The three clocks that now run concurrently.
Three statutory or supervisory notification obligations have a seventy-two hour element. They are sometimes confused as one. They are not.
UK GDPR Article 33. Personal data breach notification to the Information Commissioner's Office. "Where feasible, not later than seventy-two hours after having become aware of it."
DORA Article 19. Major ICT-related incident notification by financial entities to the competent authority, with an initial notification within hours and an intermediate report within seventy-two hours of incident classification.
NIS 2 Article 23. Significant incident notification to the CSIRT or competent authority by essential and important entities, with early warning within twenty-four hours, incident notification within seventy-two hours, and a final report within one month.
A UK firm that processes personal data, is in financial services, and falls within NIS 2 scope (via an EU subsidiary or supply-chain exposure) is on all three clocks at once. The clocks do not interact. Each runs on its own facts.
When each clock starts.
The starting trigger is different for each. Misreading the trigger is the most common mistake at the start of an incident.
Article 33 (UK GDPR) starts when the controller becomes aware of a personal data breach. "Aware" in EDPB guidance, which the ICO follows, means having a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. Awareness is a factual question, not a legal one, and it can be earlier than the firm would prefer.
DORA Article 19 starts when the firm classifies the incident as major. Classification is against the RTS criteria: clients affected, data losses, geographical spread, economic impact, reputational impact, duration and service downtime, criticality of services. The clock does not start at detection. It starts at classification, which can be later, but firms cannot indefinitely delay classification.
NIS 2 Article 23 starts when the firm becomes aware of a significant incident. "Significant" is defined in the directive: capable of causing severe operational disruption or financial loss, or capable of affecting natural or legal persons through considerable material or non-material damage. Awareness has the same factual character as Article 33.
Where the three clocks pull in different directions.
The three obligations look similar on the page. In practice, in the first hours of an incident, they pull the response team in three different directions.
Article 33 is satisfied by a narrative report describing the breach and the data affected. Internal counsel will want the report tight and factual to avoid creating admissions before the investigation is complete. The ICO accepts initial reports that are partial and updated as facts emerge.
DORA Article 19 requires structured reporting against the RTS template, with specific data fields the firm must populate. The template forces commitments to numbers (impact, duration, clients affected) before those numbers are fully known. Internal counsel will resist. The regulation does not permit the resistance.
NIS 2 Article 23 sits between the two. It expects an early warning at twenty-four hours that is short and qualitative, followed by a notification at seventy-two hours that is more structured. The format expectations vary by Member State CSIRT and by sector competent authority.
The conflict point is clear. Article 33 favours tight narrative. DORA Article 19 forces structured numbers. NIS 2 Article 23 expects both, sequentially. The drafting team is asked to write three different reports about one incident inside seventy-two hours, while the incident is still live.
Three different reports about one incident, inside seventy-two hours, while the incident is still live. This is not a paperwork exercise.
The drafting move that satisfies all three.
The reconciling move is to write one master incident narrative, then derive the three notifications from it. The master narrative is structured to surface every fact each of the three regulations needs, in a fixed order, so the derivations are mechanical.
The master narrative has eight sections: (1) detection facts (time, source, signal); (2) initial classification (data subjects affected, services affected, criticality); (3) containment actions taken; (4) investigation findings to date, with confidence level on each; (5) affected populations: individuals, clients, regulators, other; (6) notification decisions taken and rationale; (7) open questions and next update time; (8) owner and version.
Each notification draws from the master. The Article 33 notification draws from sections one, two, four and five. The DORA Article 19 notification draws from sections one, two, three and six. The NIS 2 early warning draws from sections one and two. The NIS 2 notification draws from sections one to six. Each is signed off by internal counsel against the master, not against the regulation, which keeps counsel comfortable that the firm is consistent across the three submissions.
The master is updated every four hours during the incident and every twenty-four hours for the first week after closure. Versions are retained. The audit trail satisfies the supervisory dialogue that follows almost every notified incident.
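A sketch of the drafting move as tooling, added here as an example and not taken from any regulator's template or the author's own process: it computes each clock's deadline from its own trigger and pulls the master sections each notification draws on, refusing to derive from an empty section. The section keys, function names and sample timestamps are assumptions made for illustration. It covers only the twenty-four and seventy-two hour figures stated above.

```python
from datetime import datetime, timedelta, timezone

# The eight master-narrative sections, in the article's order (1-indexed).
SECTIONS = ["detection_facts", "initial_classification", "containment_actions",
            "investigation_findings", "affected_populations",
            "notification_decisions", "open_questions", "owner_and_version"]

# Which master sections feed each notification, as stated in the article.
DERIVATIONS = {
    "uk_gdpr_art33": [1, 2, 4, 5],
    "dora_art19": [1, 2, 3, 6],
    "nis2_early_warning": [1, 2],
    "nis2_notification": [1, 2, 3, 4, 5, 6],
}

def deadlines(art33_aware, dora_classified, nis2_aware):
    """Each clock runs from its own trigger; None means it has not started."""
    after = lambda t, hours: t + timedelta(hours=hours) if t else None
    return {
        "uk_gdpr_art33": after(art33_aware, 72),
        "dora_art19_intermediate": after(dora_classified, 72),
        "nis2_early_warning": after(nis2_aware, 24),
        "nis2_notification": after(nis2_aware, 72),
    }

def derive(master, notification):
    """Return the sections a notification draws from; fail on an empty one."""
    out = {}
    for n in DERIVATIONS[notification]:
        name = SECTIONS[n - 1]
        text = master.get(name, "").strip()
        if not text:
            raise ValueError(f"{notification}: master section {n} ({name}) is empty")
        out[name] = text
    return out

# Constructed sample incident: timestamps and text are illustrative only.
UTC = timezone.utc
SAMPLE_TRIGGERS = dict(
    art33_aware=datetime(2025, 3, 3, 9, 0, tzinfo=UTC),
    dora_classified=datetime(2025, 3, 3, 14, 30, tzinfo=UTC),
    nis2_aware=datetime(2025, 3, 3, 9, 0, tzinfo=UTC),
)
SAMPLE_MASTER = {name: f"v1 draft of {name}" for name in SECTIONS[:2]}

if __name__ == "__main__":
    for name, due in sorted(deadlines(**SAMPLE_TRIGGERS).items(), key=lambda kv: kv[1]):
        print(f"{due:%Y-%m-%d %H:%M} UTC  {name}")
    print(list(derive(SAMPLE_MASTER, "nis2_early_warning")))
```

With only sections one and two drafted, the NIS 2 early warning derives cleanly while the DORA derivation fails on section three, which is the gap the drafting team needs to see before sign-off.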
Seventy-two hours sounds generous when read in a policy document. It is short when read against the clock. The firms that handle the period well have rehearsed the drafting move before the incident. The firms that handle it poorly are reading the regulation for the first time at hour one.