Cybersecurity Incident Response: Every Minute Counts

Cybersecurity incident response is the set of technical and legal procedures an organisation activates upon detection of a cyberattack, system breach, or data security event. In the EU regulatory framework, two parallel notification obligations apply simultaneously: under Article 33 of the GDPR, personal data breaches must be notified to the AEPD within 72 hours; under the NIS2 Directive (EU 2022/2555, transposed in Spain by 2026), essential and important entities must submit an early warning to the competent authority (INCIBE-CERT or CCN-CERT) within 24 hours of detecting a significant incident, followed by a more complete report within 72 hours. Failure to meet these deadlines constitutes an independent regulatory infringement separate from the underlying incident.

Our incident response team brings together lawyers specialising in cybersecurity and privacy regulation with experience in technical response coordination, crisis management, and regulatory authority relations. Integrating the legal and operational dimensions from the first moment is the difference between an effective response and one that generates additional problems.

The Preparation Gap

An active cyberattack is the worst moment to discover that the response plan does not exist, that no one knows who to call, or that the documented procedures do not reflect operational reality. Post-incident investigations consistently show that the damage caused by lack of preparation exceeds the damage from the incident itself: systems offline longer than necessary due to absent recovery procedures, regulatory fines for late notification, and client trust destroyed by uncoordinated crisis communication.

The incident response plan is not a document to be filed and forgotten. To be useful, it must reflect the company’s actual technical architecture, the critical assets that must be prioritised for recovery, the real-world roles of the people who will execute it, and the current contacts for suppliers, authorities, and insurers. It must be tested regularly through tabletop exercises that place the team in simulated stress and reveal failures before a real incident does.

What Effective Tabletop Exercises Look Like

The exercises we facilitate go beyond a theoretical discussion. We use detailed scenarios based on the most frequent attack vectors in the company’s specific sector — ransomware in manufacturing and logistics, credential compromise via phishing in professional services, supply chain attacks in critical sectors — and introduce real-time complications that test decision-making and communication under pressure. The post-exercise report identifies critical gaps and produces a concrete improvement plan.

The Legal Dimension of Incident Response

When a real incident occurs, the coordination between technical response and legal management is critical. The forensic team needs to preserve evidence in a form that is admissible if criminal involvement is suspected. Regulatory notifications must be accurate and consistent — the AEPD and the NIS2 supervisory authority can request additional information that must be consistent with what has already been notified. If there is a potential cyber insurance claim, incident documentation must satisfy the insurer’s requirements. Our service coordinates all these dimensions from the first moment.

The GDPR and NIS2 notification obligations run in parallel with very tight timelines. Our experience is clear: organisations that have conducted the tabletop exercise and have a tested, documented protocol consistently meet the deadlines with margin. Organisations that improvise rarely do.

Criminal Liability and Incident Response

In incidents involving ransomware extortion, theft of trade secrets, or sabotage, the incident response has a criminal dimension that requires specialist legal oversight from the outset. Our criminal compliance team coordinates with the incident response function to ensure that evidence is preserved, that law enforcement notification decisions are made with full legal awareness of the consequences, and that the company’s legal position is protected throughout the response.