When a data breach or cyberattack hits, every minute costs money and reputation. GDPR requires notification within 72 hours; NIS2 demands an early warning within 24 hours. Your team needs to know exactly what to do — before an incident happens. We deliver hands-on training with tabletop exercises, crisis simulations, and breach notification drills that prepare your people for real-world scenarios.
How to recognize indicators of compromise, classify incidents by severity, and initiate the response process within critical first minutes.
Incident categorization frameworks, escalation matrices, decision trees for involving management, legal, and external parties.
The 72-hour notification process step-by-step: assessing risk to individuals, documenting the breach, notifying the DPA, and communicating with affected data subjects.
The three-stage NIS2 reporting timeline: 24-hour early warning, 72-hour incident notification, and one-month final report to the national CSIRT.
Digital forensics basics: preserving logs, securing affected systems, chain of custody, and working with external forensic investigators.
Internal and external communication during a crisis: stakeholder messaging, media handling, customer notifications, and reputation management.
Realistic scenario-based exercises: ransomware attack, data exfiltration, insider threat, and supply chain compromise — practiced in a safe environment.
Effective incident response requires coordinated action across departments. Everyone in the response chain needs to know their role before a crisis hits.
Technical detection, containment, eradication, and recovery procedures for cybersecurity incidents.
First responders who triage alerts, coordinate response activities, and manage the incident lifecycle.
Decision-making during crises: resource allocation, regulatory notification decisions, and strategic communication.
Regulatory notification obligations, liability assessment, evidence preservation requirements, and regulator engagement.
Crisis communication plans, media statements, customer notifications, and reputation management strategies.
GDPR breach assessment, risk-to-rights evaluation, DPA notification, and data subject communication.
Multiple EU regulations mandate documented incident response capabilities and regular testing through exercises and drills.
Free 30-minute consultation — assess your team's readiness, plan tabletop exercises, get a proposal
A tabletop exercise is a facilitated discussion-based simulation where team members walk through a realistic incident scenario step-by-step. Participants practice decision-making, communication, and coordination without the pressure of a live event. Scenarios typically include ransomware attacks, data breaches, supply chain compromises, and insider threats. These exercises expose gaps in procedures and build team confidence for real incidents.
Best practice is at least one tabletop exercise per quarter for the core response team, annual full-scale exercises involving all stakeholders, and refresher training after every real incident. NIS2 and DORA both emphasize regular testing of incident response capabilities. Organizations in critical sectors should conduct exercises more frequently.
At minimum: IT security, incident handlers, management representatives, legal/compliance, DPO, and communications. Effective response requires cross-functional coordination — an exercise limited to IT alone misses critical notification, decision-making, and communication steps that determine the outcome of real incidents.
After each exercise, document: scenario description, participant list, timeline of decisions and actions, gaps identified, lessons learned, and improvement actions with owners and deadlines. This documentation serves as evidence for regulatory audits and demonstrates continuous improvement of your incident response capability.
Upon detecting a potential breach: (1) assess whether personal data is affected, (2) document the breach in your internal register, (3) evaluate the risk to data subjects, (4) if a risk exists, notify the supervisory authority within 72 hours using its standard form, (5) if the risk is high, notify the affected individuals. The 72-hour clock starts when you become 'aware' of the breach — which is why detection speed matters.
GDPR focuses on personal data breaches and notification to the data protection authority (AZOP). NIS2 covers all significant cybersecurity incidents (not just data breaches) and requires reporting to the national CSIRT (CERT.hr). NIS2 has a faster initial deadline (24h early warning vs GDPR's 72h). A single incident may trigger both obligations simultaneously if it involves personal data and significant service disruption.
A rehearsed team responds in minutes. An unprepared team scrambles for days. Start with a tabletop exercise to test your current readiness and identify gaps.