The 24-hour incident-notification clock — what "becoming aware" actually means

NIS2 starts the early-warning clock at the moment the entity becomes aware of the incident. That moment is not precisely defined, the interpretation latitude is substantial, and the consequences of getting it wrong are high.

NIS2 Article 23 requires entities to notify significant incidents in stages: an early warning without undue delay and in any event within 24 hours of becoming aware of the incident (indicating, where applicable, whether malicious action or cross-border impact is suspected); an incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and any available indicators of compromise; and a final report no later than one month after that incident notification (or, if the incident is still ongoing at that point, a progress report followed by a final report within a month of the incident being handled). Every stage keys off the same trigger: the 24-hour clock, and with it the 72-hour clock, starts when the entity "becomes aware".

The Directive does not say what "becoming aware" means in operational terms, and the interpretation latitude is substantial. It is not a question you want to be settling for the first time, under pressure, in a real incident.

Consider a representative scenario: the SOC observes anomalous outbound traffic from an internal endpoint at 02:00. The on-call analyst investigates, suspects a compromise by 03:30, escalates to the incident-management team at 04:00. The incident-management team confirms the compromise and assesses scope at 09:00. The legal team is briefed at 10:00. The CISO is briefed at 11:00. When did the organisation become aware?

Depending on how the obligation is interpreted, the 24-hour clock may have started at 02:00 (first observation), at 03:30 (analyst suspicion), at 04:00 (escalation) or at 09:00 (confirmed compromise), and the early warning is correspondingly due at 02:00 or at 09:00 the following day. Seven hours is nearly a third of the window. If the earliest anchor applies, an organisation that starts thinking about notification only after the 11:00 CISO briefing has already spent nine of its 24 hours before anyone with authority to notify has heard of the incident.

In our experience of tabletop exercises and live incidents, organisations consistently anchor the awareness moment to a senior-level confirmation rather than to a SOC-level suspicion. This is defensible, since the obligation falls on the entity rather than on an individual analyst, but the opposite reading is also arguable, and a supervisor (the CSIRT or competent authority to which the notification is made) reviewing the incident after the fact may take it, particularly if the gap between first suspicion and confirmation looks like delay rather than diligence.

Our practical recommendation: define "becoming aware" explicitly in your incident-management procedure and apply it consistently. The most defensible definition is normally "the point at which the security incident management process has been formally invoked". Document the trigger criteria for invocation, so that the decision to invoke is rule-based rather than discretionary; document the timestamping convention (which clock, which time zone, which system of record); and rehearse the workflow. Two caveats. First, the obligation reads "without undue delay and in any event within 24 hours", so 24 hours is a ceiling, not a target, and a definition that pushes the anchor late without shortening the time to notify invites the argument that the delay was undue. Second, preserve the record of everything that happened before invocation, including the 02:00 alert and the 03:30 suspicion in the scenario above: if the anchor is later challenged, that timeline is your evidence that the invocation criteria were applied as written.

The 24-hour clock is short enough that organisations without an established communication path to the relevant supervisor (the CSIRT or competent authority designated under national transposition) will struggle to meet it under live-incident pressure. We strongly recommend establishing that relationship in peacetime: find the point of contact, establish the secure communication channel and the notification format the supervisor expects, exchange and test whatever credentials or keys the channel requires, and record all of it in the procedure where the on-call team can find it at 03:00. The supervisor's incident-handling team will appreciate the proactive contact; the alternative is finding the right path during the 24-hour window.

About the author. Pavel Novák is Partner, Energy and Critical Infrastructure at Ellipse Project.