“It’s not a question of if we’ll be attacked, but when.” This adage is truer than ever. Despite all protective measures, there is no such thing as zero risk in cybersecurity. That’s why incident management is crucial: an attack can always happen, and it’s the ability to detect and react to it quickly that will make the difference between a contained incident and a catastrophe for the company. The NIS 2 directive is well aware of this: it requires organizations to improve their incident response systems, and introduces very strict notification obligations in the event of a major incident. Let’s take a look at what this means for CIOs and CISOs.
Cyber incidents: the moment of truth for the enterprise
A significant cyber attack is often described as a crash test for the organization. Yet too few companies are truly prepared to handle a digital crisis. An IBM/Ponemon study revealed that 77% of companies have no formal, proven incident response plan (Incident Response Analyst – job description: missions, training, salary…). This figure is alarming, given that an improvised response can lead to costly mistakes (extended reaction time, chaotic communication, inappropriate decisions under stress). According to the FBI, the number of attacks rose by 300% during the pandemic (Incident Response Analyst – job description: missions, training, salary…), which means it’s high time we made up for this lack of preparation.
NIS 2 adds further pressure to structure this function. It introduces a requirement for an incident management plan and, above all, very short notification deadlines to the competent authorities: a preliminary alert within 24 hours of detection (to signal that a significant incident is in progress) and a full report within 72 hours giving details and mitigation measures taken (NIS 2 Directive: Impact on SMEs and suppliers). In addition, a final report must be provided within up to one month, once the incident has been resolved (NIS 2 Directive: Impact on SMEs and suppliers). Missing these notification deadlines is in itself grounds for sanction, even if the organization bears no fault for the incident itself.
These obligations imply that the company has a well-established internal organization for detecting, qualifying and escalating security incidents. Detecting an intrusion in less than 24 hours is not trivial – many data leaks are only discovered weeks or even months later. NIS 2 is therefore an incentive to invest in detection capabilities (monitoring systems, SOC, etc.). Moreover, being able to issue a report within 72 hours presupposes rapid investigation processes and fluid collaboration between technical experts, managers and communicators. This is what cyber crisis management is all about.
Beyond the compliance aspect, good incident management is vital to limit the impact. The Hiscox Report 2023 estimates that 53% of companies suffered an attack last year (compared with 48% the previous year) (Statistics and impacts of cyber attacks on companies in …), and of these, 30% quantified the financial damage at at least $50,000 (84% of large companies suffered a security incident in the last 12 months compared with 65% in 2023 | Business Wire). An effective response can drastically reduce these costs (by containing the attack before it spreads, recovering systems faster, etc.). Conversely, a slow or inadequate response can turn a minor incident into a major crisis. To illustrate, 84% of large companies have detected a cyber attack in the last 12 months (84% of large companies have suffered a security incident in the last 12 months versus 65% in 2023 | Business Wire) – we can’t prevent all these attacks, but we can train ourselves to react to them to reduce the damage.
Reinforcing response capability: best practices
For IT Departments, improving incident management means acting on three fronts: detection, operational response and communication/notification. Here are some concrete measures:
- Set up a team and an Incident Response Plan (IRP): If you haven’t already done so, formalize an Incident Response Plan covering different scenarios (malware, ransomware, denial of service, data breach…). This plan should define roles (who decides to shut down certain systems, who contacts the authorities, who manages crisis communications, etc.), technical procedures (isolation of an infected workstation, restoration from backups, etc.) and playbooks for each type of incident. Set up a multi-disciplinary response team (IT, security, legal, communications, HR) ready to mobilize. Everyone needs to know their mission in the event of an alert. Also document the list of important contacts (police/ANSSI, incident response provider if you have an existing contract, cyber insurer, etc.). This plan must be approved by management and circulated to stakeholders.
- Improve detection capabilities: Invest in security monitoring tools (SIEM, EDR, NDR…) and/or a SOC (in-house or outsourced) capable of continuously analyzing events and rapidly identifying incidents. NIS 2 does not explicitly require a SOC, but without good detection, meeting the 24-hour deadline for the initial alert will be impossible. Make sure you also have a clear internal process so that any suspicious anomaly spotted by an employee can be escalated quickly to the security team (e.g. a technician who sees a strange encrypted file should know who to report it to immediately).
- Train through crisis exercises: Don’t just have a plan; test it. Organize regular exercises to simulate a major incident. For example, simulate a widespread ransomware attack: servers encrypted, network unavailability… What does your team do? These drills, ideally carried out as a surprise, highlight shortcomings (obsolete contacts, unclear procedures, poorly managed stress). After each exercise, hold a debriefing to improve the plan and fill in any gaps. ANSSI recommends this kind of exercise, even at management level, to get everyone used to their role in a real-life situation.
- Ensure technical resilience: Incident management goes hand in hand with business continuity. Check that your backups are well segmented, frequent and tested for restoration. 41% of companies admit that they cannot restore all their data after an incident (Resilience: 80% of companies have no real DRP!) – that’s far too many. A well-designed DRP (Disaster Recovery Plan) should enable critical systems to be restarted within a few hours. In addition, plan for workarounds: e.g., have backup workstations not connected to the main network to continue certain operations in the event of an incident, alternative means of communication (backup telephones, external e-mail) if the IS is down, etc. The more you think about these aspects in advance, the more effective your crisis management will be.
- Careful crisis communication: Communication is often neglected, yet it is essential. Define pre-written messages for the first 24 hours (for customers, for the media, for employees) so as not to improvise under pressure. Appoint an official spokesperson. During the incident, keep employees regularly informed about what’s going on (to avoid rumors and maintain confidence). And, of course, be prepared to notify the authorities within the time limits set by NIS 2. This means quickly recognizing whether an incident is “significant” or not. Establish criteria in advance (e.g. more than X users affected, service interruption > Y hours, etc.) that trigger the obligation to notify. In case of doubt, it’s better to notify preventively within 24 hours, even if it means clarifying later.
- Learn from experience: After each incident (even minor ones), do a post-mortem to analyze what went right or wrong. Update your procedures accordingly. Each incident should make the organization a little more resilient. And don’t hesitate to share your feedback with the community (via sector-specific Computer Security Incident Response Teams – CSIRTs, or anonymized publications): NIS 2 encourages cooperation between entities on incident management, as this benefits everyone.
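As an added illustration (not part of the original article or the Smart Global Governance product), the Python below models the notification logic described in the list above: pre-agreed significance criteria, the 24-hour / 72-hour / one-month deadlines counted from detection, and a check for steps that are overdue. The thresholds and the sample incident are constructed, and "one month" is modelled as 30 days, which is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Deadlines as described in the article: early warning within 24 h of detection,
# full notification within 72 h, final report within one month (assumed 30 days).
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)

# Constructed significance criteria (the "X users / Y hours" thresholds an
# organisation defines in advance). Illustrative values, not taken from NIS 2.
USERS_AFFECTED_THRESHOLD = 1000
OUTAGE_HOURS_THRESHOLD = 4

@dataclass
class Incident:
    detected_at: datetime          # moment the security team qualified the event
    users_affected: int
    service_outage_hours: float
    data_breach: bool              # confirmed unauthorised access to data

def is_significant(inc: Incident) -> bool:
    """Any single pre-agreed criterion is enough to trigger notification."""
    return (inc.users_affected >= USERS_AFFECTED_THRESHOLD
            or inc.service_outage_hours >= OUTAGE_HOURS_THRESHOLD
            or inc.data_breach)

def deadlines(inc: Incident) -> dict:
    """Absolute deadline for each regulatory step, anchored on detection time."""
    return {
        "early_warning": inc.detected_at + EARLY_WARNING,
        "incident_notification": inc.detected_at + INCIDENT_NOTIFICATION,
        "final_report": inc.detected_at + FINAL_REPORT,
    }

def overdue_steps(inc: Incident, now: datetime, completed: set) -> list:
    """Steps whose deadline has passed without being recorded as completed."""
    return sorted(step for step, due in deadlines(inc).items()
                  if step not in completed and now > due)

# Constructed sample: ransomware detected on a Friday morning, 2,500 users down.
SAMPLE = Incident(datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc), 2500, 6.0, False)

if __name__ == "__main__":
    if is_significant(SAMPLE):
        for step, due in deadlines(SAMPLE).items():
            print(f"{step}: due {due.isoformat()}")
    now = SAMPLE.detected_at + timedelta(hours=96)   # four days in, early warning sent
    print("overdue:", overdue_steps(SAMPLE, now, {"early_warning"}))
```

Running the module prints the three deadlines for the sample and flags the 72-hour notification as overdue at the 96-hour mark.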
By developing these capabilities, a company moves from a submissive attitude (“we hope we won’t be attacked”) to a proactive attitude (“we’re ready to react when it happens”). This is an essential component of cyber-resilience. And it also reassures the authorities: being able to demonstrate that you have a robust response system will be well received in the event of an NIS 2 inspection (and may avoid sanctions if an incident nevertheless goes wrong).
How Smart Global Governance facilitates incident management and NIS 2 compliance
Smart Global Governance solutions provide invaluable support in structuring your incident management process and meeting NIS 2 incident management requirements. By centralizing information and automating certain tasks, the platform enables your incident response team to be more responsive and organized.
- Central incident log: Smart Global Governance’s incident management module lets you record and track every security incident (intrusion attempt, detected malware, etc.), with a workflow from initial reporting through to resolution. All relevant information is recorded: time-stamp, system affected, severity, actions taken, persons responsible assigned… This creates an incident memory, useful for post-event analysis and justification to the authorities. What’s more, in the event of an audit, you can demonstrate that “all incidents are properly logged and handled according to an established process”, which is a guarantee of seriousness.
- Playbook and task management: The platform includes the ability to define standard response plans (playbooks) for different scenarios. For example, a “Ransomware” playbook can automatically create a series of tasks: isolate the affected network segment, check the integrity of backups, inform a particular manager, etc., assigned to the right people. When an incident occurs, the CISO can trigger the corresponding playbook, and Smart Global Governance will orchestrate the response, ensuring that each step is taken and completed. This prevents actions being forgotten in the heat of the moment. You can monitor the progress of each task in real time, and receive alerts if anything falls behind schedule.
- Notifications and automated escalation: Linked to your monitoring systems, Smart Global Governance can receive incident alerts (from a SIEM, for example) and automatically create an incident ticket in the log. Better still: if the incident exceeds a certain severity threshold, the platform can instantly notify key stakeholders by SMS or email (e.g. COMEX member, legal manager). This ensures immediate escalation, without waiting for an analyst to manually inform their superiors. In the context of NIS 2, where the 24-hour notification clock starts as soon as a breach is detected, this time saving can make all the difference.
- NIS 2 reporting module: Smart Global Governance can facilitate the compilation of the information required to notify the ANSSI (or competent authority). As the incident log already contains all the technical details and actions taken, you can generate a structured report with the key elements (incident type, date/time, impact, mitigation measures) as a basis for regulatory notification. A report template aligned with NIS 2 expectations can be integrated, so that no required information is omitted. This helps you to comply with the form and content requirements of official notifications, in addition to meeting the deadline.
- Post-incident analysis and capitalization: Once the incident is closed, the platform enables you to launch a feedback process. Team members can record lessons learned directly on the incident form, and create follow-up actions (e.g. “reinforce authentication on server X”, “train team Y in procedure Z”) which will be tracked until they are implemented. The tool thus ensures continuous improvement of the security system. Statistics can also be extracted on past incidents (frequency, average time to resolution, most common types) to help adjust the overall strategy.
- PCA/PRA integration: Combined with Smart Global Governance’s business continuity and disaster recovery modules (PCA/PRA), incident management forms part of a global approach to resilience. For example, if a critical incident is declared, the platform can suggest triggering the associated continuity plan. The links between risks, incidents and recovery plans are documented, providing a coherent vision of crisis response.
Thanks to Smart Global Governance, your organization can gain in responsiveness and coordination at critical moments of a security incident. CIOs and CISOs have a centralized command post to manage the crisis, without getting lost in e-mails or scattered files. Every minute counts during an attack; by eliminating trial and error and automating repetitive tasks, the platform saves you precious minutes – even hours. What’s more, it helps you scrupulously fulfill your NIS 2 obligations in terms of incident management and reporting, thus avoiding the “over-incident” of regulatory non-compliance in the midst of a crisis. So it’s a double safety net: for your operations, and for your compliance.