis, mitigation measures, cross-border impact, lessons learned
- Deadline tracking — calculates all three deadlines from detection time, flags overdue items, shows remaining hours for pending reports
- Completeness validation — checks each drafted report against Art. 23(4) required elements before submission
Example Conversation
You: We detected a ransomware attack about 6 hours ago. It encrypted our customer database and has disrupted our cloud platform for roughly 2,000 users across Germany, the Netherlands, and Belgium. We need to get the early warning out to our CSIRT. Where do we start?
Agent: A ransomware attack with cross-border impact and 2,000 affected users — that almost certainly qualifies as significant under Art. 23(3). Let me confirm. Running incident_significance_classifier…
Classification: SIGNIFICANT (score: 14/16)
| Factor | Present | Detail |
|---|---|---|
| Operational disruption | Yes | Severity “severe” — significant service impact (Art. 23(3)(a)) |
| Financial loss | Yes | Estimated loss EUR 800,000 exceeds significance threshold |
| Affected users | Yes | 2,000 affected persons — capable of causing considerable damage (Art. 23(3)(b)) |
| Cross-border impact | Yes | Impact across three EU member states — may trigger multi-CSIRT notification |
| Personal data breach | Yes | Customer database encrypted — triggers GDPR Art. 33/34 obligations |
Recommendation: This incident must be reported to your national CSIRT or competent authority under NIS2 Art. 23.
The incident is clearly significant. Now let me check your timeline. Running timeline_validator…
Timeline Compliance Check
| Report | Deadline | Status |
|---|---|---|
| Early Warning (24h) | 2026-04-03 02:00 UTC | PENDING — 18h remaining |
| Incident Notification (72h) | 2026-04-05 02:00 UTC | PENDING — 66h remaining |
| Final Report (1 month) | 2026-05-02 08:00 UTC | PENDING — 30d remaining |
You have 18 hours remaining for the early warning. I’ll draft it now using the Art. 23(4)(a) template. I need a few details:
- Do you suspect a specific threat actor or attack vector (phishing, exploited vulnerability, supply chain)?
- Have you contained the attack or is it still spreading?
- Is law enforcement already notified?
You: Our IR team believes it entered through a phishing email with a malicious attachment targeting our finance team. We’ve isolated the affected database servers and blocked lateral movement, but we’re still assessing whether backups are clean. No law enforcement contact yet.
Agent: Thank you. I’m drafting the early warning now.
(Drafts output/NIS2-Early-Warning.md from the Art. 23(4)(a) template, covering: nature of incident, suspected phishing vector, cross-border impact flag for DE/NL/BE, and suspected criminal act indicator.)
Let me validate the draft. Running report_completeness_checker for early_warning…
Completeness Check — Early Warning
| Required Element | Status |
|---|---|
| Nature of incident | PASS |
| Cross-border impact assessment | PASS |
| Suspected malicious/unlawful act | PASS |
| Initial cause assessment | PASS |
RESULT: All required elements are present.
The early warning is ready for submission to your national CSIRT. I’ve also flagged that the personal data breach triggers a parallel GDPR Art. 33 notification to your supervisory authority within 72 hours. Shall I draft that as well, or should we focus on preparing the 72-hour incident notification next?
You: Let’s prepare the 72-hour notification now while the details are fresh.
Agent: Good idea. For the incident notification I need more detail on impact and indicators of compromise. Specifically:
- What is the severity assessment from your IR team — how many systems are affected?
- Do you have any IOCs (file hashes, IP addresses, ransom note identifiers)?
- What is the current scope — which services remain degraded?
(Conversation continues through the 72-hour notification and, after incident resolution, the final report.)
Sample Output Excerpt
Below is a representative excerpt from a generated early warning notification.
NIS2 Early Warning Notification — Art. 23(4)(a)
Reporting Entity: Acme Cloud Services GmbH (Essential Entity — Digital Infrastructure)
National CSIRT: BSI (Germany)
Incident Reference: NIS2-EW-2026-0402-001
Date of Detection: 2026-04-02 08:00 UTC
Date of Submission: 2026-04-02 14:30 UTC (within 24h deadline)
1. Nature of Incident
Ransomware attack resulting in encryption of the primary customer database (PostgreSQL cluster, 3 nodes) and disruption of the Acme Cloud Platform SaaS service. The attack rendered the customer-facing application unavailable and affected data integrity for stored customer records.
Incident type: Ransomware / Data integrity compromise
Services affected: Acme Cloud Platform (SaaS), customer data storage, API gateway
2. Cross-Border Impact Assessment
The incident affects users and operations in three EU member states:
| Member State | Affected Users | Impact |
|---|---|---|
| Germany (DE) | 1,200 | Primary operations — service fully disrupted |
| Netherlands (NL) | 520 | Service disrupted, data potentially compromised |
| Belgium (BE) | 280 | Service disrupted, data potentially compromised |
Cross-border notification to NL and BE CSIRTs is being coordinated through BSI.
3. Suspected Malicious or Unlawful Act
Yes — suspected criminal act. The incident bears characteristics of a targeted ransomware campaign. A ransom note was discovered on affected systems demanding payment in cryptocurrency. The attack is being treated as a criminal matter, and law enforcement notification is in progress.
4. Initial Cause Assessment
Preliminary analysis indicates the attack vector was a spear-phishing email with a malicious attachment targeting the finance department. The attachment exploited a document macro to deploy the initial payload, which then moved laterally to the database servers via compromised service account credentials.
Containment status: Affected database servers have been isolated. Lateral movement has been blocked. Backup integrity assessment is in progress.
Extension Tools
incident_significance_classifier
Determines whether a cybersecurity incident meets NIS2 Art. 23(3) significance criteria. Evaluates five weighted factors and returns SIGNIFICANT or NOT SIGNIFICANT with a numeric score and detailed rationale per factor.
| Parameter | Type | Required | Description |
|---|---|---|---|
| incident_description | string | Yes | Brief description of the incident |
| operational_disruption | enum | Yes | Level of disruption: none, minor, major, or severe |
| financial_loss_eur | number | No | Estimated financial loss in EUR — threshold is EUR 500,000 |
| affected_users | number | No | Number of affected users or customers — threshold is 1,000 |
| cross_border | boolean | Yes | Whether the incident has or may have cross-border impact |
| data_breach | boolean | Yes | Whether the incident involves a personal data breach |
Scoring model: Each factor carries a weight (0–5). The incident is classified as SIGNIFICANT when the total score reaches 5 or above (max 16). Factors flagged as present are marked [+] in the output; those below threshold are marked [-].
Use this tool first in every workflow to confirm the incident is reportable before drafting any notification.
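The scoring model described above, as an added Python example rather than the skill's own implementation. The page states only the threshold (5) and the maximum (16); the per-factor weights and the two-tier affected-users scale used here are assumptions, chosen so that the conversation's scenario scores 14/16.

```python
# Weights below are assumed for this example; the page gives only the
# significance threshold (5) and the maximum score (16).
DISRUPTION_POINTS = {"none": 0, "minor": 1, "major": 3, "severe": 5}
FINANCIAL_THRESHOLD_EUR = 500_000   # financial-loss threshold used by the tool
USERS_THRESHOLD = 1_000             # affected-users threshold used by the tool
SIGNIFICANCE_THRESHOLD = 5
MAX_SCORE = 16


def incident_significance_classifier(incident_description, operational_disruption,
                                     cross_border, data_breach,
                                     financial_loss_eur=None, affected_users=None):
    """Return verdict, total score and a per-factor rationale ([+] present, [-] below threshold)."""
    if operational_disruption not in DISRUPTION_POINTS:
        raise ValueError(f"operational_disruption must be one of {sorted(DISRUPTION_POINTS)}")
    factors = []

    def factor(name, points, detail):
        factors.append({"factor": name, "points": points,
                        "flag": "[+]" if points else "[-]", "detail": detail})

    factor("Operational disruption", DISRUPTION_POINTS[operational_disruption],
           f"Severity '{operational_disruption}' (Art. 23(3)(a))")
    loss = financial_loss_eur or 0
    factor("Financial loss", 3 if loss >= FINANCIAL_THRESHOLD_EUR else 0,
           f"Estimated loss EUR {loss:,.0f} vs threshold EUR {FINANCIAL_THRESHOLD_EUR:,}")
    users = affected_users or 0
    # Assumed tiers: 1,000+ users scores 2, 10,000+ scores 4.
    factor("Affected users", 4 if users >= 10 * USERS_THRESHOLD else 2 if users >= USERS_THRESHOLD else 0,
           f"{users:,} affected persons vs threshold {USERS_THRESHOLD:,} (Art. 23(3)(b))")
    factor("Cross-border impact", 2 if cross_border else 0,
           "Impact in more than one EU member state" if cross_border else "Single member state")
    factor("Personal data breach", 2 if data_breach else 0,
           "Triggers parallel GDPR Art. 33/34 obligations" if data_breach else "No personal data involved")

    score = sum(f["points"] for f in factors)
    verdict = "SIGNIFICANT" if score >= SIGNIFICANCE_THRESHOLD else "NOT SIGNIFICANT"
    return {"description": incident_description, "verdict": verdict,
            "score": score, "max_score": MAX_SCORE, "factors": factors}


if __name__ == "__main__":
    # Constructed input mirroring the example conversation above.
    result = incident_significance_classifier(
        "Ransomware encrypted customer DB, SaaS platform down", "severe",
        cross_border=True, data_breach=True, financial_loss_eur=800_000, affected_users=2_000)
    print(f"Classification: {result['verdict']} (score: {result['score']}/{result['max_score']})")
    for f in result["factors"]:
        print(f"  {f['flag']} {f['factor']}: {f['detail']}")
```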
timeline_validator
Calculates all three Art. 23 deadlines from the incident detection timestamp and checks whether each report has been submitted on time. Flags overdue items with exact hours/days overdue and shows remaining time for pending reports.
| Parameter | Type | Required | Description |
|---|---|---|---|
| incident_detected_at | string (ISO 8601) | Yes | When the incident was first detected |
| early_warning_sent_at | string (ISO 8601) | No | When the early warning was submitted |
| notification_sent_at | string (ISO 8601) | No | When the incident notification was submitted |
| final_report_sent_at | string (ISO 8601) | No | When the final report was submitted |
| incident_resolved_at | string (ISO 8601) | No | When the incident was resolved — shifts the final report deadline to one month after resolution |
Deadlines calculated: Early warning = detection + 24h. Incident notification = detection + 72h. Final report = resolution + 1 month (or detection + 1 month if unresolved). Each report shows ON TIME, OVERDUE, or PENDING with time remaining.
Use at the start of the workflow to understand deadline pressure and again before each submission to confirm compliance.
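The deadline arithmetic above, as an added Python example that is not the skill's own code. It assumes a calendar-month final-report deadline (day clamped to the target month's length) and reports hours remaining, with negative values meaning hours overdue; the timestamps in the main block are constructed.

```python
from datetime import datetime, timedelta
import calendar


def add_months(ts, months):
    """Calendar-month addition, clamping the day to the target month (31 Jan + 1 month -> 28 Feb)."""
    index = ts.month - 1 + months
    year, month = ts.year + index // 12, index % 12 + 1
    return ts.replace(year=year, month=month, day=min(ts.day, calendar.monthrange(year, month)[1]))


def parse_ts(value):
    """Parse an ISO 8601 timestamp; a trailing 'Z' is normalised to UTC. None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def art23_deadlines(incident_detected_at, incident_resolved_at=None):
    detected = parse_ts(incident_detected_at)
    # Final report runs one month from resolution, or from detection while unresolved.
    return {"early_warning": detected + timedelta(hours=24),
            "notification": detected + timedelta(hours=72),
            "final_report": add_months(parse_ts(incident_resolved_at) or detected, 1)}


def timeline_validator(incident_detected_at, now, early_warning_sent_at=None,
                       notification_sent_at=None, final_report_sent_at=None,
                       incident_resolved_at=None):
    """Per report: deadline, ON TIME / OVERDUE / PENDING, and hours left (negative = hours overdue)."""
    deadlines = art23_deadlines(incident_detected_at, incident_resolved_at)
    sent = {"early_warning": parse_ts(early_warning_sent_at),
            "notification": parse_ts(notification_sent_at),
            "final_report": parse_ts(final_report_sent_at)}
    now = parse_ts(now)
    result = {}
    for report, deadline in deadlines.items():
        if sent[report] is not None:       # submitted: judge against the deadline, not the clock
            status = "ON TIME" if sent[report] <= deadline else "OVERDUE"
            delta = deadline - sent[report]
        else:                              # not yet submitted: still pending or already missed
            status = "PENDING" if now <= deadline else "OVERDUE"
            delta = deadline - now
        result[report] = {"deadline": deadline.isoformat(), "status": status,
                          "hours": round(delta.total_seconds() / 3600, 1)}
    return result


if __name__ == "__main__":
    # Constructed timestamps: detection at 02:00 UTC, checked six hours later, as in the conversation.
    for name, row in timeline_validator("2026-04-02T02:00:00Z", now="2026-04-02T08:00:00Z").items():
        print(f"{name:<14} {row['deadline']}  {row['status']}  {row['hours']:+.1f}h")
```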
report_completeness_checker
Validates that a drafted NIS2 incident report contains all required content elements per Art. 23(4) for its report type. Returns a checklist with PASS or FAIL per required element.
| Parameter | Type | Required | Description |
|---|---|---|---|
| report_type | enum | Yes | early_warning, notification, or final_report |
| report_content | string | Yes | The full text content of the drafted report |
Required elements by report type:
| Report Type | Required Elements |
|---|---|
| Early warning | Nature of incident, cross-border impact assessment, suspected malicious/unlawful act, initial cause assessment |
| Notification | Severity assessment, impact assessment, indicators of compromise, initial scope |
| Final report | Detailed incident description, root cause analysis, mitigation measures, cross-border impact, lessons learned |
Use after drafting or editing any report to catch missing elements before submission.
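The completeness check, as an added Python example rather than the skill's own implementation. It assumes reports use numbered section headings like those in the sample output above and treats a heading with no body text as missing; the sample draft is constructed.

```python
import re

# Required elements per report type, as listed in the table above (matched against section headings).
REQUIRED_ELEMENTS = {
    "early_warning": ["nature of incident", "cross-border impact",
                      "suspected malicious", "initial cause"],
    "notification": ["severity assessment", "impact assessment",
                     "indicators of compromise", "initial scope"],
    "final_report": ["detailed incident description", "root cause analysis",
                     "mitigation measures", "cross-border impact", "lessons learned"],
}
HEADING = re.compile(r"^\s*\d+\.\s+(.+?)\s*$", re.M)   # numbered headings like "1. Nature of Incident"


def sections(report_content):
    """Map each lower-cased section heading to its body text."""
    parts = HEADING.split(report_content)  # [preamble, heading1, body1, heading2, body2, ...]
    return {parts[i].lower(): parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


def report_completeness_checker(report_type, report_content):
    """PASS/FAIL per required element; a heading with an empty body still fails."""
    if report_type not in REQUIRED_ELEMENTS:
        raise ValueError(f"report_type must be one of {sorted(REQUIRED_ELEMENTS)}")
    found = sections(report_content)
    checks = []
    for element in REQUIRED_ELEMENTS[report_type]:
        present = any(element in heading and body for heading, body in found.items())
        checks.append({"element": element, "status": "PASS" if present else "FAIL"})
    overall = "PASS" if all(c["status"] == "PASS" for c in checks) else "FAIL"
    return {"report_type": report_type, "checks": checks, "result": overall}


# Constructed draft that follows the headings of the sample early warning above.
SAMPLE_EARLY_WARNING = """NIS2 Early Warning Notification
1. Nature of Incident
Ransomware attack encrypting the primary customer database; SaaS platform unavailable.
2. Cross-Border Impact Assessment
Users affected in DE, NL and BE; notification to NL/BE CSIRTs coordinated via BSI.
3. Suspected Malicious or Unlawful Act
Yes. Ransom note found; treated as a criminal matter.
4. Initial Cause Assessment
Spear-phishing email with malicious attachment targeting the finance department.
"""

if __name__ == "__main__":
    for check in report_completeness_checker("early_warning", SAMPLE_EARLY_WARNING)["checks"]:
        print(f"{check['status']:<5} {check['element']}")
```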
Getting Started
Before activating the skill, gather the following incident details:
- Detection timestamp — exact date and time the incident was first detected (the entire timeline depends on this)
- Incident description — what happened, what type of attack or event, what systems are affected
- Impact assessment — estimated number of affected users, financial loss estimate, which services are disrupted
- Cross-border reach — whether the incident affects users, operations, or data in other EU member states
- Data breach status — whether personal data was compromised, accessed, or exfiltrated
- Containment status — what actions the incident response team has already taken
Install the NIS2 Incident Reporting skill from the skill library, then start a new session. Tell the agent what happened — the classification, timeline check, drafting, and validation flow from there. The agent will ask clarifying questions for any details it needs to complete the reports.
If the Organization Profile skill is already installed with your entity type, member state, and sector classification, the agent uses that context to tailor the notification (essential vs. important entity, correct national CSIRT, sector-specific considerations).