
Incident Management

From detection to regulatory report. Every deadline tracked.

Structured incident lifecycle from detection through classification, response, and regulatory reporting. Automated deadline calculation for NIS2 (24h/72h/1 month), DORA (initial/intermediate/final), and GDPR (72h DPA notification). Pre-built report templates for CSIRT, ESA, and DPA submissions.

Key Capabilities

What you get

Incident Classification Taxonomy

Structured classification framework aligned to NIS2 Annex and DORA Article 18 criteria. Classify incidents by type (ransomware, data breach, DDoS, insider threat), severity (critical, high, medium, low), and regulatory significance (reportable/non-reportable) with guided decision trees that determine reporting obligations automatically.

Automated Regulatory Deadline Tracking

The moment an incident is classified as reportable, FortisEU calculates all applicable regulatory deadlines. NIS2 requires early warning within 24 hours and incident notification within 72 hours (Article 23). DORA requires initial notification within 4 hours of classification (Article 19). GDPR requires DPA notification within 72 hours (Article 33). All deadlines are tracked with countdown timers, escalation alerts, and assignment to responsible personnel.

Pre-Built CSIRT/ESA/DPA Report Templates

Pre-formatted report templates match the exact format requirements of national CSIRTs, European Supervisory Authorities (EBA, EIOPA, ESMA), and Data Protection Authorities. Templates are pre-populated with incident data, reducing report drafting from hours to minutes. Templates are updated when regulatory authorities revise their submission formats.

Evidence Packaging for Regulatory Submission

Package all incident evidence — logs, screenshots, timeline reconstructions, impact assessments — into structured evidence bundles that accompany regulatory reports. Evidence is integrity-hashed and timestamped to demonstrate chain of custody and support the organisation's account of events during regulatory review.

Cross-Framework Incident Correlation

A single security incident may trigger reporting obligations under multiple frameworks simultaneously — NIS2, DORA, and GDPR for a data breach at a financial institution. FortisEU correlates the incident across all applicable frameworks, calculates parallel deadlines, and generates separate reports for each regulatory authority from a single incident record.

Post-Incident Review Workflow

Structured post-incident review process captures lessons learned, root cause analysis, and remediation actions. Review findings are linked back to the risk register and compliance controls, closing the loop between incident response and continuous improvement as required by NIS2 Article 21(2)(b) and DORA Article 13.

Workflow

How it works

01

Detect & Classify

Log a new incident from manual report, SIEM alert, or API integration. The classification wizard guides the responder through severity assessment, impact scope, and regulatory significance determination using criteria aligned to NIS2 and DORA classification requirements.

02

Calculate Deadlines

Based on classification and applicable frameworks, FortisEU automatically calculates every regulatory reporting deadline. A reportable incident at a financial entity triggers NIS2 24-hour early warning, DORA 4-hour initial notification, and GDPR 72-hour DPA notification deadlines simultaneously, each with countdown timer and assigned owner.

03

Draft Reports

Pre-built report templates auto-populate with incident data. The NIS2 early warning template captures initial scope and suspected cause. The DORA initial notification includes severity assessment and cross-border impact. The GDPR DPA notification details personal data categories affected and measures taken. Each report is reviewed and approved before submission.

04

Submit & Track

Submit reports to the appropriate authorities and track submission status, authority responses, and follow-up requests. The final incident report consolidates the entire timeline, response actions, evidence, and lessons learned for regulatory closure and internal improvement.
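As an added illustration of step 02 (example code, not FortisEU's own): a deadline calculator that encodes the NIS2, DORA and GDPR timelines named on this page, with each obligation tied to its reference event (awareness for NIS2 and GDPR, classification for the DORA initial and intermediate reports, resolution for the DORA final report). The calendar-month rule used for the "one month" deadlines and the report names are assumptions, as the page does not specify them.

```python
from calendar import monthrange
from datetime import datetime, timedelta, timezone

# Obligations as stated on this page: (report, reference event, delay).
# "1M" means one calendar month; everything else is a timedelta.
OBLIGATIONS = {
    "NIS2": [("CSIRT early warning", "awareness", timedelta(hours=24)),
             ("CSIRT incident notification", "awareness", timedelta(hours=72)),
             ("CSIRT final report", "awareness", "1M")],
    "DORA": [("ESA initial notification", "classification", timedelta(hours=4)),
             ("ESA intermediate report", "classification", timedelta(hours=72)),
             ("ESA final report", "resolution", "1M")],
    "GDPR": [("DPA breach notification (Art. 33)", "awareness", timedelta(hours=72))],
}

def utc(iso: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DDTHH:MM' timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def add_one_month(t: datetime) -> datetime:
    """Assumed month rule: same day next month, clamped to that month's last day."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=year, month=month, day=min(t.day, monthrange(year, month)[1]))

def calculate_deadlines(frameworks, awareness, classification=None, resolution=None):
    """Return (framework, report, due, reference) tuples sorted by due time.
    Classification defaults to the awareness time (earliest possible DORA clock);
    obligations whose reference event has not happened yet (e.g. no resolution
    time) are skipped rather than guessed."""
    events = {"awareness": awareness,
              "classification": classification or awareness,
              "resolution": resolution}
    due_list = []
    for fw in frameworks:
        for report, ref, delay in OBLIGATIONS[fw]:
            start = events[ref]
            if start is None:
                continue
            due = add_one_month(start) if delay == "1M" else start + delay
            due_list.append((fw, report, due, ref))
    return sorted(due_list, key=lambda row: row[2])

if __name__ == "__main__":
    # Constructed scenario: bank breach detected 02:00 UTC, classified one hour later.
    aware = utc("2025-03-01T02:00")
    rows = calculate_deadlines(["NIS2", "DORA", "GDPR"], aware,
                               classification=utc("2025-03-01T03:00"))
    for fw, report, due, ref in rows:
        print(f"{due:%Y-%m-%d %H:%M} UTC  {fw:5} {report} (from {ref})")
```

Running it lists the parallel deadlines in due order, with the DORA 4-hour initial notification first and the DORA final report absent until a resolution time is supplied.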

Use Cases

Built for your team

SOC Analyst

Incident Triage and Classification

A SOC analyst detects a potential ransomware incident at 02:00. They log it in FortisEU and the classification wizard determines it is a significant incident under NIS2 Article 23(3) affecting essential service availability. The system immediately calculates the 24-hour early warning deadline (due 02:00 next day), assigns the CSIRT report to the on-call CISO, and begins the response workflow with pre-configured playbook actions.

CISO

Regulatory Reporting Coordination

The CISO coordinates regulatory reporting for a data breach at a bank that triggers parallel obligations under NIS2, DORA, and GDPR. FortisEU's cross-framework correlation shows three separate reports are needed: CSIRT early warning (24h), ESA initial notification (4h from classification), and DPA breach notification (72h). Each report template is pre-populated, and the CISO reviews and approves each before submission, confident that all deadlines are tracked.

DPO

GDPR Breach Notification

The DPO is alerted that an incident involves personal data of 15,000 data subjects. FortisEU calculates the GDPR Article 33 deadline (72 hours from awareness) and pre-populates the DPA notification with data categories, approximate number of subjects, likely consequences, and measures taken. The DPO also assesses whether GDPR Article 34 individual notification is required based on the risk to data subjects, with ASK providing guidance on the assessment criteria.

Framework Coverage

Supports your compliance stack

NIS2, DORA, GDPR

FAQ

Common questions

What are the NIS2 incident reporting timelines?

NIS2 Directive 2022/2555 Article 23 establishes a three-phase reporting timeline for significant incidents. Phase 1: early warning within 24 hours of becoming aware of the incident, indicating whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have cross-border impact. Phase 2: incident notification within 72 hours with an updated assessment of severity, impact, and indicators of compromise. Phase 3: final report within one month with detailed description, root cause, mitigation measures, and cross-border impact. For incidents affecting essential services, these timelines are strictly enforced by national competent authorities.

What does DORA require for incident reporting?

DORA Regulation 2022/2554 Article 19 requires financial entities to report major ICT-related incidents to their competent authority. The reporting timeline follows ESA regulatory technical standards: initial notification within 4 hours of incident classification as major, intermediate report within 72 hours with updated analysis, and final report within one month of resolution. DORA Article 18 defines the classification criteria including client impact, data integrity loss, critical service unavailability, and geographic spread. FortisEU pre-populates the ESA-mandated report format automatically.

How does FortisEU handle parallel NIS2 and GDPR reporting for data breaches?

When an incident involves both network/information system compromise (NIS2) and personal data breach (GDPR), FortisEU generates separate regulatory reports for each authority from a single incident record. The NIS2 early warning (24h) and GDPR DPA notification (72h) run on parallel timelines with independent deadline tracking. Content is tailored to each authority's requirements — the CSIRT report focuses on technical indicators and service impact, while the DPA notification addresses personal data categories, data subject counts, and risk assessment. Cross-references between reports ensure regulatory consistency.

How does FortisEU classify incidents as reportable vs. non-reportable?

The classification wizard applies regulatory criteria from NIS2 Article 23(3) and DORA Article 18 to determine reportability. NIS2 considers an incident significant if it causes or may cause severe operational disruption or financial loss, or affects other natural or legal persons by causing considerable damage. DORA classifies incidents as major based on client count, transaction impact, duration, geographic spread, data integrity loss, and critical service availability. The wizard walks the responder through each criterion with yes/no decisions, and the system determines reportability automatically based on the responses.

Can FortisEU track submissions to national CSIRTs?

Yes. FortisEU maintains a registry of national CSIRTs and competent authorities for all 27 EU Member States, aligned to the NIS2 Directive's requirements for each sector. When an incident is classified as reportable, the platform identifies the correct CSIRT or competent authority based on your entity type, sector, and establishment country. Report templates are formatted to each authority's requirements where specific formats have been published. Submission status, authority acknowledgements, follow-up requests, and additional information submissions are tracked through the platform's incident timeline.

See Incident Management in Action

Create an account and explore the platform, or talk to our team about enterprise deployment.