NIS2 incident notification
Log a significant cyber incident and OnTrackio computes the three NIS2 Article 23 deadlines for you — a 24-hour early warning, a 72-hour CSIRT notification, and a 30-day final report — then walks the incident through notify → file → close with a timestamp on every step. The incident register lives under Admin → Compliance → NIS2 incidents.
:::note Before you begin
- You have an admin role (admin, it-admin, or super-admin). The register sits in the admin console.
- Set your national CSIRT email in Settings → Compliance before you send a notification. Without it, OnTrackio blocks the send. Examples: Lithuania cert@nksc.lt, Germany cert-bund@bsi.bund.de.
- Outbound email must be working, since the notification is sent as a real email to the CSIRT address.
:::
This screen tracks and evidences your reporting deadlines — it does not decide whether an incident is reportable. Whether a given incident meets the NIS2 Article 23 "significant incident" threshold is your assessment to make. Log the ones that qualify.
How the deadlines work
The moment you save an incident, OnTrackio reads its detected at time and computes three fixed deadlines from it. You don't enter them; they're derived.
| Deadline | Computed as | Article 23 stage |
|---|---|---|
| Early warning | detected at + 24 hours | Initial early warning to the CSIRT |
| CSIRT notification | detected at + 72 hours | Incident notification |
| Final report | detected at + 30 days | Final report |
The detail page shows a Next NIS2 Article 23 deadline banner that surfaces whichever deadline is most urgent and still pending:
| State | Banner shows | Colour cue |
|---|---|---|
| Not yet notified, within 24h | Early warning (24h) countdown | Sky, or amber when 6 hours or fewer remain |
| Not yet notified, 24h passed | CSIRT notification (72h) countdown | Sky, or amber when 6 hours or fewer remain |
| Any pending deadline passed | The deadline marked OVERDUE | Rose |
| CSIRT notified, report pending | Final report (30 days) countdown | Sky, amber, or rose by urgency |
| Final report filed or closed | No banner — nothing is pending | — |
Detected at is the clock's start, so set it accurately. If detection happened earlier than you're logging the incident, enter the real detection time — every deadline shifts with it. Use Occurred at to record when the incident actually began, if that differs from detection.
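The deadline and banner rules above, as an added Python example (not OnTrackio's own code). The function names are hypothetical, and two readings are assumed: OVERDUE applies to the deadline the banner is currently showing, and the final-report countdown uses the same 6-hour amber threshold.

```python
from datetime import datetime, timedelta, timezone

# Offsets from the "Computed as" column of the deadline table.
OFFSETS = {
    "Early warning (24h)": timedelta(hours=24),
    "CSIRT notification (72h)": timedelta(hours=72),
    "Final report (30 days)": timedelta(days=30),
}
AMBER_WINDOW = timedelta(hours=6)  # "amber when 6 hours or fewer remain"


def deadlines(detected_at):
    """Derive the three Article 23 deadlines from the detection time."""
    if detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware")
    # Normalise to UTC: adding a timedelta to a local zone-aware time is
    # wall-clock arithmetic and can be an hour off across a DST change.
    start = detected_at.astimezone(timezone.utc)
    return {name: start + delta for name, delta in OFFSETS.items()}


def banner(detected_at, now, notified=False, report_filed=False):
    """Return (label, remaining, colour) for the pending deadline, or None."""
    if report_filed:
        return None  # final report filed or closed: nothing is pending
    due = deadlines(detected_at)
    if notified:
        label = "Final report (30 days)"
    elif now < due["Early warning (24h)"]:
        label = "Early warning (24h)"
    else:
        # Assumed reading: after 24h un-notified, the banner shows the 72h deadline.
        label = "CSIRT notification (72h)"
    remaining = due[label] - now
    if remaining <= timedelta(0):
        return (label + " OVERDUE", remaining, "rose")
    return (label, remaining, "amber" if remaining <= AMBER_WINDOW else "sky")


# Constructed sample incident: detected 2025-03-01 08:00 at UTC+2.
detected = datetime(2025, 3, 1, 8, 0, tzinfo=timezone(timedelta(hours=2)))
for hours in (1, 20, 30, 80):
    print(hours, banner(detected, detected + timedelta(hours=hours)))
```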
Step 1 — Log the incident
- Open Compliance → NIS2 incidents in the sidebar, then select Log incident.
- Complete the form. Required fields are marked below.
- Select Log incident & start timers.
OnTrackio saves the incident with status Open / under investigation, computes the three deadlines, and opens the detail page. A confirmation reminds you to send the CSIRT notification before the 72-hour deadline.
| Field | Required | Notes |
|---|---|---|
| Title | Yes | Up to 255 characters, e.g. Ransomware attack on file server FS-03. |
| Classification | Yes | One of Cyber attack, Service outage, Data breach, or Other significant incident. |
| Severity | Yes | One of Low, Medium, High, or Critical. |
| Detected at | No | Defaults to now. All three Article 23 deadlines compute from this moment. |
| Occurred at | No | When the incident actually started, if known. Must be on or before Detected at. |
| Narrative | Yes | Plain-language account, at least 20 characters. The CSIRT submission includes this verbatim. |
| Affected systems | No | Asset tags, hostnames, or service names that were impacted. |
| Impact assessment | No | User impact, data-loss or exfiltration scope, and business-continuity impact. |
Write the Narrative for the regulator, not for internal notes — it is sent to the CSIRT exactly as you enter it. Keep it factual and self-contained.
Step 2 — Notify the CSIRT
To send the Article 23 notification once the incident is logged:
- Open the incident from the register.
- In the deadline banner, select Send notification to CSIRT.
OnTrackio emails your configured national CSIRT address, sets the status to CSIRT notified, stamps the notification time, and records the recipient address. A copy is sent to your platform privacy contact and to your own email for your records. The action is written to the audit log as CSIRT notification sent (NIS2 Article 23).
The send is one-time and idempotent. Once an incident is notified, the button disappears and OnTrackio refuses to send a second notification for it. If the mail send fails, the incident state is left unchanged so you can fix the cause and retry — nothing is half-sent.
Step 3 — File the final report
The final-report form appears only after the CSIRT has been notified.
- Open the notified incident.
- In File final report, enter lessons learned (at least 20 characters): what you learned, what you changed, and what you'd do differently.
- Select File final report.
OnTrackio sets the status to Final report filed, stamps the filing time, and logs Final NIS2 Article 23 report filed. The incident stays visible in the register until you close it.
Step 4 — Close the incident
The close action appears only after the final report is filed.
- Open the incident.
- In Close incident, select Mark closed.
The status becomes Closed, the close time is stamped, and Incident closed is written to the audit log. Closed incidents remain in the register as evidence.
Status lifecycle
An incident moves through four statuses in order. Each transition is gated, so you can't skip a step.
| Status | Meaning | How it's reached |
|---|---|---|
| Open / under investigation | Logged; timers running | Set automatically when you log the incident |
| CSIRT notified | Article 23 notification sent | Send notification to CSIRT |
| Final report filed | Lessons learned recorded | File final report (requires notified) |
| Closed | No further obligation | Mark closed (requires final report filed) |
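The gating in this table, together with the one-time send from Step 2, modelled as an added Python example. It is not OnTrackio's implementation; the class, the method names and the send_mail callback are hypothetical.

```python
from datetime import datetime, timezone
from enum import Enum


class Status(Enum):
    OPEN = "Open / under investigation"
    NOTIFIED = "CSIRT notified"
    REPORT_FILED = "Final report filed"
    CLOSED = "Closed"


class Incident:
    """Hypothetical model of the gated lifecycle (names are assumptions)."""

    def __init__(self):
        self.status = Status.OPEN
        self.stamps = {}      # status -> UTC time it was reached
        self.audit = []       # audit-log messages as quoted on this page
        self.recipient = None

    def _advance(self, required, new, message):
        # Gate: each status can only be reached from the one before it.
        if self.status is not required:
            raise ValueError(f"{new.value!r} requires {required.value!r}")
        self.status = new
        self.stamps[new] = datetime.now(timezone.utc)
        self.audit.append(message)

    def notify_csirt(self, csirt_email, send_mail):
        if not csirt_email:
            raise ValueError("CSIRT email is not set")
        if self.status is not Status.OPEN:
            raise ValueError("notification already sent")  # one-time send
        send_mail(csirt_email)  # raises on failure, before any state change
        self._advance(Status.OPEN, Status.NOTIFIED,
                      "CSIRT notification sent (NIS2 Article 23)")
        self.recipient = csirt_email

    def file_final_report(self, lessons):
        if len(lessons) < 20:
            raise ValueError("lessons learned needs at least 20 characters")
        self._advance(Status.NOTIFIED, Status.REPORT_FILED,
                      "Final NIS2 Article 23 report filed")

    def close(self):
        self._advance(Status.REPORT_FILED, Status.CLOSED, "Incident closed")
```

Because the mail call runs before any field is touched, a failed send leaves the incident in Open / under investigation and the retry goes through the same path.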
Track deadlines across the register
The register lists incidents newest-first by detection time and shows each one's Next deadline at a glance — the countdown in hours, or OVERDUE in red once a pending deadline has passed. Filter the list with the status chips above the table (All, Open / under investigation, CSIRT notified, Final report filed, Closed) to focus on incidents that still need action.
Verify
- After logging, the detail page shows the three computed deadlines (24h, 72h, 30d) under Article 23 timeline, derived from Detected at.
- After notifying, the status badge reads CSIRT notified, the timeline shows CSIRT notified at with the recipient address, and the audit log carries CSIRT notification sent (NIS2 Article 23).
- After filing, the status reads Final report filed and the Close incident card appears.
Troubleshooting
| Symptom | What to do |
|---|---|
| Send notification to CSIRT returns an error about the email address | No CSIRT email is set. Add your national CSIRT address in Settings → Compliance, then retry. |
| The banner warns the CSIRT email isn't set | Same fix — set compliance.csirt_email in Settings → Compliance. The notification button stays blocked until it's a valid address. |
| The send failed with a mail error | The incident state is unchanged. Resolve the mail problem and select Send notification to CSIRT again. |
| The notify button is gone | The incident is already notified. OnTrackio sends only one notification per incident; check CSIRT notified at on the timeline. |
| No File final report card | The card appears only after the CSIRT has been notified. Send the notification first. |
| A deadline shows OVERDUE | The pending deadline has passed. Complete the outstanding step now; the overdue marker is part of the evidence trail and stays in the record. |
| You can't reach the NIS2 incidents page | The register requires an admin role and an active subscription. If your network uses an IP allowlist, confirm you're on an allowed address. |