How to Create an Incident Response Plan
Complete guide to creating an incident response plan for EU-regulated entities, covering IRP structure, NIS2 Article 23 incident reporting, DORA Article 17 incident management, the six-phase response lifecycle, and validation through tabletop exercises.
- 1
Embed NIS2 Article 23 and DORA Article 19 reporting timelines directly into your IRP workflow with pre-drafted templates and designated reporting contacts.
- 2
Pre-classify incident scenarios against regulatory reporting thresholds to eliminate decision latency during the critical first hours.
- 3
Define clear roles (Incident Commander, Technical Lead, Communications Lead, Legal Counsel, Privacy Officer) with documented responsibilities and escalation paths.
- 4
Test the IRP through regular tabletop exercises at technical, management, and cross-functional levels — an untested plan is a document, not a capability.
- 5
Maintain a decision log during every incident for post-incident review and potential supervisory examination.
1. IRP Fundamentals and EU Regulatory Context
An incident response plan (IRP) is a documented set of procedures that guides an organisation's actions when a cybersecurity incident occurs. It defines what constitutes an incident, who is responsible for responding, how the response should be coordinated, what communication and reporting obligations apply, and how the organisation will recover and learn from the event. For EU-regulated entities, the IRP is not a discretionary preparedness document — it is a regulatory requirement under NIS2 Article 21(2)(b) (incident handling), DORA Article 17 (ICT-related incident management process), and ISO 27001 Annex A Control A.5.24-A.5.28 (information security incident management).
The EU regulatory landscape imposes specific incident reporting obligations that must be embedded directly into the IRP. NIS2 Article 23 mandates a three-stage reporting process with tight timelines (24-hour early warning, 72-hour incident notification, one-month final report). DORA Article 19 requires financial entities to report major ICT-related incidents to their competent authority using classification criteria defined in Commission Delegated Regulation (EU) 2024/1772. These reporting obligations are not add-ons to be figured out during an incident — they must be pre-integrated into the response workflow with pre-drafted templates, designated reporting contacts, and rehearsed escalation procedures.
The IRP must also address the cross-border dimension of incident response in the EU. NIS2 requires entities to report to the competent authority or CSIRT of the Member State where they are established, but incidents affecting services in other Member States trigger additional notification obligations. DORA adds complexity for financial entities operating across multiple EU jurisdictions, where the lead supervisory authority and national competent authorities may both require notification. An effective IRP for a multi-jurisdiction EU entity must include a jurisdiction matrix that maps incident types and affected services to the appropriate reporting channels in each Member State.
2. NIS2 Article 23: Incident Reporting Integration
NIS2 Article 23 establishes a three-tier incident reporting regime for significant incidents. Within 24 hours of becoming aware of a significant incident, the entity must submit an early warning to the competent authority or CSIRT indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact. Within 72 hours, an incident notification must provide an initial assessment of the incident including its severity and impact, and where available, the indicators of compromise. Within one month, a final report must include a detailed description of the incident, the root cause analysis, mitigation measures applied, and the cross-border impact where applicable. For ongoing incidents, an interim progress report is required at the 72-hour mark, with the final report due one month after incident resolution.
Integrate these timelines directly into your IRP workflow. The 24-hour early warning is the most operationally challenging requirement because it starts from the moment any employee 'becomes aware' of the incident — not from the moment the security team is formally notified or the incident is classified. This means your IRP must include a rapid internal escalation pathway that ensures security-relevant events reported by any employee (help desk tickets, suspicious activity reports, automated alerts) are triaged and assessed against the significant incident criteria within hours, not days. Pre-draft the early warning template so that the only variables to complete are the incident-specific details, not the structural format.
Define 'significant incident' thresholds operationally. Article 23(3) provides the legal criteria — an incident is significant if it has caused or could cause severe operational disruption or financial loss, or has affected or could affect other persons by causing considerable damage. Translate these into concrete, pre-classified scenarios for your environment: ransomware affecting production systems (always significant), data breach exposing personal data of more than a defined threshold of individuals (always significant), DDoS attack causing service unavailability exceeding a defined duration (significant if it impacts essential or important service delivery), and so on. Pre-classification eliminates decision latency during incidents, which is critical when the 24-hour clock is already running.
The NIS2 24-hour early warning clock starts when any employee becomes aware of the incident, not when the security team classifies it. Build internal escalation procedures that account for this broad trigger to avoid inadvertent deadline violations.
3. DORA Article 17: Incident Management Framework
DORA Article 17 requires financial entities to establish and implement an ICT-related incident management process to detect, manage, and notify ICT-related incidents. Unlike NIS2's principles-based approach, DORA's incident management requirements are highly prescriptive. Article 17(1) requires early warning indicators, procedures for identifying, tracking, logging, categorising, and classifying ICT-related incidents, assignment of roles and responsibilities, communication plans for staff, external stakeholders, media, and clients, and procedures for reporting to senior management and to the management body. Article 17(2) requires financial entities to establish procedures and processes to ensure consistent and integrated monitoring, handling, and follow-up of ICT-related incidents.
The DORA incident classification framework, defined in Commission Delegated Regulation (EU) 2024/1772, establishes specific criteria for determining whether an ICT-related incident is 'major' and therefore subject to reporting. The classification criteria include the number of clients or financial counterparts affected, the duration of the incident, the geographic spread, the data losses (availability, authenticity, integrity, confidentiality), the criticality of the services affected, and the economic impact. Financial entities must implement these classification criteria in their IRP triage procedures, ensuring that incident responders can rapidly assess incoming incidents against the criteria and determine reporting obligations.
DORA Article 19 sets the incident reporting timelines for major ICT-related incidents: an initial notification within four hours of classifying the incident as major (or within 24 hours of becoming aware, whichever is earlier), an intermediate report within 72 hours of the initial notification, and a final report within one month of the incident's resolution. For financial entities also subject to NIS2, the DORA timelines generally take precedence because they are more prescriptive — but the IRP should explicitly map both frameworks' timelines to ensure no obligation is missed. The IRP should also address DORA Article 19(4), which allows financial entities to voluntarily report significant cyber threats, and define the internal process for determining when voluntary threat reporting is appropriate.
DORA's initial notification deadline is four hours from classification as a major incident (or 24 hours from awareness, whichever is earlier). This is tighter than NIS2's 24-hour early warning. Financial entities subject to both must plan for the DORA timeline.
4. Plan Structure: The Six-Phase Response Lifecycle
Structure your IRP around the six-phase incident response lifecycle: preparation, detection and analysis, containment, eradication, recovery, and post-incident activity (lessons learned). This framework, derived from NIST SP 800-61 and aligned with ISO 27035, provides a structured yet flexible approach that accommodates the variety of incident types an organisation may face. Each phase should include defined activities, responsible roles, decision criteria, escalation triggers, and documentation requirements.
Preparation is the phase that occurs before any incident and encompasses all activities that enable effective response: maintaining current contact lists for internal response team members, external parties (legal counsel, forensics providers, law enforcement, regulatory contacts), and communication channels; deploying and maintaining detection infrastructure (SIEM, EDR, network monitoring, log aggregation); establishing secure communication channels for incident coordination that do not depend on potentially compromised infrastructure (out-of-band communication via mobile phones, encrypted messaging apps, or dedicated incident management platforms); pre-drafting notification templates for regulatory authorities, data protection authorities (GDPR Article 33/34 notifications), customers, and media; and conducting regular training and exercises. Preparation also includes maintaining a current asset inventory and data map — you cannot assess the impact of an incident on systems and data you do not know you have.
Detection and analysis is where the IRP intersects with your security monitoring capabilities. Define the detection sources (SIEM alerts, EDR detections, user reports, threat intelligence feeds, network anomaly detection), the triage process for determining whether a detected event constitutes an incident, the initial classification criteria (severity, category, regulatory reporting trigger), and the assignment of the incident to the appropriate response team. Containment follows detection and must balance the need to stop the incident from spreading against the need to preserve forensic evidence. Define containment strategies for each major incident category: network isolation for lateral movement, account disabling for credential compromise, service shutdown for active data exfiltration. Eradication removes the threat from the environment — malware removal, vulnerability patching, credential resets. Recovery restores affected systems and services to normal operations with enhanced monitoring to detect recurrence. Post-incident activity captures lessons learned and drives improvements to prevent recurrence.
5. Roles, Responsibilities, and Communication Protocols
Define clear roles within the incident response organisation. The Incident Commander leads the overall response, makes containment and escalation decisions, and serves as the single point of authority during the incident. The Technical Lead coordinates the technical response activities (detection, containment, eradication, recovery) and leads the forensic investigation. The Communications Lead manages internal and external communications including regulatory notifications, customer notifications, and media statements. The Legal Counsel advises on regulatory obligations, litigation risk, evidence preservation, and law enforcement engagement. The Privacy Officer assesses personal data implications and manages GDPR Article 33/34 notifications to data protection authorities and data subjects.
Establish communication protocols that address both internal coordination and external reporting. Internal coordination requires a secure, out-of-band communication channel (assume that email and corporate messaging may be compromised during a cyber incident), a regular cadence of status updates (every 2-4 hours during active response, daily during extended incidents), a decision log that records all significant decisions, the rationale behind them, and who made them (this log is essential for post-incident review and potential supervisory examination), and escalation criteria that define when the incident must be escalated to senior management, the management body, and external parties.
External communication must be planned, consistent, and legally reviewed. Pre-draft holding statements for each major incident category so that the first public or customer communication can be issued within hours rather than days. Coordinate regulatory notifications through a single contact point to avoid inconsistent messaging — if both the CSIRT (NIS2) and financial supervisory authority (DORA) require notification, ensure the incident description is consistent across both. For GDPR-triggering incidents (personal data breaches), coordinate the supervisory authority notification (Article 33, within 72 hours) with the NIS2/DORA notification timeline to avoid conflicting deadlines and duplicative effort. Maintain pre-established relationships with your relevant CSIRTs and competent authorities — the middle of an incident is not the time to discover the correct reporting channel.
6. Testing Through Tabletop Exercises
An untested incident response plan is a document, not a capability. Testing through tabletop exercises is the most effective way to validate your IRP, identify gaps, and build team muscle memory before a real incident forces the plan into action. NIS2 Article 21(2)(f) requires entities to implement policies and procedures for assessing the effectiveness of cybersecurity risk-management measures, which includes testing incident response capabilities. DORA Article 25 requires financial entities to test ICT business continuity and response plans at least annually, with tabletop exercises and simulation exercises explicitly referenced.
Design tabletop exercises around realistic scenarios that stress-test the specific elements of your IRP that are most likely to fail under pressure. Effective scenarios include: a ransomware attack that encrypts production systems and demands payment within 48 hours (tests containment decisions, business continuity activation, regulatory reporting under time pressure, and management body communication); a supply chain compromise where a trusted software vendor pushes a malicious update (tests detection capabilities, scope assessment, NIS2 Article 21(2)(d) supply chain security controls, and coordination with the vendor); a data breach where personal data is exfiltrated and published online (tests GDPR notification alongside NIS2/DORA notification, customer communication, media management, and law enforcement engagement); and a nation-state intrusion discovered through threat intelligence sharing (tests coordination with CSIRT, evidence preservation, long-term containment without alerting the adversary).
Conduct tabletop exercises at multiple levels. Technical tabletops involve the incident response team and focus on detection, containment, and eradication procedures. Management tabletops involve senior management and the management body and focus on strategic decisions, resource allocation, and external communication. Cross-functional tabletops bring together IT, security, legal, privacy, communications, HR, and business operations to test coordination across functional boundaries. After each exercise, conduct a structured debrief that identifies strengths, weaknesses, and specific improvement actions. Track improvement actions to completion and incorporate lessons learned into the IRP update cycle. DORA requires that test results and remediation plans be reported to the management body, and NIS2's management body oversight obligation (Article 20) implies a similar expectation.
Run tabletop exercises at multiple organisational levels: technical (response team procedures), management (strategic decisions and communication), and cross-functional (coordination across departments). Each level reveals different gaps in your incident response capability.
How does NIS2 incident reporting differ from GDPR breach notification?
NIS2 and GDPR serve different purposes and have different scopes. NIS2 Article 23 requires reporting of significant incidents affecting network and information system security to the CSIRT or competent authority (24-hour early warning, 72-hour notification, one-month final report). GDPR Article 33 requires notification of personal data breaches to the data protection authority within 72 hours. A single incident may trigger both: a ransomware attack that encrypts a database containing personal data requires both a NIS2 notification (to the CSIRT/competent authority) and a GDPR notification (to the DPA). Your IRP should include a triage step that assesses each incident against both sets of criteria.
How often should the incident response plan be tested?
DORA Article 25 requires financial entities to test ICT business continuity plans at least annually. NIS2 Article 21(2)(f) requires assessment of risk-management effectiveness, which includes incident response testing. Best practice for EU-regulated entities is at least one full-scale tabletop exercise annually involving the management body, plus quarterly technical tabletop exercises for the incident response team. Additionally, test specific components (notification procedures, communication channels, forensic tool readiness) on a rolling basis throughout the year.
What is the difference between an incident response plan and a business continuity plan?
An incident response plan focuses on detecting, containing, eradicating, and recovering from security incidents — it is an operational document for the security and IT teams. A business continuity plan (BCP) focuses on maintaining critical business operations during and after a disruptive event — it addresses people, processes, technology, and facilities. The IRP feeds into the BCP: when an incident triggers business continuity activation, the IRP manages the technical response while the BCP manages the business operations response. Both NIS2 Article 21(2)(c) and DORA Article 11 require business continuity arrangements that should be coordinated with the IRP.
Should we engage external incident response providers?
For most EU organisations, maintaining a fully staffed, 24/7 internal incident response capability is not practical. Establish a retainer relationship with an external incident response provider (sometimes called an incident response retainer or IR-on-call service) that can supplement your internal team during major incidents. Select a provider with EU-based operations, appropriate security clearances for your sector, and demonstrated experience with NIS2/DORA-regulated entities. Include the external provider in your tabletop exercises so they understand your environment, procedures, and regulatory obligations before an incident occurs.
How do we handle evidence preservation during incident response?
Evidence preservation is critical for three reasons: forensic analysis to understand the incident's scope and root cause, potential law enforcement investigation, and supervisory examination of your response. Train incident responders to preserve volatile evidence before containment actions destroy it (memory captures, network connection states, running process lists). Maintain forensic images of affected systems before remediation begins. Document the chain of custody for all evidence. Your IRP should include a checklist of evidence to collect for each major incident category and the tools/procedures for collection. Ensure evidence storage meets GDPR requirements if it contains personal data.
Ready to Operationalise This?
Turn this guide into working compliance workflows. Create an account or schedule a personalised demo.