NIS2
Europe's cybersecurity directive. When a significant incident happens, you have 24 hours for an early warning, 72 hours for an incident notification with an initial assessment, and one month for the full report with root cause. All three pull from the same gateway audit stream, queried at different points in time, so there is no scrambling across siloed systems while the clock runs. The table below maps each Article 23(4) reporting obligation to the gateway output.
Obligation to evidence
| Obligation | IntentGate output |
|---|---|
| Art. 23(4)(a) — early warning within 24h of becoming aware | Webhook fan-out (Slack, Teams, PagerDuty) on configurable refusal events; auto-creates the 24h ticket |
| Art. 23(4)(b) — incident notification within 72h with initial assessment | Signed audit export of the affected window with per-call attribution |
| Art. 23(4)(c) — intermediate report on request from the authority | Same chain, queryable repeatedly without re-correlation |
| Art. 23(4)(d) — final report within 1 month with root cause | Decision-path field per row identifies which rule fired and why |
| Art. 21(2)(h) — basic cyber hygiene practices and training | Operator console plus per-decision evidence to brief and train staff against |
The 24-hour window is where most organisations fail. The chronology has to exist before the incident, not be reconstructed after. The audit chain is that chronology.
Want the mapping for your specific audit?
Each organisation has a different combination of regulations and a different audit cycle. We can walk through your specific obligations in a 30-minute call.