NIS2 Directive incident reporting timelines: 24h early warning vs 72h full notification — what triggers which?
The EU NIS2 Directive (Directive (EU) 2022/2555) introduced a two-tier incident reporting system:

- 24 hours: early warning to CSIRT with initial assessment
- 72 hours: full notification with severity assessment and indicators of compromise

The practical ambiguity: what exactly triggers the 24h clock vs when can you wait for the 72h full report?

Our incident response team is struggling with:

- Ransomware discovery at 3am on Saturday: does the clock start at detection, or when the IR team confirms it's a 'significant incident'?
- Supply chain compromise detected via vendor notification: is that our incident or theirs for reporting purposes?
- Near-miss incidents that were blocked by controls: do these need any reporting at all?

For those who have already implemented NIS2-aligned IR procedures (especially in DE/NL where enforcement is strict): how are you defining the 'significant incident' threshold internally? Are you using ENISA's guidance or national implementations?

The transposition deadline was October 2024, so most member states should have national laws in force by now. But the practical guidance is still catching up.