Mandatory incident reporting refers to the legal obligation to notify relevant authorities of certain security incidents within defined timeframes. Under the GDPR, personal data breaches must be reported within 72 hours of becoming aware of the incident (Art. 33 GDPR). NIS2 introduces tiered deadlines: an early warning within 24 hours and a full report within 72 hours. Your incident response process should include clear escalation paths so that responsible individuals can meet these deadlines reliably. Make sure to also document the notification itself, as this serves as evidence of compliance during regulatory reviews.