NIS2 Compliance Reporting
Meet Article 23 incident reporting deadlines with automated evidence
What NIS2 Requires
The NIS2 Directive (Directive (EU) 2022/2555) requires covered entities across 18 sectors to report significant incidents to their national CSIRT or competent authority within strict deadlines. DDoS attacks that cause service disruption typically meet the "significant incident" threshold.
Reporting Deadlines
| Report | Deadline | Content |
|---|---|---|
| Early Warning | 24 hours | Whether the incident is suspected malicious, whether it could have cross-border impact |
| Incident Notification | 72 hours | Initial assessment: severity, impact, IOCs, affected services, mitigation actions |
| Intermediate Report | On request | Status update with updated technical assessment and impact evaluation |
| Final Report | 1 month | Detailed description, root cause, mitigation measures, cross-border impact, lessons learned |
How Flowtriq Helps
Every field required by Article 23 is captured automatically the moment an incident is detected:
- Detection timestamp (starts the reporting clock)
- Attack classification (family, subtype, multi-vector)
- Peak traffic volumes (PPS and BPS, continuously updated)
- Source analysis (IP count, geographic distribution, spoofing indicators)
- Protocol breakdown (TCP/UDP/ICMP percentages)
- IOC matches (botnet signatures, payload patterns)
- Mitigation actions (firewall rules, BGP FlowSpec, scrubbing activations with timestamps)
- Duration and resolution time
Generating NIS2 Incident Reports
Flowtriq provides a free NIS2 Incident Report Generator that produces all four Article 23 notification stages. The tool generates structured templates with fields pre-mapped to what national CSIRTs expect.
Report Stages Generated
- Early Warning (24h) - Includes incident identification, suspected malicious intent, cross-border impact assessment, affected services, and current status
- Incident Notification (72h) - Adds severity assessment, technical details (attack vector, peak volume, source analysis, protocol breakdown), IOCs, and mitigation measures
- Intermediate Report - Status update with evolving technical assessment, updated impact, and mitigation effectiveness
- Final Report (1 month) - Complete description, root cause analysis, timeline of events, lessons learned, and long-term remediation
Using the Generator
Navigate to Tools → NIS2 Incident Report or visit flowtriq.com/tools/nis2-incident-report. Enter the incident details in the sidebar form. The tool generates all four reports in tabbed output. Click Copy to copy plain text or Download PDF to export a branded PDF with all stages.
24-Hour Early Warning Template
The early warning is the most time-critical report. It must be filed within 24 hours of becoming aware of the incident. The template includes:
- Incident reference number (NIS2-[STATE]-[YEAR]-[REF])
- Date/time of awareness (detection timestamp from Flowtriq)
- Whether the incident is suspected to be unlawful or malicious (auto-determined from DDoS classification)
- Potential cross-border impact (auto-assessed from source country analysis)
- Affected services and current status
- Contact information fields
Cross-Border Incident Flags
The generator automatically flags potential cross-border impact when:
- Attack sources originate from multiple countries (geographic diversity in source IPs)
- Source IP count exceeds 1,000 (high distribution across jurisdictions)
Cross-border incidents may require notification to multiple national CSIRTs. The tool provides the competent authority name for each EU member state (BSI for Germany, ANSSI for France, NCSC-NL for Netherlands, etc.).
National CSIRT Directory
The report generator includes a built-in directory of national CSIRTs across 16 EU/EEA member states:
| State | Authority |
|---|---|
| Germany | BSI (Bundesamt fur Sicherheit in der Informationstechnik) |
| France | ANSSI (Agence nationale de la securite des systemes d'information) |
| Netherlands | NCSC-NL (Nationaal Cyber Security Centrum) |
| Belgium | CCB (Centre for Cybersecurity Belgium) |
| Italy | ACN (Agenzia per la Cybersicurezza Nazionale) |
| Spain | CCN-CERT (Centro Criptologico Nacional) |
| Ireland | NCSC-IE (National Cyber Security Centre Ireland) |
| Poland | CSIRT GOV / CSIRT NASK |
| Czech Republic | NUKIB (National Cyber and Information Security Agency) |
Exporting for Regulatory Submission
Reports can be exported in two formats:
- Plain text (Copy button): Paste into your national CSIRT's submission portal or email
- PDF (Download PDF): Branded A4 document with all four stages, deadline countdown, and Flowtriq header. Each stage starts on a new page for clean separation.
The PDF includes a deadline bar showing the exact due dates for each stage based on your detection timestamp:
- 24h early warning due: [detection + 24h]
- 72h notification due: [detection + 72h]
- Final report due: [detection + 30 days]
Evidence Retention
NIS2's final report (due within 1 month) requires detailed evidence including logs, traffic analysis, and mitigation records. Flowtriq retains:
- Full incident timeline with all updates and status changes
- PCAP packet captures (when enabled) for forensic analysis
- Traffic velocity curves showing the attack profile over time
- Source IP analysis with per-IP confidence scores
- Mitigation log with timestamped rule deployments and withdrawals
- Audit trail of all user and system actions during the incident