NIS2 incident reporting timelines — how do you map the 24h/72h clock to real on-call rotation?

NIS2 Directive (EU) 2022/2555 requires 'early warning' within 24 hours and a full incident notification within 72 hours for essential and important entities. In practice, the 24h clock starts when you become aware of a 'significant' incident — but determining significance takes time itself. Specific questions: 1. How did your team map the NIS2 24h early-warning requirement to an actual on-call escalation path? Do you use automated triage or require human sign-off before the clock starts? 2. The 72h full report requires initial assessment, indicators of compromise, and impact estimation. Has anyone built a template that auto-populates from SIEM/SOAR data? 3. How do you handle the overlap with GDPR Art. 33 (72h breach notification to supervisory authority)? Are you running parallel processes or a unified workflow? 4. For cross-border operators — do you report to each national CSIRT separately or is there a lead authority mechanism similar to GDPR's one-stop-shop?