
Incident Reconstruction Under NIS2

Article 23's 24-hour, 72-hour, and one-month cascade as a sequence of replayable readings

NIS2 Article 23 asks for an early warning, a detailed notification, and a final report. Each is currently authored in prose. This article describes how KAIROS replaces that narrative substrate with a hash-bound, replay-deterministic envelope that a CSIRT can re-execute.

NIS2 Article 23 requires an early warning within 24 hours of becoming aware of a significant incident, a detailed notification within 72 hours, and a final report within one month. Each of those artifacts is currently authored in prose. The audit milestones now in force across Member States, with 30 June 2026 the most prominent, are the first occasions on which that prose faces systematic scrutiny.

What the Regime Asks For

NIS2 covers 18 sectors of essential and important entities. Article 21 sets 10 minimum cybersecurity risk-management measures. Article 23 sets the reporting cascade: a 24-hour early warning indicating awareness and cross-border impact, a 72-hour detailed notification with severity assessment and indicators of compromise, an interim report at the CSIRT’s request, and a final report within one month of the incident notification.

Article 20 places board and senior-management accountability on the cybersecurity programme. Article 34 backs the regime with fines reaching €10 million or 2% of global turnover for essential entities. The cascade is a temporal discipline: each artifact has a deadline, and each deadline has a fine schedule.

Where the Existing Stack Falls Short

The 24-hour early warning is currently a triage decision. The CISO or duty SOC manager looks at SIEM alerts, EDR severity scores, and analyst judgement, and produces a textual claim about whether a significant incident is in progress. The decision is defensible. The decision is also dependent on which analyst happens to be on shift.

The 72-hour detailed notification is currently a reconstruction. The SOC walks back through the alert chain, pattern-matches against an attack framework, and produces a narrative with indicators of compromise. The indicators come from the existing SIEM/EDR. The structural reading is absent from the data.

The one-month final report compiles forensic conclusions, root cause, and mitigation. The root cause section is the most contested artifact. Two incident response firms working the same engagement can produce different root-cause narratives, both defensible, neither replayable.

A CSIRT receiving the three artifacts evaluates them as authored claims. The cascade depends on trust in the operator’s narrative discipline.

What KAIROS Adds to the Cascade

24-hour early warning. The Mythos-shaped sandbox-escape fixture in the cyber smoke corpus walks through the kill-chain sequence: privilege pressure rises first, segmentation collapses next, exfiltration arrives after. The zone reaches ActiveIntrusion before the exfiltration jump, because the structural margin is already compressed. The 24-hour clock starts when a defended zone’s stability score crosses the policy threshold. The trigger is structural.

72-hour detailed notification. The notification carries a replay package: the calibration artifact, the deployment policy version, the per-zone snapshots across the incident window, and the resulting envelopes. The indicators of compromise are augmented by the structural reading. The CSIRT can re-execute the operator’s evidence and compute the same gate verdicts the operator submitted.

One-month final report. The forensic timeline is hash-bound. Each CyberSignalEnvelope carries the SHA-256 of the calibration document, the OCSF schema pin, the canonical-JSON event budgets, and the per-zone snapshot NDJSON. The root cause section refers to the zone, the tick, and the Kairos margin K_gate = gamma − gamma_floor at which the structural break occurred. Disagreement on the root cause collapses to disagreement on inputs.

Article 21 risk-management measures. The first measure (policies on risk analysis) acquires a numeric trajectory. The sixth measure (assessing the effectiveness of cybersecurity risk-management measures) acquires a measurable structural reading. The second measure (incident handling) acquires the replay-deterministic envelope as a runtime artifact.

The CSIRT as a Replayer

The shift in the CSIRT’s reception of an incident report mirrors the shift the notified body experiences under the EU AI Act. The CSIRT has traditionally read incident reports. With a KAIROS-equipped operator, the CSIRT re-executes the operator’s deployment on the supplied calibration artifact and deployment policy, and verifies the gate verdicts bit-for-bit against the operator’s submitted envelopes. The determinism tolerance is ε = 10⁻⁶.
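The replay step described here, together with the hash-bound envelope fields listed under the one-month final report above, as an added Python example. This is not KAIROS code: the gate rule (a zone is in ActiveIntrusion once K_gate = gamma − gamma_floor drops below the policy margin), the envelope field names, the canonical-JSON form, the OCSF pin value, and the calibration, policy and per-zone snapshot data are all assumptions constructed for illustration. The operator and the CSIRT run the same `replay` over the same inputs; `verify` then compares the two envelope sets, requiring exact hash, version and verdict agreement and K_gate agreement within the ε = 10⁻⁶ tolerance the text states.

```python
import hashlib
import json
from dataclasses import dataclass

EPSILON = 1e-6             # determinism tolerance stated in the article
SCHEMA_PIN = "ocsf-1.1.0"  # assumed OCSF schema pin (placeholder value)


def canonical_json(obj) -> bytes:
    """Canonical JSON: sorted keys, no insignificant whitespace, UTF-8.
    Assumption: this approximates the canonical form the envelopes hash."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CyberSignalEnvelope:
    tick: int
    zone: str
    k_gate: float           # K_gate = gamma - gamma_floor
    verdict: str            # "Stable" or "ActiveIntrusion" (assumed labels)
    calibration_sha256: str  # hash of the calibration document
    policy_version: str
    schema_pin: str
    snapshot_sha256: str    # hash of the NDJSON snapshot line this envelope derives from


def replay(calibration: dict, policy: dict, snapshot_ndjson: str) -> list:
    """Deterministically recompute envelopes from calibration, policy and
    per-zone snapshots. Anyone holding the same three inputs gets the same list."""
    cal_hash = sha256_hex(canonical_json(calibration))
    envelopes = []
    for line in snapshot_ndjson.splitlines():
        if not line.strip():
            continue
        snap = json.loads(line)
        k_gate = snap["gamma"] - calibration["gamma_floor"][snap["zone"]]
        # Assumed gate rule: margin below the policy's intrusion margin => ActiveIntrusion.
        verdict = "ActiveIntrusion" if k_gate < policy["intrusion_margin"] else "Stable"
        envelopes.append(CyberSignalEnvelope(
            tick=snap["tick"], zone=snap["zone"], k_gate=k_gate, verdict=verdict,
            calibration_sha256=cal_hash, policy_version=policy["version"],
            schema_pin=SCHEMA_PIN, snapshot_sha256=sha256_hex(canonical_json(snap))))
    return envelopes


def verify(submitted: list, replayed: list) -> list:
    """Compare the operator's submitted envelopes with the CSIRT's replay.
    Returns a list of human-readable findings; an empty list means bit-for-bit
    agreement on hashes, versions and verdicts, and K_gate agreement within EPSILON."""
    findings = []
    sub = {(e.tick, e.zone): e for e in submitted}
    rep = {(e.tick, e.zone): e for e in replayed}
    for key in sorted(set(sub) ^ set(rep)):           # missing or extra envelopes
        findings.append(f"{key}: present in only one side")
    for key in sorted(set(sub) & set(rep)):
        s, r = sub[key], rep[key]
        for field in ("calibration_sha256", "policy_version", "schema_pin",
                      "snapshot_sha256", "verdict"):
            if getattr(s, field) != getattr(r, field):
                findings.append(f"{key}: {field} mismatch")
        if abs(s.k_gate - r.k_gate) > EPSILON:
            findings.append(f"{key}: k_gate differs by {abs(s.k_gate - r.k_gate):.3g}")
    return findings


def awareness_tick(envelopes: list):
    """First tick at which any zone's verdict is ActiveIntrusion: the structural
    trigger the article describes as starting the 24-hour early-warning clock."""
    hits = [e.tick for e in envelopes if e.verdict == "ActiveIntrusion"]
    return min(hits) if hits else None


# Constructed sample inputs (not real KAIROS artifacts): two zones over three ticks,
# with the dmz margin compressing until it crosses its floor at tick 3.
CALIBRATION = {"adapter": "cyber", "version": "cal-2026-05",
               "gamma_floor": {"dmz": 0.35, "core": 0.50}}
POLICY = {"version": "policy-7", "intrusion_margin": 0.0}
SNAPSHOT_NDJSON = "\n".join(json.dumps(r) for r in [
    {"tick": 1, "zone": "dmz", "gamma": 0.62}, {"tick": 1, "zone": "core", "gamma": 0.80},
    {"tick": 2, "zone": "dmz", "gamma": 0.48}, {"tick": 2, "zone": "core", "gamma": 0.72},
    {"tick": 3, "zone": "dmz", "gamma": 0.33}, {"tick": 3, "zone": "core", "gamma": 0.66},
])

if __name__ == "__main__":
    operator_envelopes = replay(CALIBRATION, POLICY, SNAPSHOT_NDJSON)  # what the operator filed
    csirt_envelopes = replay(CALIBRATION, POLICY, SNAPSHOT_NDJSON)     # the CSIRT's re-execution
    print("discrepancies:", verify(operator_envelopes, csirt_envelopes))
    print("awareness tick:", awareness_tick(csirt_envelopes))
```

On the sample data the two runs agree and the awareness tick is 3, the tick at which the dmz margin goes negative. A submission computed against a different calibration document fails on `calibration_sha256` even when the verdicts coincide, and an envelope whose K_gate or verdict was edited after the fact is reported per zone and tick, which is the form the article's "disagreement on inputs" takes in practice.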

The supervisory consequence is procedural. A CSIRT that doubts an operator’s narrative under the existing regime has to demand additional documentation, additional interviews, and additional forensic engagement. A CSIRT receiving a deterministic envelope corpus runs the replay and forms its own structural reading. The supervisory loop tightens by an order of magnitude.

Article 32 enforcement powers operate against a corpus of replayable artifacts. On-site inspections, security audits, requests for evidence, and designation of monitoring officers each acquire a numeric anchor.

What Essential Entities Preparing Now Should Include

The 30 June 2026 audit milestone is approximately seven weeks away. For essential entities building the NIS2 evidence package now, three additions raise the incident-handling evidence to measurement standard:

  • A deterministic envelope archive covering the audit window, hash-bound to the deployed calibration artifact and policy version at each tick.
  • A replay harness scoped to the regulator’s likely inquiry depth, with a documented procedure for re-executing a flagged incident window on demand.
  • An incident-reporting workflow that emits the calibration and policy version alongside the Article 23 prose notification, so the CSIRT can re-execute on request.

The archive is generated as a by-product of normal KAIROS operation. The harness is a packaging exercise. The workflow change is a single field added to the existing incident-reporting templates.

Limits Worth Stating

The deterministic envelope does not adjudicate whether an incident meets the Article 23 significance threshold. That determination remains a judgement call by the entity, against the criteria the CSIRT publishes for the sector. The envelope evidences the structural reading that informed the judgement. The threshold decision is procedural.

The envelope does not replace the supply-chain security obligations under Article 21’s fourth measure. Third-party dependencies remain a contractual and process discipline. The runtime measurement layer covers the systems the entity operates.

Article 23’s interim and final reporting timelines remain operational deadlines. The deterministic envelope reduces the disagreement on what happened. The procedural discipline of meeting the deadlines remains the operator’s responsibility.

What the envelope eliminates is interpretive drift on the structural facts of the incident. The CSIRT verifies the same gate verdicts the operator submitted. The supervisory question moves from “do the reviewers agree on the report” to “do the inputs justify the report the operator filed.”

Direct Next Steps

Read the foundational claim that grounds this article: Auditability as a Measurement.

Read the calibration debrief that backs the cyber adapter’s structural readings: Calibrating the Cybersecurity Adapter.

The next article in this series addresses the analogous evidence shift under DORA, the lex specialis regime for financial entities.
