Detection, Mitigation & Response

Detect and mitigate DDoS attacks in under 1 second, respond automatically, and keep your users informed.

All features →
Docs
Documentation Quick Start API Reference Agent Setup Integrations 18
Learn
Free Tools 37 Free Certifications State of DDoS 2026 REPORT DDoS Protection Landscape Buyer's Guide PDF Hackathon Sponsorships DDoS Protection Facts
Company
About Us Become a Consultant 30% Partners White Label Managed Protection Contact Us System Status
Open Source
ftagent-lite MIT NetHawk MIT
Legal
Security Trust Center Terms & Privacy
Who Uses Flowtriq

From indie hosts to ISPs, see how teams like yours use Flowtriq to detect and stop DDoS attacks.

All use cases →

NIS2 Compliance Reporting

Meet Article 23 incident reporting deadlines with automated evidence

What NIS2 Requires

The NIS2 Directive (Directive (EU) 2022/2555) requires covered entities across 18 sectors to report significant incidents to their national CSIRT or competent authority within strict deadlines. DDoS attacks that cause service disruption typically meet the "significant incident" threshold.

Reporting Deadlines

ReportDeadlineContent
Early Warning24 hoursWhether the incident is suspected malicious, whether it could have cross-border impact
Incident Notification72 hoursInitial assessment: severity, impact, IOCs, affected services, mitigation actions
Intermediate ReportOn requestStatus update with updated technical assessment and impact evaluation
Final Report1 monthDetailed description, root cause, mitigation measures, cross-border impact, lessons learned

How Flowtriq Helps

Every field required by Article 23 is captured automatically the moment an incident is detected:

  • Detection timestamp (starts the reporting clock)
  • Attack classification (family, subtype, multi-vector)
  • Peak traffic volumes (PPS and BPS, continuously updated)
  • Source analysis (IP count, geographic distribution, spoofing indicators)
  • Protocol breakdown (TCP/UDP/ICMP percentages)
  • IOC matches (botnet signatures, payload patterns)
  • Mitigation actions (firewall rules, BGP FlowSpec, scrubbing activations with timestamps)
  • Duration and resolution time

Generating NIS2 Incident Reports

Flowtriq provides a free NIS2 Incident Report Generator that produces all four Article 23 notification stages. The tool generates structured templates with fields pre-mapped to what national CSIRTs expect.

Report Stages Generated

  1. Early Warning (24h) - Includes incident identification, suspected malicious intent, cross-border impact assessment, affected services, and current status
  2. Incident Notification (72h) - Adds severity assessment, technical details (attack vector, peak volume, source analysis, protocol breakdown), IOCs, and mitigation measures
  3. Intermediate Report - Status update with evolving technical assessment, updated impact, and mitigation effectiveness
  4. Final Report (1 month) - Complete description, root cause analysis, timeline of events, lessons learned, and long-term remediation

Using the Generator

Navigate to Tools → NIS2 Incident Report or visit flowtriq.com/tools/nis2-incident-report. Enter the incident details in the sidebar form. The tool generates all four reports in tabbed output. Click Copy to copy plain text or Download PDF to export a branded PDF with all stages.

24-Hour Early Warning Template

The early warning is the most time-critical report. It must be filed within 24 hours of becoming aware of the incident. The template includes:

  • Incident reference number (NIS2-[STATE]-[YEAR]-[REF])
  • Date/time of awareness (detection timestamp from Flowtriq)
  • Whether the incident is suspected to be unlawful or malicious (auto-determined from DDoS classification)
  • Potential cross-border impact (auto-assessed from source country analysis)
  • Affected services and current status
  • Contact information fields

Cross-Border Incident Flags

The generator automatically flags potential cross-border impact when:

  • Attack sources originate from multiple countries (geographic diversity in source IPs)
  • Source IP count exceeds 1,000 (high distribution across jurisdictions)

Cross-border incidents may require notification to multiple national CSIRTs. The tool provides the competent authority name for each EU member state (BSI for Germany, ANSSI for France, NCSC-NL for Netherlands, etc.).

National CSIRT Directory

The report generator includes a built-in directory of national CSIRTs across 16 EU/EEA member states:

StateAuthority
GermanyBSI (Bundesamt fur Sicherheit in der Informationstechnik)
FranceANSSI (Agence nationale de la securite des systemes d'information)
NetherlandsNCSC-NL (Nationaal Cyber Security Centrum)
BelgiumCCB (Centre for Cybersecurity Belgium)
ItalyACN (Agenzia per la Cybersicurezza Nazionale)
SpainCCN-CERT (Centro Criptologico Nacional)
IrelandNCSC-IE (National Cyber Security Centre Ireland)
PolandCSIRT GOV / CSIRT NASK
Czech RepublicNUKIB (National Cyber and Information Security Agency)

Exporting for Regulatory Submission

Reports can be exported in two formats:

  • Plain text (Copy button): Paste into your national CSIRT's submission portal or email
  • PDF (Download PDF): Branded A4 document with all four stages, deadline countdown, and Flowtriq header. Each stage starts on a new page for clean separation.

The PDF includes a deadline bar showing the exact due dates for each stage based on your detection timestamp:

  • 24h early warning due: [detection + 24h]
  • 72h notification due: [detection + 72h]
  • Final report due: [detection + 30 days]

Evidence Retention

NIS2's final report (due within 1 month) requires detailed evidence including logs, traffic analysis, and mitigation records. Flowtriq retains:

  • Full incident timeline with all updates and status changes
  • PCAP packet captures (when enabled) for forensic analysis
  • Traffic velocity curves showing the attack profile over time
  • Source IP analysis with per-IP confidence scores
  • Mitigation log with timestamped rule deployments and withdrawals
  • Audit trail of all user and system actions during the incident
Important: This tool generates reporting templates based on your inputs. It does not constitute legal advice. NIS2 obligations depend on national transposition law in each EU member state. Always verify the submission format and requirements with your national CSIRT or competent authority before filing.
ESC