Cybersecurity Incident Response: Every Minute Counts

Cybersecurity incident response is the set of technical and legal procedures an organisation activates upon detection of a cyberattack, system breach, or data security event. In the EU regulatory framework, two parallel notification obligations apply simultaneously: under Article 33 of the GDPR, personal data breaches must be notified to the AEPD within 72 hours; under the NIS2 Directive (EU 2022/2555, transposed in Spain by 2026), essential and important entities must submit an early warning to the competent authority (INCIBE-CERT or CCN-CERT) within 24 hours of detecting a significant incident, followed by a more complete report within 72 hours. Failure to meet these deadlines constitutes an independent regulatory infringement separate from the underlying incident.

Our incident response team brings together lawyers specialising in cybersecurity and privacy regulation with experience in technical response coordination, crisis management, and regulatory authority relations. Integrating the legal and operational dimensions from the first moment is the difference between an effective response and one that generates additional problems.

The Preparation Gap

An active cyberattack is the worst moment to discover that the response plan does not exist, that no one knows who to call, or that the documented procedures do not reflect operational reality. Post-incident investigations consistently show that the damage caused by lack of preparation exceeds the damage from the incident itself: systems offline longer than necessary due to absent recovery procedures, regulatory fines for late notification, and client trust destroyed by uncoordinated crisis communication.

The incident response plan is not a document to be filed and forgotten. To be useful, it must reflect the company’s actual technical architecture, the critical assets that must be prioritised for recovery, the real-world roles of the people who will execute it, and the current contacts for suppliers, authorities, and insurers. It must be tested regularly through tabletop exercises that place the team in simulated stress and reveal failures before a real incident does.

What Effective Tabletop Exercises Look Like

The exercises we facilitate go beyond a theoretical discussion. We use detailed scenarios based on the most frequent attack vectors in the company’s specific sector — ransomware in manufacturing and logistics, credential compromise via phishing in professional services, supply chain attacks in critical sectors — and introduce real-time complications that test decision-making and communication under pressure. The post-exercise report identifies critical gaps and produces a concrete improvement plan.

The Legal Dimension of Incident Response

When a real incident occurs, the coordination between technical response and legal management is critical. The forensic team needs to preserve evidence in a form that is admissible if criminal involvement is suspected. Regulatory notifications must be accurate and consistent — the AEPD and the NIS2 supervisory authority can request additional information that must be consistent with what has already been notified. If there is a potential cyber insurance claim, incident documentation must satisfy the insurer’s requirements. Our service coordinates all these dimensions from the first moment.

The GDPR and NIS2 notification obligations run in parallel with very tight timelines. Our experience is clear: organisations that have conducted the tabletop exercise and have a tested, documented protocol consistently meet the deadlines with margin. Organisations that improvise rarely do.

Criminal Liability and Incident Response

In incidents involving ransomware extortion, theft of trade secrets, or sabotage, the incident response has a criminal dimension that requires specialist legal oversight from the outset. Our criminal compliance team coordinates with the incident response function to ensure that evidence is preserved, that law enforcement notification decisions are made with full legal awareness of the consequences, and that the company’s legal position is protected throughout the response.

The DORA Notification Timeline

For financial entities subject to DORA (Regulation 2022/2554), the incident notification requirements are even more demanding than NIS2. DORA’s delegated technical standards set specific classification criteria and notification timelines: an initial notification within 4 hours of classifying an incident as major, an intermediate report within 72 hours, and a final report within one month. Financial entities need a pre-classified incident response workflow — one that moves from detection to major/non-major classification in minutes, not hours. Our DORA compliance team integrates the incident response protocol with the regulatory notification workflow as a single, coherent process.

Supply Chain Incidents

A significant proportion of major cyber incidents originate in compromised third-party suppliers — software vendors with privileged access to client environments, cloud infrastructure providers, or managed service providers. These incidents present specific legal complications: the company is simultaneously a victim of the supplier’s security failure and potentially a controller of personal data breached by a processor. Our incident response service includes a post-incident analysis of the contractual gap that allowed the supply-chain incident to occur — producing a concrete recommendation for contractual remediation. Data breach management for the GDPR notification dimension runs in parallel.

Cyber Insurance Claims Coordination

Insurance claims following a significant cyber incident require careful coordination with the incident response process. Most policies require notification to the insurer within 24 to 72 hours of discovering the incident — a window that frequently overlaps with the regulatory notification process. Our approach establishes a dedicated insurance coordination track alongside the regulatory notification process, with a designated contact responsible for managing the insurer relationship from detection through claim resolution. Organisations that have not yet conducted a cybersecurity audit of their current security controls should do so before the next renewal — both to ensure coverage conditions are satisfied and to identify gaps that the insurer’s underwriting process may flag.

The DORA Notification Timeline

For financial entities subject to DORA (Regulation 2022/2554), the incident notification requirements are even more demanding than NIS2. DORA’s delegated technical standards set specific classification criteria and notification timelines: an initial notification within 4 hours of classifying an incident as major, an intermediate report within 72 hours, and a final report within one month. Financial entities need a pre-classified incident response workflow — one that moves from detection to major/non-major classification in minutes, not hours. Our DORA compliance team integrates the incident response protocol with the regulatory notification workflow as a single, coherent process.

Supply Chain Incidents

A significant proportion of major cyber incidents originate in compromised third-party suppliers — software vendors with privileged access to client environments, cloud infrastructure providers, or managed service providers. These incidents present specific legal complications: the company is simultaneously a victim of the supplier’s security failure and potentially a controller of personal data breached by a processor. Our incident response service includes a post-incident analysis of the contractual gap that allowed the supply-chain incident to occur — producing a concrete recommendation for contractual remediation. Data breach management for the GDPR notification dimension runs in parallel.

Cyber Insurance Claims Coordination

Insurance claims following a significant cyber incident require careful coordination with the incident response process. Most policies require notification to the insurer within 24 to 72 hours of discovering the incident — a window that frequently overlaps with the regulatory notification process. Our approach establishes a dedicated insurance coordination track alongside the regulatory notification process, with a designated contact responsible for managing the insurer relationship from detection through claim resolution. Organisations that have not yet conducted a cybersecurity audit of their current security controls should do so before the next renewal — both to ensure coverage conditions are satisfied and to identify gaps that the insurer’s underwriting process may flag.