Cybersecurity Incident Response: Every Minute Counts
Incident response plans, tabletop exercises, breach containment, forensic investigation coordination, and regulatory notifications to AEPD and NIS2 supervisory authorities.
Why incident response preparation is essential before an attack
Does this apply to your business?
Does your company have a documented incident response plan that has been tested in the last 12 months?
Does the executive team know exactly what to do in the first hours of a cyberattack — without improvising?
Have you identified who is responsible for AEPD and NIS2 notifications the moment the clock starts?
Has your company conducted a ransomware or data breach tabletop exercise in the last year?
Our cybersecurity incident response process
Incident response plan development
We design the incident response plan (IRP) adapted to the company's critical assets and specific risk profile: incident classification, roles and responsibilities, containment procedures, communication chains, and escalation criteria.
Tabletop exercises
We facilitate tabletop exercises with the executive and technical teams to test the plan against realistic scenarios: ransomware, data breach, supply chain attack, critical system failure. The exercise reveals the gaps before a real incident does.
Real incident coordination
When a real incident occurs, we activate immediate support: coordination with the technical containment team, forensic investigation management, real-time legal counsel on notifications, and representation with regulatory authorities.
Regulatory notifications and crisis communications
We manage mandatory notifications: AEPD within 72 hours (GDPR), NIS2 supervisory authority within 24 hours (early warning) and 72 hours (initial report), and communication to affected individuals where required. We coordinate crisis communications with clients, partners, and media.
The challenge
A poorly managed cybersecurity incident causes far more damage than the incident itself. Without an operational response plan, organisations lose critical hours to decision paralysis, extend the attacker's window, and risk regulatory penalties for missing the AEPD's 72-hour notification deadline or NIS2's 24-hour early warning requirement. Improvisation during an active cyberattack is the most common cause of avoidable damage.
Our solution
We develop incident response plans tailored to each organisation's reality, facilitate tabletop exercises that test the plan under realistic conditions, and when a real incident occurs, we coordinate the technical and legal response: containment, forensic investigation, regulatory notifications (AEPD and NIS2), and crisis communications.
Cybersecurity incident response is the set of technical and legal procedures an organisation activates upon detection of a cyberattack, system breach, or data security event. In the EU regulatory framework, two parallel notification obligations apply simultaneously: under Article 33 of the GDPR, personal data breaches must be notified to the AEPD within 72 hours; under the NIS2 Directive (EU 2022/2555, transposed in Spain by 2026), essential and important entities must submit an early warning to the competent authority (INCIBE-CERT or CCN-CERT) within 24 hours of detecting a significant incident, followed by a more complete report within 72 hours. Failure to meet these deadlines constitutes an independent regulatory infringement separate from the underlying incident.
Our incident response team brings together lawyers specialising in cybersecurity and privacy regulation with experience in technical response coordination, crisis management, and regulatory authority relations. Integrating the legal and operational dimensions from the first moment is the difference between an effective response and one that generates additional problems.
The Preparation Gap
An active cyberattack is the worst moment to discover that the response plan does not exist, that no one knows who to call, or that the documented procedures do not reflect operational reality. Post-incident investigations consistently show that the damage caused by lack of preparation exceeds the damage from the incident itself: systems offline longer than necessary due to absent recovery procedures, regulatory fines for late notification, and client trust destroyed by uncoordinated crisis communication.
The incident response plan is not a document to be filed and forgotten. To be useful, it must reflect the company’s actual technical architecture, the critical assets that must be prioritised for recovery, the real-world roles of the people who will execute it, and the current contacts for suppliers, authorities, and insurers. It must be tested regularly through tabletop exercises that place the team in simulated stress and reveal failures before a real incident does.
What Effective Tabletop Exercises Look Like
The exercises we facilitate go beyond a theoretical discussion. We use detailed scenarios based on the most frequent attack vectors in the company’s specific sector — ransomware in manufacturing and logistics, credential compromise via phishing in professional services, supply chain attacks in critical sectors — and introduce real-time complications that test decision-making and communication under pressure. The post-exercise report identifies critical gaps and produces a concrete improvement plan.
The Legal Dimension of Incident Response
When a real incident occurs, the coordination between technical response and legal management is critical. The forensic team needs to preserve evidence in a form that is admissible if criminal involvement is suspected. Regulatory notifications must be accurate and consistent — the AEPD and the NIS2 supervisory authority can request additional information that must be consistent with what has already been notified. If there is a potential cyber insurance claim, incident documentation must satisfy the insurer’s requirements. Our service coordinates all these dimensions from the first moment.
The GDPR and NIS2 notification obligations run in parallel with very tight timelines. Our experience is clear: organisations that have conducted the tabletop exercise and have a tested, documented protocol consistently meet the deadlines with margin. Organisations that improvise rarely do.
Criminal Liability and Incident Response
In incidents involving ransomware extortion, theft of trade secrets, or sabotage, the incident response has a criminal dimension that requires specialist legal oversight from the outset. Our criminal compliance team coordinates with the incident response function to ensure that evidence is preserved, that law enforcement notification decisions are made with full legal awareness of the consequences, and that the company’s legal position is protected throughout the response.
The DORA Notification Timeline
For financial entities subject to DORA (Regulation 2022/2554), the incident notification requirements are even more demanding than NIS2. DORA’s delegated technical standards set specific classification criteria and notification timelines: an initial notification within 4 hours of classifying an incident as major, an intermediate report within 72 hours, and a final report within one month. Financial entities need a pre-classified incident response workflow — one that moves from detection to major/non-major classification in minutes, not hours. Our DORA compliance team integrates the incident response protocol with the regulatory notification workflow as a single, coherent process.
Supply Chain Incidents
A significant proportion of major cyber incidents originate in compromised third-party suppliers — software vendors with privileged access to client environments, cloud infrastructure providers, or managed service providers. These incidents present specific legal complications: the company is simultaneously a victim of the supplier’s security failure and potentially a controller of personal data breached by a processor. Our incident response service includes a post-incident analysis of the contractual gap that allowed the supply-chain incident to occur — producing a concrete recommendation for contractual remediation. Data breach management for the GDPR notification dimension runs in parallel.
Cyber Insurance Claims Coordination
Insurance claims following a significant cyber incident require careful coordination with the incident response process. Most policies require notification to the insurer within 24 to 72 hours of discovering the incident — a window that frequently overlaps with the regulatory notification process. Our approach establishes a dedicated insurance coordination track alongside the regulatory notification process, with a designated contact responsible for managing the insurer relationship from detection through claim resolution. Organisations that have not yet conducted a cybersecurity audit of their current security controls should do so before the next renewal — both to ensure coverage conditions are satisfied and to identify gaps that the insurer’s underwriting process may flag.
Regulatory Framework: GDPR, NIS2, DORA, and Spanish Implementation
The key regulatory instruments governing cybersecurity incident response and notification obligations in Spain are:
GDPR (Regulation 2016/679), Articles 33 and 34: Article 33 requires notification to the AEPD within 72 hours of becoming aware of a personal data breach likely to pose a risk to individuals’ rights and freedoms. The notification must describe the nature of the breach, the categories and approximate number of individuals and records concerned, the data protection officer contact, likely consequences, and measures taken or proposed (Art. 33.3 GDPR). Article 34 requires direct notification to affected individuals when the breach is likely to result in high risk — without undue delay and with no fixed hour limit.
NIS2 Directive (EU 2022/2555): requires essential and important entities to report significant incidents to the relevant CSIRT or competent authority — in Spain, INCIBE-CERT (private sector) or CCN-CERT (public administrations) — within 24 hours (early warning), 72 hours (initial report), and one month (final report). An incident is significant if it has caused or could cause severe operational disruption, financial loss, or material harm to natural or legal persons.
DORA (Regulation 2022/2554): financial entities face stricter timelines. A preliminary notification must be submitted within 4 hours of classifying an ICT incident as “major” per EBA delegated technical standards; an intermediate report is due within 72 hours and a final report within one month.
Ley 36/2015 (Seguridad Nacional) and RD 43/2021 (Infraestructuras Críticas): operators of critical infrastructure have additional obligations under the National Security Framework, including coordination with the CNPIC (Centro Nacional de Protección de Infraestructuras y Ciberseguridad), a mandatory Security Plan, and regular testing of the Self-Protection Plan.
Sectors Most Affected
Healthcare: patient data breaches have the highest regulatory and reputational impact — AEPD sanctions for healthcare data breaches are consistently among the highest applied. NIS2 classifies hospitals and healthcare providers as essential entities with the most demanding notification obligations. Tabletop scenarios for healthcare must include ransomware targeting patient management systems, which effectively halts clinical operations and triggers both GDPR and NIS2 obligations simultaneously.
Financial services (DORA): financial entities subject to DORA have incident notification requirements beyond GDPR and NIS2. The initial notification to Banco de España or CNMV must be made within 4 hours of classifying an incident as major — far more demanding than the NIS2 24-hour early warning. The dual regulatory notification requirement (DORA to the financial supervisor, GDPR to the AEPD) must be managed as a coordinated process with consistent facts and a unified timeline.
Critical infrastructure and logistics: NIS2 essential entities in energy, transport, and water face the most demanding response obligations, including mandatory coordination with CCN-CERT or INCIBE-CERT. The 24-hour early warning is particularly demanding for distributed infrastructure where incident detection is not instantaneous.
Professional services (law firms, consultants, accountants): high-value client data makes professional services a frequent target. A breach involving client confidential information creates simultaneous GDPR, professional secrecy, and legal privilege dimensions that require legally qualified incident management from the first hour.
Retail and e-commerce: large volumes of customer payment and personal data, combined with the operational dependence on digital systems, make this sector a high-frequency target. Business interruption during peak commercial periods (December, promotional campaigns) creates pressure to recover quickly that can lead to forensic preservation errors.
Company Size Segmentation
Autónomos and microenterprises: not subject to NIS2 obligations, but GDPR applies regardless of size. Any breach affecting client personal data triggers the 72-hour AEPD notification obligation. A basic IRP — two pages of escalation contacts, a containment checklist, and a notification template — provides meaningful protection at minimal cost. Full incident response retainers are available from EUR 3,000 per year.
SMEs (10–100 employees): the highest-risk group by absolute incident probability. SMEs are frequent ransomware targets (lower security maturity than large enterprises, but sufficient data value to justify attack economics). An annual tabletop exercise focused on ransomware and phishing, combined with a tested backup and recovery procedure, reduces average downtime from weeks to days.
Medium and large companies (100+ employees): full IRP development, annual tabletop exercises, and a 24/7 incident response retainer with guaranteed 4-hour response. NIS2 obligations apply to in-scope companies above the 50-employee or EUR 10M revenue threshold in covered sectors.
Worked Example: Ransomware — Healthcare Sector
A private healthcare clinic (55 employees, 12,000 registered patients) suffered a ransomware attack at 03:00 on a Saturday. Patient management systems and clinical records were encrypted. The attacker demanded EUR 85,000.
BMC incident response timeline:
- 03:45 — systems isolated, backup integrity verified, forensic snapshot taken before any recovery attempt.
- 06:00 — GDPR notification assessment: patient health records constitute high-risk personal data; AEPD notification required within 72 hours.
- 08:00 — director briefing; decision not to pay the ransom taken after legal assessment.
- 18:00 Saturday — AEPD preliminary notification filed (15 hours after detection).
- Monday 09:00 — clinical records system restored from verified backup; 36-hour total downtime.
Forensic investigation confirmed no exfiltration. AEPD archived the notification without sanction proceedings, citing rapid notification, effective containment, and absence of actual data loss. The outcome was entirely dependent on having a tested IRP and forensic tooling in place before the incident.
Common Mistakes We Fix
- Treating the IRP as a documentation exercise rather than an operational tool. Plans that list the right steps but do not reflect the actual system architecture or tested recovery procedures provide false assurance and fail under real incident conditions.
- Not running tabletop exercises with the executive team. Failures in real incidents arise from decisions requiring business authority — ransom payment, proactive client notification, media engagement. These decisions must be rehearsed before the incident, not improvised under attack conditions.
- Missing the AEPD 72-hour deadline because of internal approval chains. The clock starts at detection. Notification can be preliminary and updated as the investigation progresses; the 72-hour deadline cannot be extended. Organisations requiring C-suite and legal approval before filing must complete those sign-offs within the notification window.
- Not coordinating the GDPR notification with the insurance notification. Most cyber insurance policies require notification within 24 hours of discovering the incident — overlapping with the AEPD timeline. A pre-established joint protocol prevents the most common failure: notifying the AEPD and then discovering the insurance deadline was missed.
- Not documenting ransom payment decisions. In ransomware incidents where payment is considered, the decision and any payment must be documented for corporate governance, potential OFAC screening if the attacker is a sanctioned entity, and potential law enforcement disclosure. Undocumented payments create additional exposure independent of the underlying incident.
How We Work
Preparedness track: IRP design and documentation (4–6 weeks), annual tabletop exercise, and quarterly IRP review. Fixed annual fee based on company size and sector.
Response track: available through retainer (guaranteed response within 4 hours, 24/7) or on-call engagement (business hours priority). The retainer includes the preparedness track and an agreed number of incident response hours per year at reduced rates.
Post-incident: post-mortem report with lessons learned, IRP update, regulatory interaction management through closure, and civil or criminal claim coordination where the incident involves third-party liability (compromised supplier, director negligence).
Geographic Coverage and Multi-Jurisdiction Incidents
Our incident response practice operates across all Spanish jurisdictions and has experience coordinating cross-border responses involving supervisory authorities in multiple EU Member States.
Spain-based companies with EU operations: incidents affecting personal data subjects in multiple Member States require notification to the lead supervisory authority under the GDPR one-stop-shop mechanism (Art. 56 GDPR) — typically the authority in the Member State of the company’s main establishment. Cross-border breach notifications must be coordinated simultaneously with the lead authority and all relevant concerned authorities. Our team manages this coordination, ensuring consistent documentation across all notifications.
Spanish subsidiaries of non-EU groups: incidents originating at group level may require independent Spanish regulatory notifications even when the primary incident response is managed by the parent company’s security team. The Spanish entity is independently responsible for its AEPD and NIS2 notification obligations. We advise the Spanish entity on its independent obligations and manage the AEPD and INCIBE/CCN-CERT relationship for the Spanish-specific aspects of the response.
Multinational incident response: for groups with operations across multiple EU jurisdictions, we coordinate with correspondent law firms to ensure that incident documentation and regulatory notifications are consistent across all supervisory authorities. This is critical when the lead GDPR supervisory authority requests information about measures taken across the entire group — inconsistent notifications to different authorities can create regulatory complications beyond the original incident.
For companies in Madrid and the Costa del Sol, our physical presence allows for immediate in-person support at the client’s premises during the critical first hours of an incident — an advantage when systems are compromised and remote communication channels may be unreliable.
Integration with the Broader Cybersecurity and Legal Practice
Incident response is most effective when integrated with a broader programme of preventive cybersecurity governance and legal compliance. Our incident response service connects directly with:
- Cybersecurity Audit: annual technical review of security controls, identifying vulnerabilities before attackers do and ensuring that the IRP reflects the current technical environment.
- NIS2 Compliance: for in-scope companies, the NIS2 security measures (risk management, supply chain security, access controls, encryption) directly reduce incident probability. NIS2 compliance and incident response planning are developed as a single programme.
- DORA Compliance: for financial entities, DORA incident management requirements are integrated into the IRP design from the outset.
- Breach Response: the personal data breach management service covers the GDPR Art. 33-34 dimension in depth, with specialist support for high-complexity breach notifications involving large volumes of affected individuals, sensitive data categories, or regulatory investigations following the initial notification.
- Virtual CISO: for companies without a dedicated security lead, the vCISO function provides ongoing security governance including IRP maintenance and tabletop exercise facilitation as part of a comprehensive security management programme.
Real results in incident response
We received the alert at 2am on a Saturday. By 4am, BMC had our containment team coordinated, affected systems isolated, and a forensic firm engaged. By Sunday evening, the AEPD draft notification was ready. By Monday morning, we were operational with recovered systems. Without the response plan and retainer we had put in place three months earlier, it would have been catastrophic.
Experienced team with local insight and international reach
What our incident response service includes
Incident Response Plan (IRP)
Design of the response plan tailored to critical assets, specific risks, and the company's organisational structure: roles, procedures, communications, and regulatory notifications.
Tabletop Exercises
Facilitation of realistic tabletop scenarios with the executive and technical teams: ransomware, data breach, credential compromise via phishing, critical supplier failure.
Real Incident Support
Immediate activation of technical and legal support for real incidents: containment coordination, forensic investigation management, and real-time legal counsel.
Regulatory Notifications
Drafting and managing notifications to the AEPD (GDPR, 72 hours), the NIS2 supervisory authority (24-hour early warning, 72-hour initial report), and affected individuals where required.
Crisis Communications and Post-Mortem
Management of communications to clients, partners, and media during and after the incident, and post-mortem analysis to update the plan with lessons learned.
Start with a free diagnostic
Our team of specialists, with deep knowledge of the Spanish and European market, will guide you from day one.