The NIS2 Directive on cybersecurity for Networks and Information Systems emerges as a necessity to update European legislation on the topic. It is a binding text for all Member States, which had to transpose it into national law by October 17. In What You Should Know About the New European NIS2 Directive on Cybersecurity, Teresa Ruiz focused on the need to take action in case of a cyberattack, given the new obligations these Directives impose on essential entities. In this article, we will analyze the basic points of our action plan once we have already suffered a cyberattack.
If you are unsure why you should keep reading, here's a fact: cybercrime is predicted to cost the world $9.5 trillion USD in 2024. Additionally, non-compliance with both directives can have severe consequences, such as significant financial penalties, operational restrictions, or even the closure of operations.
Conduct a forensic analysis to determine the extent of the cyberattack
The first thing to keep in mind, once a cyberattack has been confirmed, is to activate a two-level response protocol: on the technical side, to restore operational normality; and on the communication side, to comply with regulatory requirements and to contain and minimize damage as quickly as possible.
From a technical perspective, the best approach is to conduct a forensic analysis with a specialized external company. This procedure involves examining the affected IT systems to establish how the attack occurred and to assess the damage caused.
Regarding the communication response, which is of interest from the perspective of reputational damage, the DIRCOM (Director of Communications) can rely on the specialized advice of communication consultants to implement the response plan. This protocol should cover the following aspects:
Internal Communication
Employees should be the first to be notified. They must be transparently informed about the situation, with clear measures established on how they will carry out their tasks until normal operations can be restored. If done well, they will be the main ambassadors of the brand and the company’s message.
If internal communication is not properly managed, there is a risk that employees will spread information not aligned with the company. In this case, they may create more chaos and potential reputational problems.
Coordination with Authorities
Authorities should be notified within the first 24 hours if the incident is serious, a preliminary assessment report should be submitted within a maximum of 72 hours, and a final report should follow one month after the incident. INCIBE-CERT plays a significant role if the incident occurs in Spain. However, it is always advisable to be redundant and to inform the Data Protection Agency separately as well, since it is always better to err on the side of caution.
Putting the Customers at the Center
Informing affected parties quickly and clearly is also an essential requirement, and one explicitly stated by the regulator. Having pre-prepared standard or pro forma communications for cyberattacks helps save time. Ideally, communication should be done directly via email with suppliers and customers. At the same time, we should post the statement on the website (provided it has not been affected by the attack). The statement should explain the facts, the potential consequences for those affected, how they should act, and what measures the company is implementing to resolve the incident as quickly as possible.
Therefore, acting quickly and effectively on the communication front in the first hours after a cyberattack is crucial not only for regulatory compliance and risk minimization but also for avoiding heavy fines or government intervention if the company belongs to a strategic sector. This can only be done successfully if the executive directors have established an action procedure beforehand.
Although at first glance it may seem that the demands of the new European security and technology legislation are yet another headache for essential entities, it will lead to an upgrade of the security standards of critical infrastructures and, therefore, should reduce the likelihood of cyberattacks and improve the security and business continuity of these entities.