Documentation
NIS2Shield
Automated NIS2 Article 23 incident reporting for Jira Cloud
1. Overview
NIS2Shield is an Atlassian Forge app that automates NIS2 Directive Article 23 incident reporting inside Jira Cloud. It helps EU organisations comply with mandatory cybersecurity incident notification requirements by providing:
- Structured incident reporting with all NIS2-required classification fields
- Automated deadline tracking for the 24-hour, 72-hour, and 30-day reporting cascade
- Pre-formatted CSIRT templates for Early Warning, Incident Notification, and Final Report submissions
- Automated escalation via Jira issue comments when deadlines approach or pass
- Full audit trail for compliance evidence and regulatory audits
2. Getting Started
Installation
- Install NIS2Shield from the Atlassian Marketplace
- A Jira administrator must grant the required permissions during installation
- Once installed, NIS2Shield appears as a global page in your Jira navigation (Apps → NIS2Shield)
- An issue panel is also added to all Jira issues for linking incidents
Initial Configuration
Before reporting your first incident, configure your organisation settings:
- Open NIS2Shield from the Jira navigation menu
- Click Settings in the top-right corner
- Enter your organisation name (used in CSIRT templates)
- Select your primary sector from the 18 NIS2 sectors
- Choose your national CSIRT authority
- Add a contact email for CSIRT communications
- Configure notification thresholds (default: 75%, 90%, and 100% of deadline)
3. Incident Command Center
The dashboard provides a real-time overview of all NIS2 incidents across your organisation:
- Summary cards — Total incidents, overdue count, critical/high count, and resolved count
- Incident list — Each incident shows title, status, sector, severity badge, current reporting phase, and countdown timer
- Colour-coded timers — Green (on track), amber (approaching deadline), red (overdue)
Click any incident to open its detail view with full reporting timeline, incident information, and audit trail.
4. Reporting an Incident
Click + Report Incident from the dashboard to create a new NIS2 incident. Required fields:
| Field | Description |
|---|---|
| Incident Title | Brief description of the incident |
| Description | Detailed account of what occurred |
| Severity | Critical, High, Medium, or Low |
| Classification | Significant or non-significant incident per NIS2 criteria |
| Sector | One of 18 NIS2 critical sectors (energy, health, transport, digital infrastructure, etc.) |
| Affected Services | Systems, platforms, or services impacted |
| Users Affected | Estimated number and type of affected users |
| Geographic Scope | Local, national, EU single state, or EU multi-state |
| Cross-Border Impact | Whether the incident affects other EU member states |
| Suspected Malicious | Whether the incident is suspected to be of unlawful or malicious origin |
Once submitted, NIS2Shield automatically starts the Article 23 reporting cascade with deadline timers.
5. Deadline Tracking & Escalation
NIS2 Article 23 requires a three-phase notification cascade to your national CSIRT:
| Phase | Deadline | Article | Purpose |
|---|---|---|---|
| Early Warning | 24 hours | 23(4)(a) | Notify CSIRT of the incident; indicate if suspected malicious and/or cross-border |
| Incident Notification | 72 hours | 23(4)(b) | Submit severity assessment, impact analysis, and indicators of compromise |
| Final Report | 30 days | 23(4)(d) | Detailed root cause analysis, mitigation measures taken, and cross-border impact assessment |
Automated Escalation
NIS2Shield runs an hourly deadline checker that monitors all active incidents. When a deadline threshold is reached, the app:
- Posts a WARNING, URGENT, or OVERDUE comment on the linked Jira issue
- Includes the phase name, severity, deadline timestamp, and a link to the NIS2Shield dashboard
Escalation thresholds are configurable in Settings (default: 75%, 90%, 100%).
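One way the hourly check described above can be implemented, as an added example rather than NIS2Shield's own code. It assumes all three windows are counted from the moment of awareness, and the `awareAt`, `submitted` and `alerted` fields on the incident record are hypothetical names.

```javascript
// Added example: field and function names are assumptions, not NIS2Shield's code.
const HOUR_MS = 60 * 60 * 1000;

// Phase windows from the table above, counted from the moment of awareness (assumption).
const PHASES = [
  { name: 'Early Warning', article: '23(4)(a)', windowMs: 24 * HOUR_MS },
  { name: 'Incident Notification', article: '23(4)(b)', windowMs: 72 * HOUR_MS },
  { name: 'Final Report', article: '23(4)(d)', windowMs: 30 * 24 * HOUR_MS },
];

// Default thresholds from Settings, as percent of the window elapsed.
const DEFAULT_THRESHOLDS = { WARNING: 75, URGENT: 90, OVERDUE: 100 };
const RANK = { WARNING: 1, URGENT: 2, OVERDUE: 3 };

// Reject misordered settings, which would silently suppress a level.
function validateThresholds(t) {
  const ok = [t.WARNING, t.URGENT, t.OVERDUE].every(Number.isFinite)
    && 0 < t.WARNING && t.WARNING < t.URGENT && t.URGENT < t.OVERDUE && t.OVERDUE <= 100;
  if (!ok) throw new RangeError('need 0 < WARNING < URGENT < OVERDUE <= 100');
}

// Highest level whose threshold has been crossed, or null if none.
function levelFor(elapsedPct, t) {
  if (elapsedPct >= t.OVERDUE) return 'OVERDUE';
  if (elapsedPct >= t.URGENT) return 'URGENT';
  if (elapsedPct >= t.WARNING) return 'WARNING';
  return null;
}

// One checker pass over one incident. Returns the alerts to post and records
// them on incident.alerted so that later hourly runs do not repeat a level.
function checkIncident(incident, nowMs, thresholds = DEFAULT_THRESHOLDS) {
  validateThresholds(thresholds);
  const awareMs = Date.parse(incident.awareAt);
  if (Number.isNaN(awareMs)) throw new TypeError('awareAt must be an ISO 8601 timestamp');
  const alerts = [];
  for (const phase of PHASES) {
    if (incident.submitted.includes(phase.name)) continue; // already sent to the CSIRT
    const elapsedPct = ((nowMs - awareMs) / phase.windowMs) * 100;
    const level = levelFor(elapsedPct, thresholds);
    const prev = incident.alerted[phase.name] || null;
    if (level && (!prev || RANK[level] > RANK[prev])) {
      incident.alerted[phase.name] = level; // a skipped run jumps straight to the top level
      alerts.push({ phase: phase.name, article: phase.article, level,
        deadline: new Date(awareMs + phase.windowMs).toISOString() });
    }
  }
  return alerts;
}
```

Persisting `alerted` with the incident is what keeps an hourly schedule from posting the same comment 24 times a day.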
6. CSIRT Notification Templates
NIS2Shield generates pre-formatted notification templates for each reporting phase. From any incident detail view:
- Click Generate CSIRT Templates
- Select the template type (Early Warning, Incident Notification, or Final Report)
- The template is auto-populated with your incident data and organisation details
- Use Copy to Clipboard or Download .txt to export
Templates follow the structure recommended by ENISA and include:
- Reporting entity and national CSIRT identification
- Incident summary with classification and severity
- Initial assessment (malicious cause, cross-border impact)
- Impact scope (affected services, estimated users, geographic scope)
- Next steps and contact information
7. Jira Issue Integration
NIS2Shield integrates directly into your Jira workflow through two touchpoints:
Issue Panel
Every Jira issue displays an NIS2 Incident panel in the sidebar. From here you can:
- Link an existing NIS2 incident to the Jira issue
- View the linked incident's severity, current phase, and countdown timer
- See key details: sector, cross-border impact, malicious indicator
- Navigate directly to the full incident view in the dashboard
Automated Comments
When a deadline threshold is reached, NIS2Shield posts a comment directly on the linked Jira issue with the alert level (WARNING, URGENT, or OVERDUE), phase details, and a link to take action in the dashboard. This ensures your incident response team is notified within their existing Jira workflow.
8. Settings & Configuration
Access settings from the dashboard by clicking the Settings button. Configuration is divided into three sections:
Organisation
- Organisation Name — Used in CSIRT notification templates
- Primary Sector — Your NIS2 sector classification (determines which CSIRT to notify)
CSIRT & Contacts
- National CSIRT — Your designated national Computer Security Incident Response Team
- Contact Email — Primary contact for CSIRT communications
Deadline Notifications
- Warning Threshold — First alert when this percentage of the deadline has elapsed (default: 75%)
- Urgent Threshold — Escalated alert at this percentage (default: 90%)
- Overdue Threshold — Final alert when the deadline has passed (100%)
9. Audit Trail
Every incident maintains a complete audit trail for compliance evidence. Tracked events include:
- Incident created — With creation timestamp and creator
- Phase submitted — When a reporting phase is marked as submitted to CSIRT
- Incident updated — Any field changes with before/after values
- Issue linked — When a Jira issue is linked to the incident
- Escalation sent — When automated deadline notifications are posted
- Incident resolved — When the incident is marked as closed
The audit trail is visible in the incident detail view and provides the timestamped evidence trail required for NIS2 compliance audits.
10. NIS2 Article 23 Reference
NIS2Shield implements the reporting obligations defined in Article 23 of Directive (EU) 2022/2555 (the NIS2 Directive). Key provisions:
- Article 23(1) — Entities must notify their CSIRT of any significant incident without undue delay
- Article 23(3) — Defines what constitutes a "significant" incident (significant impact on service provision)
- Article 23(4)(a) — Early Warning within 24 hours of becoming aware of the incident
- Article 23(4)(b) — Incident Notification within 72 hours with severity assessment and indicators of compromise
- Article 23(4)(d) — Final Report within one month with root cause analysis and mitigation measures
Penalties for non-compliance: Up to €10,000,000 or 2% of global annual turnover, whichever is higher. Member states may also impose personal liability on senior management.
NIS2Shield does not provide legal advice. Users are responsible for verifying compliance with their specific national transposition of the NIS2 Directive.
11. FAQ
Does NIS2Shield send notifications directly to my CSIRT?
No. NIS2Shield generates pre-formatted templates that you review and submit to your CSIRT through their designated submission channel. Each EU member state's CSIRT has different submission methods (email, web portal, etc.), so we provide the content rather than automating the delivery.
Where is my data stored?
All data is stored exclusively within Atlassian Forge Storage, scoped to your Jira Cloud instance. No data is transmitted to external servers. IronClad Forge does not have access to your incident data.
Which NIS2 sectors are supported?
All 18 sectors defined in NIS2 Annexes I and II: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, space, postal and courier services, waste management, manufacturing, chemicals, food production and distribution, digital providers, and research.
Does NIS2Shield work with Jira Service Management?
Yes. NIS2Shield is compatible with both Jira Software and Jira Service Management. The issue panel and automated comments work with any Jira issue type.
Can I use NIS2Shield for DORA incident reporting?
NIS2Shield is designed specifically for NIS2 Article 23 obligations. For DORA (Digital Operational Resilience Act) incident reporting, see DORAShield, our dedicated Forge app for financial sector ICT incident reporting under DORA Article 19.
What permissions does NIS2Shield require?
NIS2Shield requires: storage:app (to store incident data), read:jira-work and write:jira-work (to read issue data and post escalation comments), and read:jira-user (to attribute audit trail entries).
12. Support
Need help? Reach out through any of these channels:
- Email: support@ironclad-forge.com
- Atlassian Community: Ask questions or browse answers on the NIS2Shield community page
- Response time: We aim to respond to all support requests within 24 hours on business days