The bottom line: The NIS2 Directive requires operators of critical infrastructure as of 31 July 2024 to report security incidents to authorities within 24 hours.
The NIS2 Directive requires operators of critical infrastructure, starting 31 July 2024, to report cybersecurity incidents to the competent authorities within 24 hours. This is one of the core requirements of the revised EU Directive on Network and Information Security.
As of 31 July 2024, significant reporting obligations of the NIS2 Directive enter into force. Operators of systems necessary for maintaining critical infrastructure – including energy, transport, water, health, financial services and digital infrastructure – must report security incidents from now on within 24 hours of detection to the competent authority.
This reporting deadline replaces the previous longer timeframes and thereby sets a new standard in EU-wide cybersecurity governance. Large companies in other sectors that are classified as “important entities” are also affected. The report must contain material information about the incident and enables authorities to respond more quickly to threats and initiate coordinated defensive measures.
For CISOs, this represents a significant tightening of compliance requirements: incident response processes must be designed to ensure incident analysis and escalation within 24 hours. Organizations should review their detection, investigation and reporting workflows and ensure that coordination between incident response teams, legal departments and management supports this tighter timeframe.
Source: news.google.com · Published 7 July 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.