--- title: "NIS2 Incident Notification: Operating Model" description: "NIS2 incident notification obligations are now live. Operating model for the 9-month transition: early warning, CSIRT reporting, and compliance workflow." canonical: https://www.aegister.com/en/cms/insights/nis2-incident-notification-live-operating-model/ url: /en/cms/insights/nis2-incident-notification-live-operating-model/ lang: en --- ![](/static/images/header-contact.webp) # NIS2 incident-notification obligations are live: operating model after the 9-month deadline --- ![NIS2 incident-notification obligations are live: operating model after the 9-month deadline](/static/images/cms/nis2-requisiti-di-base.webp) ## NIS2 incident-notification obligations are live: operating model after the 9-month deadline February 09, 2026 [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) [compliance](/en/cms/keyword/compliance/) [CSIRT](/en/cms/keyword/csirt/) +5 ACN implementation guidance for first application sets the 9-month incident-notification milestone in January 2026. that deadline is past and the incident-notification obligation is live. Organizations should now focus on execution reliability for 24h/72h reporting and sustained governance oversight. ## Key takeaways - ACN’s first-application timeline places the 9-month notification milestone in January 2026. - incident-notification obligations are already in force. - Notification workflow must support pre-notification (24h), notification (72h), and follow-up reporting obligations. - Legal timing depends on incident evidence acquisition, not on root-cause completion. - Role governance, procedures, and evidence traceability are required for stable live operations. ## Post-deadline operating model (live obligation) ### Phase 1 (Immediate): governance and role confirmation Confirm Point of Contact / CSIRT interface responsibilities, escalation ownership, and duty coverage. ### Phase 2 (Days 15–45): process hardening and evidence quality Harden notification workflow, evidence-timestamp capture, and reporting templates for mandatory submission steps. ### Phase 3 (Days 46–75): simulation and defect fixing Run simulations for 24h/72h obligations, identify bottlenecks, and fix process/control defects. ### Phase 4 (Ongoing): live-readiness assurance Run monthly validation on role availability, contact channels, submission quality, and management oversight records. ## Control points for live-notification reliability | Control | Objective | Evidence | | --- | --- | --- | | Trigger clarity | Start timing from evidence acquisition | Incident evidence log | | Role coverage | Ensure always-available submission ownership | Duty matrix and substitutes | | Procedure quality | Enforce 24h/72h and follow-up sequence | Notification SOP and checklists | | Simulation maturity | Test deadline execution under stress | Drill reports and remediation log | ## Conclusion and next steps Since the first-application 9-month deadline is already past, the priority is now live-operability discipline. The fastest path to confidence is to combine role governance, simulation cycles, and documented corrective actions with continuous 24h/72h performance tracking. ## FAQ ### Is the 9-month notification milestone still upcoming? No. ACN first-application timeline places it in January 2026; the obligation is already live. ### Can investigation be completed before first notification? Not required. Initial submissions are time-bound and can be updated as investigation progresses. ### What if key data is missing at 24h? Details are defined in the official call documentation and incident-notification guidance. ## Related reading - [NIS2 baseline obligations in practice: master overview for governance, controls, and incident operations](/en/cms/insights/nis2-baseline-obligations-master-overview/) - [NIS2 Article 25 in Practice: Incident Notification Obligations and Operating Timeline](/en/cms/insights/nis2-article-25-incident-notification/) - [NIS2 incident management and CSIRT notification plan: practical guide for an approvable RS.MA-01 document](/en/cms/insights/nis2-incident-management-csirt-notification-plan-rs-ma-01/) - [Aegister NIS2 Compliance Service](/en/solutions/compliance/nis2/) ## Official sources - [ACN – Incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt) - [ACN – Guide to reading baseline specifications](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base) - [ACN – Baseline obligations determination and annexes](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed) - [Gazzetta Ufficiale – Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG) Share this post ## Related News [![New NIS Subjects in 2026: Incident-Notification and Baseline-Measure Deadlines](/static/images/cms/nis-registrazione-2026-scadenza.webp)](/en/cms/insights/new-nis-subjects-2026-incident-notification-deadlines/) [New NIS Subjects in 2026: Incident-Notification and Baseline-Measure Deadlines](/en/cms/insights/new-nis-subjects-2026-incident-notification-deadlines/) [The ACN 2026 timing determination sets a distinct implementation path for entities first listed in the Italian NIS perimeter during 2026: significant-incident notification starts on 1 January 2027 and baseline security measures must be adopted by 31 July 2027.](/en/cms/insights/new-nis-subjects-2026-incident-notification-deadlines/) [ACN](/en/cms/keyword/acn/) [compliance](/en/cms/keyword/compliance/) +8 [![ACN NIS 2026 Platform Rules and New Deadlines: Master Overview](/static/images/cms/nis2-basic-measures-acn.webp)](/en/cms/insights/nis-acn-platform-2026-new-deadlines-overview/) [ACN NIS 2026 Platform Rules and New Deadlines: Master Overview](/en/cms/insights/nis-acn-platform-2026-new-deadlines-overview/) [ACN's April 2026 package sets new NIS deadlines for subjects listed for the first time in 2026 (incident notification from 1 January 2027, baseline measures by 31 July 2027) and updates the platform operating rules for registration, annual and continuous updates, relevant suppliers, and categorization.](/en/cms/insights/nis-acn-platform-2026-new-deadlines-overview/) [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) +8 [![NIS2 Point of Contact and CSIRT Contact Role: Accountability and Operating Duties](/static/images/cms/nis2-requisiti-di-base.webp)](/en/cms/insights/nis2-point-of-contact-csirt-role-accountability/) [NIS2 Point of Contact and CSIRT Contact Role: Accountability and Operating Duties](/en/cms/insights/nis2-point-of-contact-csirt-role-accountability/) [NIS2 implementation guidance distinguishes the legal Point of Contact from the operational CSIRT contact role. Practical guide to role formalization, substitute model, competence mapping, and audit-ready evidence.](/en/cms/insights/nis2-point-of-contact-csirt-role-accountability/) [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) +10 ### NIS 2 Compliance with Aegister Complete solutions for NIS 2 Directive compliance: expert consulting, implementation and ongoing support. [Discover](/en/solutions/compliance/nis2/)