ILR — NIS 2 incident notification: 24h to alert, your SOC must deliver

In June 2026, the ILR released a “NIS 2 incident notification” guide: early warning within 24h, notification at 72h, and a final report within 1 month. Here’s the SIEM/SOC stack to achieve this without panic.

Key facts

In Luxembourg, the law of 5 May 2026 transposing NIS 2 entered into force on 10 May 2026. Shortly after, the Institut Luxembourgeois de Régulation (ILR) released an operational guide on incident notification specifying a three-step process: early warning “without undue delay and at the latest within 24 hours” after becoming aware of a significant incident, formal notification at 72 hours, then a final report no later than one month after that notification (with the possibility of a one-month extension if the incident is not yet closed). The ILR’s NIS 2 site also notes that essential and important entities must report via the central SERIMA portal, and it clearly distinguishes the technical “detection” of an event from “becoming aware” of a significant incident, which is what starts the clock (ILR – Incident notification; ILR – NIS 2 FAQ). For the local framework and supervisory expectations, see NIS 2 in Luxembourg.

Why is this critical now? Because major incidents unfold in hours, not weeks. The ransomware attack against CDK Global crippled thousands of car dealerships in North America from 18–19 June 2024, with massive operational impact and opportunistic vishing attempts in its wake; in Europe, a comparable event would trigger the NIS 2 24h/72h/1-month cycle (BleepingComputer; TechCrunch).

The applicable legal framework

Article 23 of Directive (EU) 2022/2555 (NIS 2) requires:

  • Early warning without undue delay and in any event within 24h of becoming “aware” of a significant incident, even if the impact is not fully qualified yet. Its minimum content is deliberately small: whether the incident is suspected of being caused by unlawful or malicious acts, and whether it could have a cross-border impact;
  • Incident notification within 72h of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise (IoCs); the authority or CSIRT may also request intermediate status reports in the meantime;
  • Final report no later than 1 month after the 72h notification, with a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and ongoing, and any cross-border impact. If the incident is still ongoing at that point, a progress report is submitted instead, and the final report follows within one month of the incident being handled.

The ILR translated these requirements into practical expectations and channels (SERIMA), while emphasizing the key distinction between the technical occurrence and the moment of awareness that starts the regulatory clock (ILR – Incident notification; ILR – NIS 2 Act).

The technical solution to deploy

To meet the 24-hour mark, you need two things: see fast and assemble actionable evidence. Concretely:

  • Managed SIEM + sensors: real-time aggregation of logs/events (EDR, firewalls, VPN, AD/Entra, SaaS, IaaS), correlation and detections via rules and behavioral models. Standards: ISO/IEC 27001:2022 Annex A 8.15 (logging), A 8.16 (monitoring activities), A 5.24–5.26 (incident management planning, assessment and response); NIST CSF 2.0: Detect/DE.AE, Respond/RS.AN and RS.CO (incident reporting and communication); CIS Controls v8: 8.2, 8.3, 17.4.
  • Integrated NIS 2 runbooks: playbooks that automatically extract, upon qualification as “significant,” the fields required for the early warning: context, suspected unlawful or malicious cause, potential cross-border impact, affected scope. Then a second set for “72h” (severity, available IoCs, mitigation) and a third for “1 month” (timeline, root causes, lessons learned). The field mapping must fit the SERIMA/ILR form (ILR – Incident notification).
  • 24/7 monitoring: without on-call coverage, the 24h deadline may expire over a weekend. A managed SOC triggers the early warning in the right time zone and secures the decision chain.
  • Evidence management: immutable log retention (WORM/object lock), trusted time-stamping, hashing of every export, and preservation of forensic artefacts to support the notification, the investigation and the final report (ISO 27001 A 5.28 collection of evidence, A 8.15 logging, including protection of logs against tampering).
  • “Significance” catalogue: documented criteria to decide quickly whether an incident is “significant” under NIS 2 (operational/financial impact, harm to third parties, cross-border effects). The ILR FAQs explain that the clock is anchored to the moment the entity becomes aware of that state, not to the first technical alert (ILR – FAQ).
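The evidence-management bullet above is where most teams improvise during an incident. The following added example (not Luxgap's tooling, and not part of the original article) shows the minimum a SOC should do when pulling logs for a notification: hash every exported file with SHA-256, record who collected it and when in UTC, seal the manifest with its own hash, and re-verify the bundle before it is attached to the 72h notification or the final report. The sample log lines, file names and case identifier are constructed for the example; the WORM/object-lock setting lives on the storage side and is not shown.

```python
"""Hash, time-stamp and re-verify an evidence export (added example, not Luxgap's code)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample exports standing in for SIEM/EDR log pulls (not real data).
SAMPLE_EXPORTS = {
    "vpn_auth.log": (
        "2026-06-27T18:40:12Z vpn01 user=j.doe src=203.0.113.7 result=FAIL\n"
        "2026-06-27T18:40:15Z vpn01 user=j.doe src=203.0.113.7 result=FAIL\n"
        "2026-06-27T18:41:02Z vpn01 user=j.doe src=203.0.113.7 result=OK\n"
    ),
    "edr_alerts.json": '{"host":"srv-app-02","rule":"lsass-dump","severity":"high"}\n',
}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-GB exports do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _canonical(body: dict) -> bytes:
    """Stable serialisation so the manifest hash does not depend on key order."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(export_dir: Path, collector: str, case_id: str) -> dict:
    """Chain-of-custody record: one entry per file plus a seal over the whole manifest.

    Store the manifest on WORM storage next to the files; the seal lets a reviewer
    detect edits to the manifest itself, not only to the exported logs.
    """
    entries = [
        {"file": p.name, "size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(export_dir.iterdir())
        if p.is_file()
    ]
    body = {
        "case_id": case_id,
        "collector": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": entries,
    }
    body["manifest_sha256"] = hashlib.sha256(_canonical(body)).hexdigest()
    return body


def verify_manifest(export_dir: Path, manifest: dict) -> list:
    """Return a list of problems; an empty list means the export is intact."""
    problems = []
    unsealed = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if hashlib.sha256(_canonical(unsealed)).hexdigest() != manifest.get("manifest_sha256"):
        problems.append("manifest entries were altered")
    for entry in manifest["files"]:
        path = export_dir / entry["file"]
        if not path.is_file():
            problems.append(f"{entry['file']}: missing")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"{entry['file']}: hash mismatch")
    return problems


def run_demo() -> dict:
    """Build a bundle from the constructed samples, verify it, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        export_dir = Path(tmp) / "case-2026-0042"
        export_dir.mkdir()
        for name, content in SAMPLE_EXPORTS.items():
            (export_dir / name).write_text(content, encoding="utf-8")
        manifest = build_manifest(export_dir, collector="soc-analyst-1", case_id="2026-0042")
        intact = verify_manifest(export_dir, manifest)
        # Simulate a post-collection edit of one log file.
        (export_dir / "vpn_auth.log").write_text("tampered\n", encoding="utf-8")
        after_tamper = verify_manifest(export_dir, manifest)
        # Simulate someone editing the manifest to match the tampered file size.
        manifest["files"][1]["size"] = 9
        after_manifest_edit = verify_manifest(export_dir, manifest)
    return {
        "file_count": len(manifest["files"]),
        "intact": intact,
        "after_tamper": after_tamper,
        "after_manifest_edit": after_manifest_edit,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest's own hash is what turns a hash list into a custody record: without it, an attacker (or a well-meaning admin) who can rewrite a log file can also rewrite its entry. A trusted time-stamp from an external source, or the object-lock timestamp of the WORM bucket, should then be attached to `manifest_sha256` to prove when the seal was made.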

How Luxgap delivers this

  • Our 24/7 managed SOC: integration of your sources (EDR/XDR, cloud, network, IAM, SaaS), correlation in a reference SIEM, and rotating French-speaking watch officers. We configure NIS 2 Art. 23-aligned use cases and escalation timers (T0 = “became aware”), with timestamped documentation for the ILR.
  • Our ISO 27001 governance: our lead implementers structure your 24h/72h/1-month alert procedures, your “significance” criteria, early warning and final report templates, and the RACI chain up to the executive committee.
  • Our outsourced DPO/CISO consultants: coordination between NIS 2 and the other reporting regimes that may apply to the same incident (e.g., GDPR Art. 33: 72h to the data protection authority for a personal data breach; DORA for financial entities, whose initial notification of a major ICT-related incident runs on a separate and shorter clock) to avoid timing and content inconsistencies between the reports. For operational leadership, our outsourced CISO aligns security with these reporting requirements.

Real-world case in Luxembourg or the EU

A digital infrastructure company operating in Luxembourg (a NIS 2 “important” entity) engaged us after an authentication incident degraded a critical customer service on a Saturday evening. In six weeks, we:

  1. deployed SIEM collectors and integrated VPN/SSO, firewall, SaaS and EDR logs;
  2. configured NIS 2 Art. 23 use cases and “24h / 72h / 1-month” playbooks;
  3. established 24/7 SOC on-call coverage and an ILR (SERIMA) early warning procedure;
  4. ran an exercise covering detection → “significant” qualification → 24h alert with required minimal content, then 72h notification with IoCs.

Result: during a subsequent real incident (cloud account compromised on a Sunday), early warning was sent at H+6 via the SOC, the “72h” notification consolidated IoCs and remediation actions, and the final report (D+30) aligned root causes and corrective measures, matching the ILR template point by point.

First concrete steps

  • Map your signals: this week, identify the 10 authoritative event sources (EDR, SSO, VPN, firewalls, M365/Entra, Google Workspace, AWS/Azure/GCP, ERP/CRM, IDS, DLP) and connect them to the SIEM.
  • Decide the time anchor: put in writing what triggers T0 (“became aware” of a significant incident) and who has authority to qualify “significant.” Align with ILR FAQ on detection vs awareness.
  • Pre-fill ILR templates: create early warning, 72h notification and final report models mapped to SERIMA fields, and integrate them into your playbooks.
  • Test on a weekend: run a Saturday drill: in < 12 hours, the SOC must trigger the alert, aggregate minimal elements (scope, suspected maliciousness, potential cross-border effects) and submit a draft to management.
  • Secure evidence: enable WORM retention on critical logs and document chain of custody to support the 1-month final report.
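As an added example for the time-anchor and drill steps above (not Luxgap's or the ILR's tooling, and not part of the original article), here is the kind of clock a SOAR playbook should carry: it takes T0 as the moment the entity became aware of a significant incident, derives the 24h and 72h deadlines from it, anchors the one-month final report to the actual submission time of the 72h notification, flags when the on-call manager must be paged, and refuses to let an early-warning draft go out while its two mandatory Art. 23(4)(a) answers are still unassessed. Assumptions: all timestamps are ISO 8601 with an explicit UTC offset; the four-hour escalation window and the draft field names are placeholders to be mapped onto your own process and the SERIMA form.

```python
"""NIS 2 Art. 23 deadline clock for a SOC playbook (added example, not Luxgap's code)."""
import calendar
from datetime import datetime, timedelta
from typing import Optional

EARLY_WARNING = timedelta(hours=24)     # Art. 23(4)(a)
NOTIFICATION = timedelta(hours=72)      # Art. 23(4)(b)
ESCALATION_WINDOW = timedelta(hours=4)  # assumption: page the on-call manager below this


def parse_aware(ts: str) -> datetime:
    """Reject naive timestamps: a clock start without a UTC offset is ambiguous."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset: {ts}")
    return dt


def add_months(dt: datetime, months: int) -> datetime:
    """'One month' in Art. 23(4)(d) is a calendar month, not 30 days; clamp to month end."""
    idx = dt.month - 1 + months
    year, month = dt.year + idx // 12, idx % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def compute_deadlines(t0_iso: str, notification_submitted_iso: Optional[str] = None) -> dict:
    """Return the three regulatory deadlines as ISO strings.

    T0 is the 'became aware' moment, not the first technical alert. The final-report
    deadline is anchored to the submission of the 72h notification, so it stays
    None until that submission time is known.
    """
    t0 = parse_aware(t0_iso)
    final = None
    if notification_submitted_iso:
        final = add_months(parse_aware(notification_submitted_iso), 1).isoformat()
    return {
        "early_warning": (t0 + EARLY_WARNING).isoformat(),
        "notification": (t0 + NOTIFICATION).isoformat(),
        "final_report": final,
    }


def clock_status(deadline_iso: str, now_iso: str) -> str:
    """What the SOC dashboard shows for one deadline at a given instant."""
    remaining = parse_aware(deadline_iso) - parse_aware(now_iso)
    if remaining <= timedelta(0):
        return "OVERDUE"
    if remaining <= ESCALATION_WINDOW:
        return "ESCALATE"
    return f"{remaining.total_seconds() / 3600:.1f}h left"


# Minimum content of the early warning per Art. 23(4)(a): whether the incident is
# suspected to be caused by unlawful or malicious acts, and whether it could have a
# cross-border impact. The remaining keys are placeholder names for the SERIMA form.
REQUIRED_EARLY_WARNING = (
    "entity", "became_aware_at", "summary",
    "suspected_unlawful_or_malicious", "possible_cross_border_impact",
)


def missing_early_warning_fields(draft: dict) -> list:
    """None means 'not yet assessed' and blocks sending; an explicit False is fine."""
    return [k for k in REQUIRED_EARLY_WARNING if draft.get(k) is None]


if __name__ == "__main__":
    t0 = "2026-06-27T18:40:00+00:00"  # constructed: Saturday evening, awareness by the SOC
    deadlines = compute_deadlines(t0, notification_submitted_iso="2026-06-29T10:00:00+00:00")
    print(deadlines)
    print(clock_status(deadlines["early_warning"], "2026-06-28T15:00:00+00:00"))
    draft = {
        "entity": "example-important-entity",
        "became_aware_at": t0,
        "summary": "cloud admin account compromised",
        "suspected_unlawful_or_malicious": True,
        "possible_cross_border_impact": None,  # still being assessed: draft must not go out
    }
    print("missing:", missing_early_warning_fields(draft))
```

Two design points matter in practice. First, T0 is written down once, by whoever has authority to qualify the incident as significant, and every timer derives from that string; recomputing it later from alert timestamps quietly moves the deadline. Second, the early-warning check treats an unanswered question as blocking but accepts an explicit "no", which matches the directive's intent that the 24h message is a minimal signal, not a full assessment.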
