GDPR requires breach notification to the DPA within 72 hours. NIS2 requires early warning to CERT within 24 hours. We prepare procedures, report templates, and coordinate with regulators — so you're ready when an incident occurs.

Preparation of breach notifications for the DPA and affected individuals, severity assessment, and DPO coordination.
Early warning to national CERT, 72-hour detailed notification, and final report within one month.
Complete plan: detection procedures, escalation paths, communication protocols, and recovery steps tailored to your organization.
Crisis team management, coordination with internal IT, the DPA, CERT, and external advisors during live incidents.
Templates for DPA notifications, CERT reports, internal incident logs, affected individual communications, and final reports.
Root cause analysis, lessons learned, improvement recommendations, and corrective measures to reduce future risk.
Organizations without incident preparation face severe consequences when breaches occur:
Unreported data breaches: fines up to €10M or 2% of global annual turnover, whichever is higher (Art. 83(4)). DPAs can also penalize late or incomplete notifications.
Under NIS2, management bodies must approve and oversee cybersecurity risk-management measures and can be held liable for infringements (Art. 20); for essential entities, authorities may also temporarily bar individuals from managerial functions. Fines on the entity reach €10M or 2% of global turnover for essential entities (Art. 34).
A cyber incident without a recovery plan can halt operations for days. Average downtime cost for large enterprises exceeds €9,000 per minute.
Delayed or poorly coordinated incident response erodes trust. Where a breach is likely to result in a high risk to individuals, GDPR also obliges you to inform them directly (Art. 34), which amplifies reputational damage.
GDPR and NIS2 prescribe different deadlines and procedures for different types of incidents. These are the key obligations.
We analyze your current procedures, identify gaps against GDPR, NIS2, and DORA requirements. We map critical systems, data flows, and communication channels.
We develop a complete plan: detection and classification procedures, escalation paths, communication templates for DPA and CERT, crisis team roles and responsibilities.
We prepare templates for DPA breach notifications (Art. 33), CERT early warnings, internal incident logs, affected individual communications, and final reports.
We conduct tabletop exercises simulating real scenarios — ransomware attacks, personal data breaches, DDoS incidents. We test team response and reporting timelines.

A security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. Examples: ransomware attack, lost device with data, email sent to wrong recipient, unauthorized database access.
No. GDPR requires notification to the DPA only if the breach is likely to result in a risk to individuals' rights and freedoms. However, all breaches must be documented internally — including facts, effects, and measures taken. The DPA can request access to your breach register.
GDPR allows phased notification if all information isn't available within 72 hours. The key is to report the incident on time with available information and supplement later. Delays must be justified and documented — the DPA can impose fines for unjustified delays.
At minimum: DPO or CISO, IT/security lead, legal counsel, communications lead, and the business owner of the affected system. For larger organizations, we recommend external specialists as well. Roles and responsibilities must be defined in advance.
A document that defines procedures for detecting, classifying, escalating, responding to, and recovering from security incidents. It includes crisis team contacts, communication templates for the DPA and CERT, procedures for different incident types, and reporting timelines.
GDPR covers personal data breaches with a 72-hour deadline to the DPA. NIS2 covers significant cyber incidents with a 24-hour early warning to CERT. One incident can trigger both obligations — e.g., ransomware that affects personal data requires both DPA and CERT notification.
Yes. GDPR applies to all organizations processing personal data, regardless of size. Breaches happen to small businesses too — lost laptops, hacked email accounts, ransomware. The plan doesn't need to be complex, but it must exist before an incident occurs.
Beyond GDPR fines (up to €10M or 2% of turnover for notification failures, up to €20M or 4% for the most serious infringements), costs include: forensic investigation, individual notifications, legal expenses, customer churn, and reputational damage. According to IBM's Cost of a Data Breach Report, the average global cost of a data breach in 2024 is $4.88M.
A tabletop exercise simulates a real incident with your crisis team around a table. We prepare a scenario relevant to your industry, guide the exercise through detection, escalation, and response phases, and document findings and improvement recommendations. We recommend at least one exercise per year.
DORA requires financial institutions to report significant ICT incidents in stages to their financial regulator: initial notification, intermediate report with updated information, and final report with root cause analysis. Incident classification is based on impact, duration, and scope criteria.
Free initial meeting to assess your incident readiness. When an incident occurs, there's no time to plan — prepare in advance.