72 hours to the supervisory authority.
From the moment of awareness. The notification describes the breach, the affected categories, the consequences and the measures already taken or planned.
SERVICE PRACTICE · INCIDENT RESPONSE
Incident response and breach reporting.
We run breach triage, regulator filings, forensics coordination and board comms when the incident hits. 24/7 retainer for organisations that cannot afford to learn the playbook on the day of the call.
RESPONSE.DESK · LAST 12 MONTHS● LIVE
Incidents triaged118
Regulator notifications filed63
Ransomware engagements22
Median time to triage call42 min
Post-incident reviews delivered47
Tabletop exercises run31
TRUSTED BY 300+ EU ORGANISATIONS
ROCHESIEMENSIKEAASTRAZENECAVODAFONEPHILIPSJUST EAT
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
§ 01 / PRIMER
Notification timelines.
24h warning, 72h update, 30d final report.
Early warning, incident notification and final report. The supervisor expects intermediate updates whenever the situation materially changes.
Notify affected individuals without undue delay.
Where the breach is likely to result in a high risk to rights and freedoms of individuals. Direct, clear language. Not a marketing email.
REGULATORY FINES
Up to €20M or 4% of turnover
GDPR Article 83 maximums apply to breach notification failures and inadequate technical and organisational measures.
NIS2 PENALTIES
Up to €10M or 2% of turnover
Plus management board members named personally where breaches of duty are established under the implementing law.
§ 02 / THE CLOCK
Response timeline.
TIMER. WHO IS WAITING
T+0hInternal triageConfirm the incident, isolate scope, freeze evidence, open the incident log. Call the on-call team.
T+24hNIS2 early warningInitial notification to the national CSIRT and the competent authority where applicable. Brief facts only.
T+72hGDPR Article 33 filingNotification to the supervisory authority with current facts, scope, consequences and mitigation.
T+30dNIS2 final reportDetailed description, severity, impact, root cause, cross-border effects and mitigation taken.
TIMER. WHO IS WAITING
T+0hCrisis team activationLegal, IT, communications, exec sponsor, third-party forensics, breach counsel, insurer.
T+12hBoard / management noticeFirst written brief to the board or management. Decision points with summarised facts.
T+48hCustomer / staff communicationsDrafted, legally reviewed, channel-matched. Customer service trained, FAQ ready.
T+90dPost-incident reviewRoot cause, control gaps, lessons learned, regulator commitments, tracker for remediations.
§ 03 / ENGAGEMENT MODELS
Engagement models.
MODEL ARETAINER
24/7 response retainer
Guaranteed pickup, named incident lead, annual tabletop, runbook on file, regulator templates ready.
- →Named incident lead and deputy
- →Annual tabletop exercise
- →Pre-drafted regulator templates
- →Quarterly playbook review
MODEL BACTIVE
Breach response squad
Fixed-fee deployment on an active incident: triage, regulator filings, forensics liaison, comms, post-mortem.
- →Senior incident lead on the call
- →GDPR / NIS2 / DORA notifications
- →Forensics and counsel coordination
- →Board, customer and staff communications
MODEL CREVIEW
Post-incident review
Independent post-mortem after an incident has closed. Root cause, gap analysis, remediation tracker, board paper.
- →Root-cause analysis
- →Control gap inventory
- →Remediation roadmap with owners
- →Board paper and regulator follow-up
§ 04 / SCOPE
Scope of work.
01 / 04
Triage & containment
- Scoping the incident across systems
- Evidence preservation and chain of custody
- Containment decisions, isolate vs observe
- Internal incident log and timeline
02 / 04
Regulator notifications
- GDPR Article 33 and 34 filings
- NIS2 early warning, notification and final report
- DORA major incident reporting
- Sector-specific filings (HNB, HANFA, BaFin, ENISA)
03 / 04
Forensics & legal
- Forensics vendor selection and oversight
- Counsel coordination on privileged work
- Insurance carrier engagement
- Law enforcement liaison where required
04 / 04
Communications
- Board and management briefings
- Customer and data subject notifications
- Employee communications and FAQs
- Media holding statements and Q&A
§ 05 / IN PRACTICEBrief us now30 MIN
Pre-built response framework.
Retainer clients have the runbook, regulator templates, evidence-preservation checklist and comms tree on file. Day one of an incident is execution against a pre-built framework.
Median time to triage call
42 min
Regulator filings inside 72h
100%
Tabletop frequency for retainer clients
Annual
Post-incident review delivery
30 days
RETAILER · INCIDENT CHRONOLOGYQ1 2026
Awareness to triage call38 min
Containment confirmedT+4h
GDPR filingT+47h
Customer noticeT+52h
Final report to AZOPT+28d
Vision Compliance · response desk
§ 06 / SELECTED WORK
See all case studies →Recent engagements.
IR-31RETAIL
Ransomware contained inside 8 hours; regulator filed at 47.
38 min
TRIAGE
T+47h
FILING
0
DATA LOSS
SCOPETriage, forensics, GDPR filing, customer comms, board paper
IR-27HEALTHCARE
Phishing-driven exfiltration closed without media spread.
2,400
AFFECTED
T+60h
FILING
Contained
MEDIA
SCOPEGDPR Art. 34 notification, AZOP liaison, board briefing
IR-22TELCO
NIS2 incident: 24h early warning, 30d final report.
T+19h
WARNING
T+29d
FINAL
Closed
REGULATOR
SCOPENIS2 reporting cycle, CERT liaison, post-mortem
§ 07 / LANDSCAPE
Response landscape.
11,876
GDPR breach notifications across the EU in 2024
62%
of regulator filings exceed the 72h window
€1.2M
average cost of a breach in EU mid-market
24h
NIS2 early-warning duty starts
TREND 01
Regulators publish faster
AZOP, BaFin and Italy's Garante publish breach decisions within months. The window for a quiet resolution is closing.
TREND 02
Three regulators on one incident
A single incident may trigger GDPR, NIS2 and DORA filings in parallel. The notifications must be consistent.
TREND 03
Boards are now in the chain
NIS2 places the management body in the line of duty. Board-level evidence of decisions has become part of the regulator file.
§ 08 / FAQ
Common questions.
01Can you respond if we do not have a retainer with you?+
Yes. We accept active incident engagements without a prior retainer when capacity allows. The model is a fixed-fee breach-response squad with a senior incident lead on the call within 60 minutes. Retainer clients have guaranteed pickup and a runbook on file, which is the operational difference.
02How do you work with our existing forensics or legal counsel?+
We coordinate with your existing partners. Most incidents already have a forensics vendor (Mandiant, NCC, Group-IB or similar) and external counsel. We run the regulator clock, the comms and the board interface; the forensics and privilege work stays with your chosen firms.
03Do you handle the regulator filings yourselves?+
We draft, you sign. The GDPR Article 33 filing, NIS2 notifications and DORA major incident reports are drafted in your name and submitted under your authority. We keep the audit trail of versions and approvals so the file holds up later.
04Can you run tabletops before something happens?+
Yes. Tabletops are how a retainer pays for itself. We run scenario-based exercises with the crisis team, board observer and counsel, plus a written readiness report and remediation tracker.
05What if we are not sure it is a breach yet?+
Call early. Triage is faster than the regulator clock. We help you confirm whether it is a notifiable incident before the 72-hour window starts running, and we document the assessment either way.
06Are your communications HR-mother-tongue capable for Croatia and Germany?+
Yes. We draft AZOP filings and Croatian customer communications in native Croatian; BSI / BaFin filings and German communications in native German. No machine translation on regulator-facing documents.
§ 09 / RESOURCES
Runbooks and templates.
TEMPLATE8 PAGES
GDPR Article 33 notification draft
Pre-built notification template aligned with AZOP, BaFin, the CNIL and the Italian Garante forms.
Open ↓PDF / TEMPLATE
RUNBOOK14 PAGES
First-hour incident runbook
Roles, decisions, evidence checklist and escalation tree for the first 60 minutes of a confirmed incident.
Open ↓PDF / TEMPLATE
GUIDE22 PAGES
Tabletop exercise pack
Three scenarios, facilitator notes, observation grid and readiness report template.
Open ↓PDF / TEMPLATE
§ 10 / RELATED
Related practices.
Cybersecurity & DORA
ICT risk management, ISMS, vulnerability programmes and the controls that prevent the next incident.
Open practice →Data Protection (DPO)
Records of processing, DPIAs, data subject rights, the documentation a regulator opens after a breach.
Open practice →NIS2 Compliance
Scoping, governance, reporting obligations and supervisory readiness for essential and important entities.
Open practice →11 / GET STARTED
Active incident? Get in touch.
Retainer clients have the on-call number. For new requests, the urgent form opens the response line within 30 minutes.