NIS2 Incident Reporting: The 24-Hour Rule Most SMBs Aren't Ready For

2026-03-23 · 7 min read

You get a call at 6 AM on a Tuesday. Your office manager can't log in. Files are encrypted. Customers can't access your portal. The clock starts now - and under NIS2, you have exactly 24 hours to submit an early warning to your national authority. Not 24 hours to fix the problem. Not 24 hours to call your IT guy. Twenty-four hours to file a structured report with a government body most SMB owners have never spoken to. If you don't have a documented process for this right now, you're not alone. But NIS2 probably applies to your business whether you've prepared or not. And "we didn't know" won't reduce the fine.

What Exactly Does NIS2 Require When Something Goes Wrong?

NIS2 introduced a three-stage incident reporting obligation for entities in scope. Stage one: an early warning within 24 hours of becoming aware of a significant incident. Stage two: an incident notification within 72 hours with an initial assessment of severity, impact, and indicators of compromise. Stage three: a final report within one month detailing root cause, mitigation measures, and cross-border impact. A "significant incident" is one that causes substantial operational disruption or financial loss, or could affect other natural or legal persons. For an SMB running cloud-based operations, a ransomware attack that locks customer data qualifies. A phishing breach that exposes client records qualifies. The bar is lower than most owners assume. NIS2 affects 28,700 additional companies in Germany alone - including 6,200 micro and small enterprises who never expected to deal with EU-level cybersecurity regulation.

Do You Even Know Who to Call in the First 24 Hours?

Here's the reality check. It's not about whether you can detect an incident - it's whether your team knows the next five steps when they do. Most SMBs have no incident response playbook. No assigned roles. No pre-drafted notification template. No idea which national CSIRT to contact. And 64% of French SMBs don't even know what NIS2 is, let alone what it requires. So when the breach happens, the first hours are wasted on panic, not process. Meanwhile, the 24-hour window is ticking. Consider this: 1 in 3 SMBs were hit by a cyberattack in 2024 (BizTech Magazine). The question isn't if you'll face an incident - it's whether you'll be able to respond in time when you do. If you haven't already, run through our incident response checklist to see where the gaps are.

[Image: Close-up of a police officer writing on a clipboard outdoors in Londrina, Brazil. Photo by Rodolfo Gaion on Pexels]

What Happens If You Miss the 24-Hour Window?

NIS2 isn't advisory. Member states are implementing enforcement regimes with real teeth. For essential entities, fines can reach €10 million or 2% of global annual turnover - whichever is higher. Important entities face up to €7 million or 1.4% of turnover. But fines aren't the only cost. The average cyber claim now runs $345,000 (Atlantic Digital). That's before regulatory penalties, before reputational damage, before lost contracts. And here's the number that should concern you most: 67% of vendors lost contracts in 2024 because they couldn't prove compliance to their customers or partners (Marsh McLennan). Missing a reporting deadline doesn't just trigger a fine - it signals to your supply chain partners that you're a liability. For a deeper look at what non-compliance actually costs in practice, read the real cost of not having compliance.

What Does a Practical 24-Hour Playbook Actually Look Like?

You don't need a security operations centre. You need a laminated card on the wall and people who know their role. Here's a stripped-down playbook any SMB can implement this week:

Hour 0–1: Detect and Confirm. Whoever discovers the incident escalates immediately to the designated incident lead. Not IT. A named person. Confirm it meets the "significant incident" threshold.

Hour 1–4: Contain and Assess. Isolate affected systems. Document what you know: type of incident, systems affected, estimated impact. Take screenshots. Preserve logs.

Hour 4–12: Draft the Early Warning. Use a pre-filled template with your company details, CSIRT contact information, and incident classification fields already completed. Fill in the specifics.

Hour 12–24: Submit and Communicate. File the early warning with your national CSIRT. Notify your management body - NIS2 requires board-level awareness. Brief affected staff.
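The four playbook steps above boil down to two things a responder must get right under pressure: knowing exactly when each of the three NIS2 deadlines falls, and knowing whether the early-warning draft is complete enough to file. The following tracker is an added example written for this article; it is not code from the article or from Fusion AI or any other vendor named on the page. The field names, the modelling of "one month" as a fixed 30 days, and the sample ransomware incident are assumptions made for illustration; the real form fields and submission channel come from your national CSIRT.

```python
"""NIS2 reporting-deadline tracker and early-warning draft checker.

Added example for the 24-hour playbook; not the article's or any vendor's code.
Field names, the fixed-duration deadlines and the sample incident are
assumptions for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Reporting stages named in the article: early warning (24 h), incident
# notification (72 h), final report (one month). "One month" is modelled
# here as 30 days (assumption); confirm the exact rule with your authority.
STAGES = (
    ("early_warning", 24),
    ("incident_notification", 72),
    ("final_report", 30 * 24),
)

# Fields the playbook says a pre-filled template should already carry, plus
# the incident-specific fields filled in at Hour 4-12. Names are hypothetical.
PREFILLED_FIELDS = ("company_name", "csirt_contact", "incident_lead")
INCIDENT_FIELDS = ("incident_type", "systems_affected", "estimated_impact",
                   "significant_incident_confirmed")


@dataclass
class Incident:
    aware_at: datetime                      # when the entity became aware
    report: dict = field(default_factory=dict)

    def deadlines(self) -> dict:
        """Absolute deadline for each reporting stage, keyed by stage name."""
        return {name: self.aware_at.replace(tzinfo=timezone.utc)
                + _hours(h) for name, h in STAGES}

    def status(self, now: datetime) -> dict:
        """Hours remaining per stage at time `now` (negative means overdue)."""
        return {name: (deadline - now).total_seconds() / 3600
                for name, deadline in self.deadlines().items()}

    def missing_fields(self) -> list:
        """Early-warning fields that are absent, empty or unconfirmed."""
        return [f for f in PREFILLED_FIELDS + INCIDENT_FIELDS
                if not self.report.get(f)]

    def early_warning_ready(self) -> bool:
        """True only when every field is filled and the Hour 0-1 decision
        (incident confirmed as significant) has been recorded as True."""
        return (not self.missing_fields()
                and self.report.get("significant_incident_confirmed") is True)


def _hours(h: float):
    """Helper: a timedelta of h hours (kept separate to keep STAGES plain)."""
    from datetime import timedelta
    return timedelta(hours=h)


def build_sample_incident() -> Incident:
    """Constructed sample: ransomware discovered 06:00 UTC, Tuesday 2026-03-24."""
    inc = Incident(aware_at=datetime(2026, 3, 24, 6, 0, tzinfo=timezone.utc))
    # Pre-filled template part, kept on file before any incident happens.
    inc.report.update(company_name="Example SMB GmbH (placeholder)",
                      csirt_contact="national CSIRT contact (placeholder)",
                      incident_lead="named incident lead (placeholder)")
    # Hour 1-4 findings: what you know, not what you guess.
    inc.report.update(incident_type="ransomware",
                      systems_affected=["file server", "customer portal"],
                      estimated_impact="portal unavailable; files encrypted")
    return inc


if __name__ == "__main__":
    inc = build_sample_incident()
    print("missing before confirmation:", inc.missing_fields())
    inc.report["significant_incident_confirmed"] = True   # Hour 0-1 decision
    now = inc.aware_at.replace(hour=11)                    # five hours in
    for stage, hours in inc.status(now).items():
        print(f"{stage}: {hours:.1f} h remaining")
    print("ready to file early warning:", inc.early_warning_ready())
```

The deliberate design choice is that the draft is never "ready" until the significance decision is recorded as an explicit True: a responder who skips the Hour 0-1 confirmation cannot file by accident, and the missing-field list tells the incident lead what still has to be gathered before the 24-hour clock runs out.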

Who in Your Team Owns This Process?

This is where most plans fall apart. NIS2 requires that management bodies - meaning directors, owners, or board members - are directly responsible for approving and overseeing cybersecurity risk management measures. You can't delegate this entirely to an external contractor and walk away. Somebody inside your organisation must be the named incident lead. Somebody must have the authority to isolate a system at 2 AM without waiting for approval. And 77% of IT admins already describe their job as stressful (JumpCloud) - adding regulatory reporting to their plate without structure or support is how you lose good people. The playbook only works if roles are assigned before the incident, not during. Write down three names: incident lead, technical responder, communications contact. If you can't fill all three, that tells you something about your readiness. Our cybersecurity checklist for SMBs walks through these role assignments step by step.

[Image: A vehicle engulfed in flames amidst a dramatic scene in Bristol, UK. Photo by Boys in Bristol Photography on Pexels]

Can You Afford to Build This Capability Alone?

Let's talk numbers. A traditional managed service provider charges 100–250 EUR per user per month. For a 30-person company, that's 3,000–7,500 EUR monthly - and most MSPs don't include NIS2 reporting workflows, incident documentation, or compliance evidence collection. Standalone compliance platforms like Vanta or Drata run 7,500–50,000 EUR per year, but they don't manage your IT. They generate checklists. You still need someone to execute. So you end up paying twice: once for IT management, once for compliance tooling, and still stitching the two together yourself.

Feature                        | Traditional MSP    | Compliance Platform (Vanta/Drata) | Fusion AI
IT operations management       |                    |                                   |
Incident response playbook     | ❌ (usually)        | Partial (templates)               |
NIS2 reporting templates       |                    | Partial                           |
Continuous compliance evidence |                    |                                   |
24-hour early warning support  |                    |                                   |
Cost (30 users)                | 3,000–7,500 EUR/mo | 625–4,167 EUR/mo                  | See pricing

The whole point is this: your compliance is the natural byproduct of good IT management. You shouldn't need two separate vendors and a spreadsheet to prove you can respond to an incident within 24 hours.

What Does "NIS2-Ready" Actually Mean for an SMB?

It doesn't mean you've hired a CISO. It doesn't mean you've spent six months on documentation. It means you have four things in place: a documented risk management process, an incident response plan that maps to the 24-hour/72-hour/1-month reporting timeline, evidence that your management body has been trained and is involved, and continuous monitoring that proves these controls are working - not just that they existed once. With Fusion AI, connecting the first security scan takes 45 minutes. You get your first compliance report in 48 hours. Full NIS2 readiness in 30 days. Not because we cut corners, but because when IT management and compliance share the same platform, evidence generates itself. Policies map to controls. Controls map to incidents. And when something goes wrong at 6 AM on a Tuesday, the playbook is already loaded, the templates are pre-filled, and the right people get notified automatically.

Are You Ready for the Incident That's Already Coming?

One in three SMBs got hit last year. Cyberattacks are up 49% in the first half of 2025 (Identity Week). And 41% of cyber insurance applications are denied on first submission (MoneyGeek) - often because the applicant can't demonstrate a documented incident response process. NIS2 isn't asking you to become a cybersecurity company. It's asking you to have a plan, know your roles, and be able to report within 24 hours. That's a reasonable bar. But meeting it requires preparation, not improvisation. If you don't know where you stand today, start with the free security scan. It takes 45 minutes to connect, costs nothing, and gives you a clear picture of your current gaps - including whether your incident response capability would survive a real NIS2 reporting scenario.

You can also test your cybersecurity readiness in under five minutes. Either way, the point is the same: find out now, not during the incident.
