Incident Response Plan & Security Addendum (NIS2-Ready)

INCIDENT RESPONSE PLAN & SECURITY ADDENDUM


1. Purpose & Scope

This Plan defines procedures for detecting, responding to, and reporting cybersecurity incidents affecting [ORGANIZATION NAME]’s network and information systems within the scope of the NIS2 Directive and corresponding national laws.


2. Governance & Roles

  • Incident Response Lead (IR Lead): [TITLE/NAME], responsible for coordinating response activities.
  • Cybersecurity Team: Handles detection, containment, eradication, and recovery tasks.
  • Legal & Compliance: Manages regulatory notifications and evidence preservation.
  • Communications Lead: Oversees stakeholder messaging and media responses.
  • Executive Sponsor: Approves major decisions, resource allocation, and post-incident remediation.

3. Incident Classification

Define severity tiers (Low, Medium, High, Critical) with criteria such as service disruption, data compromise, legal impact, or cross-border relevance. Align with ENISA guidance and sector-specific rules.


4. Detection & Reporting

  • Monitor systems using SIEM, IDS/IPS, and anomaly detection.
  • Employees must report suspected incidents to the Security Operations Center within [MINUTES] minutes via [CONTACT CHANNEL].
  • Document events in the Incident Ticketing System with timestamps, indicators of compromise, and initial containment steps.

5. Response Workflow

  1. Identification: Validate incident and determine scope.
  2. Containment: Implement short-term containment (network isolation) followed by long-term containment strategies.
  3. Eradication: Remove malicious artifacts, patch vulnerabilities, and harden controls.
  4. Recovery: Restore systems, validate integrity, and monitor for recurrence.
  5. Post-Incident Review: Conduct root cause analysis and lessons learned within [DAYS] days.

6. Regulatory Notifications (NIS2)

  • Submit an early warning to the competent authority within 24 hours of becoming aware of a significant incident.
  • Provide an incident notification within 72 hours including impact assessment, indicators of compromise, and mitigation measures.
  • Deliver a final report within one month or upon request, covering root cause, remediation, and long-term improvements.
  • Coordinate with cross-border CSIRTs and affected service providers.
  • Reference the national implementing laws in each Member State where services are provided to confirm any accelerated timelines or sector-specific add-ons.

7. Stakeholder Communications

  • Notify affected customers, partners, and vendors as required by contract or law.
  • Align messaging with GDPR breach notifications if personal data is involved.
  • Maintain media holding statements and Q&A templates in Annex C.

8. Evidence Preservation & Forensics

  • Preserve logs, system images, and relevant data in tamper-evident storage.
  • Document chain of custody and forensic actions.
  • Engage third-party experts when specialized analysis is required.

9. Third-Party & Supply Chain Coordination

  • Maintain contact list for critical suppliers and service providers.
  • Require vendors to notify [ORGANIZATION NAME] of incidents impacting shared services within [HOURS] hours.
  • Include right-to-audit and cooperation clauses in contracts (see Annex D).

10. Security Controls & Continuous Improvement

  • Reference baseline security controls (ISO 27001, CIS, NIST).
  • Perform regular penetration tests, vulnerability scans, and table-top exercises.
  • Track remediation tasks in the Risk Register and report to leadership quarterly.

11. Training & Awareness

  • Conduct annual incident response training for relevant teams.
  • Execute simulated phishing and social engineering exercises.
  • Maintain documentation of attendance and performance metrics.

12. Appendices & Templates

  • Appendix A: Incident Severity Matrix
  • Appendix B: Notification Checklist & Draft Forms
  • Appendix C: Communication Templates (internal, customer, media)
  • Appendix D: Vendor Security Addendum Clauses
  • Appendix E: Post-Incident Review Report Template

[// GUIDANCE: Review plan semi-annually and after every major incident to incorporate lessons learned.]
