
07 · REGULATORY READINESS

The calm in a crisis is just decisions you made earlier.

The people who stay composed during a security incident are rarely calmer by temperament. They are calmer because almost every decision that matters in the first hour was made weeks before, in a quiet room, by people who were not panicking. A crisis is a terrible time to decide who is in charge, what you are allowed to switch off and who calls the regulator. Readiness is mostly having decided all of that already.

[Figure: a close view of a railway switch, the mechanism that routes a train one way or another]
FIG · 00 A switch moves in a fraction of a second, because everything about how it moves was settled long before the train arrived.

The reason to take this seriously is that the human in the loop of a crisis is you, and the cost of an unmade decision is highest exactly when there is no time to make it well. Almost everything that goes badly wrong in the first hour goes wrong because a choice that should have been settled in advance arrived, for the first time, at the worst possible moment.

01 The first hour decides the rest.

When an incident lands, the expensive mistakes happen fast and early. Someone wipes a machine that held the only evidence of how the attacker got in. Two people give different accounts to two different customers. A compromised server stays online for another six hours because nobody in the room feels authorised to take it down. None of these are technical failures. They are decision failures and they happen because the decision turned up for the first time at the worst imaginable moment.

The teams that come through this well have pre-made those calls. There is a named person who can authorise pulling a system offline without waiting for a meeting. There is one channel where the real picture lives so nobody is briefing from rumour. There is a standing rule that you isolate and preserve before you clean, so the evidence the investigation and the regulator will both want is still there in the morning. Settled in advance, each of these is obvious. Invented under pressure, each becomes a coin flip with real money on it.

02 The clocks are not the enemy.

FIG · 01 The reporting clock for a significant incident. Staged on purpose, because you are not expected to know everything at hour one.
Within 24 hours
  • Early warning to your authority (NIS2)
  • Decide: is it significant? (NIS2)
Within 72 hours
  • Full incident notification (NIS2 Art 23)
  • Personal-data breach to the DPA (GDPR Art 33)
Within one month
  • Final report: cause, impact, fix (NIS2)

European regulation now puts a clock on all of this and it is worth meeting before it feels hostile. Under NIS2, an essential or important entity facing a significant incident owes its national authority an early warning within 24 hours of becoming aware, a fuller notification within 72 hours and a final report within a month.¹ Where personal data is caught up in it, GDPR adds its own duty to notify the supervisory authority within 72 hours when people’s rights are genuinely at risk.² One event commonly trips both clocks together.

It is tempting to read these deadlines as bureaucratic pressure stacked onto an already bad day. They are better understood as the deadlines a competent responder would set anyway. The 24-hour warning forces precisely the question you should be asking regardless: is this significant, and who outside the room needs to know? The staging from warning to notification to final report mirrors how an investigation actually unfolds, moving from "something is wrong" to "here is exactly what happened and what we changed". The law is mostly asking you to do, on a clock, what a serious operator would want to do in any case.

03 Readiness is a muscle, not a binder.

The gap I see most often is between a plan that exists and a plan that works, with the whole of the difference being rehearsal. A response plan that has been written, approved and filed is a document. A response plan that the actual people have walked through together, ideally against a realistic scenario, is a capability. The first time the team runs the plan should never be the first time the incident is real.

What a working plan contains is not exotic: the named roles and the single decision-maker, a way to reach everyone out of hours, the technical drill for isolation and evidence, the communications lines for staff and customers and regulators, the phone numbers you will be reaching for at 3am. The content matters. The rehearsal matters more, because rehearsal is what turns a list into reflexes and surfaces the quiet gap nobody noticed until someone asked who actually holds that number.

A plan nobody has rehearsed is not a safety net. It is a document that lets you down on the one day it was for.

04 Why readiness frees you to build.

None of this is an argument for timidity, and that is the part I care about most. The reason to be ready for the bad day is not fear. It is so that fear stops being a reason to say no. An organisation that knows exactly how it would respond to an incident can run ambitious, connected, heavily automated systems with a clear head, because it has already looked the worst case in the eye and made its decisions while calm. The readiness is what buys the confidence to build.

That is the inversion worth ending on. Incident response sounds like the most defensive subject there is, all worst cases and damage control. Done properly it is the opposite. It is the work that lets you stop being afraid of your own ambition, because you have made, deliberately and in advance, the decisions you would otherwise be forced to make at the worst possible time. The calm in the crisis was never luck or temperament. You built it earlier, on purpose.

QUESTIONS ON THIS PIECE

What readers tend to ask.

01 What are the NIS2 incident reporting deadlines?

NIS2 sets a staged clock for a significant incident: an early warning to your national CSIRT or competent authority within 24 hours of becoming aware, a fuller incident notification within 72 hours and a final report within one month. The staging is deliberate. You are not expected to know everything at hour one, only to start the conversation and then fill it in as the picture clears.

02 Does GDPR require reporting a data breach?

Yes. Under Article 33, if a personal-data breach is likely to risk people’s rights and freedoms, you must notify the supervisory authority within 72 hours of becoming aware and inform the affected people where the risk is high. A security incident and a personal-data breach are often the same event, so the NIS2 and GDPR clocks frequently run together.

03 What should an incident response plan include?

Named roles with one clear decision-maker, a way to reach everyone out of hours, the technical steps to isolate and preserve evidence rather than destroy it, communications lines for staff, customers and regulators, plus the contacts you will need under pressure. Above all it should be rehearsed. A plan nobody has run is a document, not a capability.

04 Who needs to be involved when a cyber incident happens?

More people than the security team. The first hour pulls in whoever can authorise taking systems offline, legal and data-protection for the regulatory clocks, communications for what gets said and the technical people doing containment. Deciding who those people are in advance and how to reach them at 3am is most of what separates a calm response from a scramble.

WRITTEN BY
Philippe Kaivers

Founding partner, Imageplus. Advisory across AI strategy, governance and regulatory readiness, grounded in twenty years of systems in regulated production.

ABOUT THIS INSIGHT
Pillar
Regulatory readiness
Published
1 June 2026
Read time
8 minutes · 1,260 words
SOURCES
  1. Staged incident reporting for significant incidents (early warning within 24 hours, notification within 72 hours, final report within one month). NIS2 Directive (EU) 2022/2555, Article 23: EUR-Lex.
  2. Personal-data breaches must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware. GDPR, Regulation (EU) 2016/679, Article 33: EUR-Lex.
