---
title: "NIS2 Article 25: Incident Notification"
description: "NIS2 Article 25 explained: incident notification obligations, timelines (24h early warning, 72h report), and CSIRT communication requirements."
canonical: https://www.aegister.com/en/cms/insights/nis2-article-25-incident-notification/
url: /en/cms/insights/nis2-article-25-incident-notification/
lang: en
---

![](/static/images/header-contact.webp)

# NIS2 Article 25 in Practice: Incident Notification Obligations and Operating Timeline

---

![NIS2 Article 25 in Practice: Incident Notification Obligations and Operating Timeline](/static/images/cms/nis2-requisiti-di-base.webp)

## NIS2 Article 25 in Practice: Incident Notification Obligations and Operating Timeline

January 29, 2026

[NIS2](/en/cms/keyword/nis2/)
[ACN](/en/cms/keyword/acn/)
[compliance](/en/cms/keyword/compliance/)
[cybersecurity](/en/cms/keyword/cybersecurity/)
+6

Article 25 of Legislative Decree 138/2024 requires NIS entities to notify significant incidents to CSIRT Italia. The operating model should combine incident qualification, notification timing, and assigned accountability, with a documented process that can be executed under pressure.

Sources: [Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG), [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt), [NIS baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)

## Key takeaways

- Article 25 applies to significant incidents as defined in the NIS baseline framework.
- Notification timing is structured: pre-notification within 24 hours and notification within 72 hours from awareness of the significant incident.
- Follow-up reporting includes intermediate updates (on request), final report, and monthly progress updates when final closure is not yet possible.
- The CSIRT contact role should be formally designated with named substitutes and clear procedures.

Sources: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt), [Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG)

## Notification sequence to operationalize

### 1. Qualification and evidence of significant incident

The organization should identify whether the incident meets the baseline significant-incident criteria and record the point of awareness used to start timing obligations.

### 2. Pre-notification within 24 hours

Without undue delay and in any case within 24 hours from awareness, the entity transmits the pre-notification through the official channel.

### 3. Notification within 72 hours

Without undue delay and in any case within 72 hours from awareness, the entity transmits the incident notification with initial assessment details and updates to the pre-notification information.

### 4. Intermediate and final reporting

On CSIRT request, the entity provides intermediate reporting. A final report is due within one month from the notification; if incident handling is still open, monthly progress reporting applies and final reporting is due within one month from closure.

Sources: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt), [Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG)

## Roles and evidence requirements

| Element | Practical requirement | Typical evidence |
| --- | --- | --- |
| CSIRT interface accountability | Designated CSIRT contact and substitutes | Formal appointment records, role matrix |
| Notification procedure | Documented flow for 24h/72h and follow-up obligations | Incident notification SOP, escalation procedure |
| Traceable timing | Recorded timestamps from awareness to submissions | Incident logs, ticket timeline, transmission records |
| Governance oversight | Management visibility on notifiable incidents and reporting status | Management briefings, decision records |

Sources: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt), [NIS baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)

## 90-day execution checklist

1. Formalize CSIRT contact governance, including backup roles and availability model.
2. Validate incident classification criteria for significant incidents against baseline definitions.
3. Test a 24h/72h notification drill with legal, cyber, and operations stakeholders.
4. Ensure tooling captures awareness timestamp and notification evidence end-to-end.
5. Align incident-response procedure with mandatory follow-up reporting obligations.

## FAQ

### Does notification require full root-cause analysis before 24h/72h submissions?

No. The sequence is time-based from awareness of a significant incident. Initial submissions can be updated as investigation progresses. Source: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt)

### Who is expected to submit notifications to CSIRT Italia?

The designated CSIRT contact role is responsible for interfacing with CSIRT Italia and handling mandatory notifications, with substitutes where defined. Source: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt)

### If the incident is not closed within one month, what changes?

The entity submits monthly progress reporting and then sends the final report within one month from incident management closure. Source: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt)

### Related guides in this series

- [incident typology model](/en/cms/insights/nis2-incident-typology-model/)
- [confidentiality loss incidents](/en/cms/insights/nis2-significant-incident-is-1-confidentiality-loss/)
- [integrity loss incidents](/en/cms/insights/nis2-significant-incident-is-2-integrity-loss/)
- [service level violations](/en/cms/insights/nis2-significant-incident-is-3-service-level-violation/)
- [point of contact and CSIRT accountability](/en/cms/insights/nis2-point-of-contact-csirt-role-accountability/)

## Related reading

- [NIS2 baseline obligations in practice: master overview for governance, controls, and incident operations](/en/cms/insights/nis2-baseline-obligations-master-overview/)
- [NIS2 incident-notification obligations are live: operating model after the 9-month deadline](/en/cms/insights/nis2-incident-notification-live-operating-model/)
- [NIS2 Response Controls (RS): Signaling and Investigation Operating Model](/en/cms/insights/nis2-response-rs-signaling-investigation/)
- [Aegister NIS2 Compliance Service](/en/solutions/compliance/nis2/)

## Official sources

- [Gazzetta Ufficiale - Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG)
- [ACN - Incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt)
- [ACN - Guide to reading baseline specifications](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)

Share this post

## Related News

[![ACN NIS 2026 Platform Rules and New Deadlines: Master Overview](/static/images/cms/nis2-basic-measures-acn.webp)](/en/cms/insights/nis-acn-platform-2026-new-deadlines-overview/)

[ACN NIS 2026 Platform Rules and New Deadlines: Master Overview](/en/cms/insights/nis-acn-platform-2026-new-deadlines-overview/)

[ACN's April 2026 package sets new NIS deadlines for subjects listed for the first time in 2026 (incident notification from 1 January 2027, baseline measures by 31 July 2027) and updates the platform operating rules for registration, annual and continuous updates, relevant suppliers, and categorization.](/en/cms/insights/nis-acn-platform-2026-new-deadlines-overview/)

[NIS2](/en/cms/keyword/nis2/)
[ACN](/en/cms/keyword/acn/)
+8

[![NIS2 baseline obligations in practice: master overview for governance, controls, and incident operations](/static/images/cms/nis2-requisiti-di-base.webp)](/en/cms/insights/nis2-baseline-obligations-master-overview/)

[NIS2 baseline obligations in practice: master overview for governance, controls, and incident operations](/en/cms/insights/nis2-baseline-obligations-master-overview/)

[A structured operational overview of Italy’s NIS2 baseline obligations: governance (Art. 23), risk management (Art. 24), and incident notification (Art. 25). Incident notification is already live; baseline measures are due by October 2026.](/en/cms/insights/nis2-baseline-obligations-master-overview/)

[NIS2](/en/cms/keyword/nis2/)
[October 2026](/en/cms/keyword/october-2026/)
+8

[![New NIS Subjects in 2026: Incident-Notification and Baseline-Measure Deadlines](/static/images/cms/nis-registrazione-2026-scadenza.webp)](/en/cms/insights/new-nis-subjects-2026-incident-notification-deadlines/)

[New NIS Subjects in 2026: Incident-Notification and Baseline-Measure Deadlines](/en/cms/insights/new-nis-subjects-2026-incident-notification-deadlines/)

[The ACN 2026 timing determination sets a distinct implementation path for entities first listed in the Italian NIS perimeter during 2026: significant-incident notification starts on 1 January 2027 and baseline security measures must be adopted by 31 July 2027.](/en/cms/insights/new-nis-subjects-2026-incident-notification-deadlines/)

[ACN](/en/cms/keyword/acn/)
[compliance](/en/cms/keyword/compliance/)
+8

### NIS 2 Compliance with Aegister

Complete solutions for NIS 2 Directive compliance: expert consulting, implementation and ongoing support.

[Discover](/en/solutions/compliance/nis2/)