Art. 23(4)(a) NIS 2 + §32 BSIG + §121 BGB

What 'without undue delay' really means on the NIS 2 24-hour clock

Art. 23(4)(a) NIS 2 has two timers, not one. Knowing the difference is the difference between defending a timely early warning and facing an avoidable §65 BSIG fine.

Simon OrzelSimon Orzel·

Why the wording matters

Art. 23(4)(a) NIS 2 says the early warning is due 'without undue delay and in any event within 24 hours' of becoming aware of a significant incident. Two timers, not one. The 24-hour figure is a hard cap; the operative duty is the first phrase.

In practice this means: a notification that arrives at hour 23 can still be late if the entity could reasonably have submitted it at hour 4. 'Reasonably' is what auditors test in retrospect.

First-time readers fixate on the 24-hour number and miss the legal structure. Understanding both clocks is the cheapest defence you can prepare in advance of an incident.

Where the structure lives
One operative article, one transposition, one recital.

Art. 23(4)(a) NIS 2

Where applicable, an early warning, which, without undue delay and in any event within 24 hours of becoming aware of the significant incident, shall indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.

Two timers explicitly named in the same sentence. 'Without undue delay' is the operative duty; '24 hours' is the outer limit. Awareness, not detection, is the trigger.

§32(1) Nr. 1 BSIG

Wesentliche und wichtige Einrichtungen melden dem Bundesamt erhebliche Sicherheitsvorfälle unverzüglich, spätestens innerhalb von 24 Stunden nach Kenntniserlangung als frühe Erstmeldung.

The German transposition uses 'unverzüglich' for 'without undue delay'. 'Unverzüglich' is a defined legal term in §121(1) BGB, namely 'ohne schuldhaftes Zögern', without culpable delay. That definition imports a full body of German case law into the NIS 2 reporting duty.

Recital 102 NIS 2 (background)

In order to determine the reporting obligations, the timeline of the notification and the format of the notification, the assessment of the impact of the incident should be considered.

Recital 102 is the interpretive hint: the notification timing is not divorced from the entity's reasonable assessment. You are not expected to file before you have the information; you are expected to file as soon as you reasonably could.

The two clocks, in plain language
Both start at the moment of awareness. Both must be respected. They are not alternatives.

Clock 1: without undue delay

The operative duty. The entity must notify as soon as it reasonably can after becoming aware. 'Reasonable' allows time to confirm the facts and escalate internally; it does not allow batching for convenience or waiting for the workday to start.

Clock 2: in any event within 24 hours

The hard cap. No matter what 'reasonable' meant in the case, the early warning cannot be later than 24 hours after awareness. Past that, the entity is in breach even with a perfect justification.

Trigger: awareness

Not technical detection. Awareness in legal terms is when the entity, acting reasonably, knew or should have known. A SIEM alert sitting unread in a queue may already count as awareness for the entity if a reasonably operating SOC would have read it.

What 'without undue delay' allows and does not allow
Three rules drawn from German case law on 'unverzüglich' and from ENISA TIG guidance.

Allowed: time to confirm

You do not have to file before you have meaningful information. A few hours to triage, confirm scope, and rule out false positives are reasonable. The directive does not penalise responsible verification.

Allowed: time to escalate

Internal escalation through the incident response chain, with the designated reporting officer signing off, is part of normal due process. A two-hour escalation in working hours is reasonable; a 20-hour wait for the CEO to land from holiday is not.

Not allowed: convenience batching

Waiting to combine multiple suspected incidents, waiting for office hours when the incident occurred at 22:00, waiting for a press strategy to coalesce. None of these are reasons that survive an audit. 'Unverzüglich' tolerates verification, not delay for the entity's own convenience.

Worked example: ransomware payload at 14:00
Walking through when each clock starts and what reasonable means in a concrete case.

14:00: SOC detects encryption activity on file server

Technical detection. Not yet legal awareness if the SOC is investigating. The entity is on notice but has not formed a view that an incident is significant.

15:30: incident confirmed as ransomware, scope partially clear

Awareness arises now at the latest. Both clocks start. The 24-hour outer limit ends 15:30 next day. The 'without undue delay' duty engages immediately.

16:45: early warning sent

75 minutes after confirmation. Defensible 'without undue delay' if the entity used the time to verify and to escalate internally to the designated reporting officer. Notification includes the two mandatory Art. 23(4)(a) content items: suspected malicious cause and cross-border impact assessment.

What auditors look for in your timeline log

When the BSI or a national competent authority audits an incident retrospectively, the document of interest is the entity's own timeline log. Three columns are expected: time of event, what was known at that point, what action was taken.

The audit asks one question: at each point in the timeline, was the next step reasonable given what was known. A clean log with conservative actions defends the notification timing. A sparse log invites the auditor to assume the worst.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Art. 23(4)(a), Recital 102, www.eur-lex.europa.eu
  • Act on the Federal Office for Information Security (BSIG), §32, www.gesetze-im-internet.de
  • Bürgerliches Gesetzbuch (BGB), §121(1): definition of 'unverzüglich'
  • ENISA Technical Implementation Guidance v1.0 (June 2025), §5 on incident timeline documentation

This page provides structured guidance based on publicly available sources (NIS 2 Directive, BSIG, BGB, ENISA TIG). It does not constitute legal advice within the meaning of §2 RDG. Whether a specific delay is 'undue' in a particular case is a legal question for an admitted lawyer. As at 2026-06-04.

Practise the timeline before an incident
The platform's incident module records timeline events with timestamps and decision sign-offs, so the audit log writes itself.