What Article 23 actually requires
Article 23 applies to essential and important entities under NIS2. It requires reporting significant incidents to the relevant authority or Computer Security Incident Response Team (CSIRT). Reporting is done in stages: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month (European Union, 2022).
The point is not that you must foresee everything. The point is to have a process that enables you to communicate three things at the right time: what has happened, how serious it is, and what you are doing about it. The staged model is clever: it accepts that you won't know everything after two hours but requires you to signal early and update as the picture becomes clearer (European Union, 2022).
Article 23 also includes a coordination logic: a single point of contact (SPOC) may need to forward reports to other affected member states and provide aggregated summaries to the European Union Agency for Cybersecurity (ENISA) (European Union, 2022).
Swedish implementation: this is no longer just "EU theory"
In Sweden, NIS2 is implemented through the Cybersecurity Act (2025:1506), which came into force on 15 January 2026, and the Cybersecurity Ordinance (2025:1507) (Swedish Parliament, 2025a; 2025b).
The Swedish Civil Contingencies Agency (MSB) has also published guidance on incident reporting under the Cybersecurity Act, including how the Act's entry into force changes who must report, and the practical deadlines (MSB, 2026).
The Cybersecurity Ordinance establishes that MSB is the single point of contact under NIS2 (Swedish Parliament, 2025b).
The most common pitfall I see: the alert chain is "someone else's job"
Many organisations reflexively treat incident reporting as a matter for the "security function". But Article 23 doesn't care how you organise yourself. It cares that someone actually calls in time.
And here's the uncomfortable truth: the alert chain almost never fails because of technology. It fails for mundane, everyday reasons:
No one knows who is authorised to press the "this is an incident" button.
Contact lists are out of date.
Legal, communications and technical teams sit in different rooms waiting on each other.
The supplier owns the logs, so you can't even describe the situation without permission.
When that is the case, the deadlines don't matter. You have a fire alarm with no battery.
What makes Article 23 modern
I find Article 23 one of the most "mature" parts of NIS2. It doesn't assume life is perfect. It assumes incidents are unclear at first, but that critical services must still be able to signal and coordinate.
That's also why Article 23 can't stand alone. It needs support from Article 21: risk management and measures that help you detect, isolate and recover faster. ENISA has published technical guidance to help certain sectors interpret how NIS2 measures can be applied in practice (ENISA, 2025).
My conclusion
If you want to understand Article 23 without reading another paragraph, think like this: it's the alert chain that must withstand stress.
When you can call early, provide factual updates, and finish with a credible final report, you have something far greater than "compliance". You have an organisation that can handle reality without losing control.
And in a digital society, that is often the most tangible form of security we have.
References
ENISA. (2025). NIS2 Technical Implementation Guidance. European Union Agency for Cybersecurity.
European Union. (2022). Directive (EU) 2022/2555 (NIS2). Official Journal of the European Union, L 333.
Swedish Civil Contingencies Agency (MSB). (2026). Incident reporting under the Cybersecurity Act.
Swedish Parliament. (2025a). Cybersecurity Act (2025:1506). Swedish Code of Statutes.
Swedish Parliament. (2025b). Cybersecurity Ordinance (2025:1507). Swedish Code of Statutes.