Incident response
Incident response is the structured process for detecting, responding to and containing security incidents in order to limit damage and restore normal operations as quickly as possible.
Incident response covers all organisational and technical measures an organisation uses to react to security incidents. The process typically follows an established phase model, such as the NIST model (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity) or the equivalent approach in BSI Standard 200-4. The goal is to detect an incident early, assess it correctly, contain it, eradicate the cause and learn from it in order to reduce the likelihood and impact of future incidents.
A core element of effective incident response is a documented incident response plan with clear roles, escalation paths, reporting chains and communication rules. Organisations often set up a dedicated Computer Security Incident Response Team (CSIRT or SOC) that classifies incidents, conducts forensic analysis and coordinates containment. Incident response is closely interlinked with emergency and business continuity management as well as disaster recovery procedures, so that the availability of critical processes is maintained even during serious incidents.
From a regulatory perspective, incident response has gained considerable importance through the NIS2 Directive and its national implementation. Essential and important entities must maintain appropriate measures for handling security incidents and are subject to staggered reporting obligations to the competent authority (in Germany, the BSI): an early warning within 24 hours, an incident notification within 72 hours and a final report after one month at the latest. Top management bears responsibility for the implementation and effectiveness of these measures, which is why incident response is a central building block of an information security management system (ISMS).
Legal Basis
Art. 21(2)(b) and Art. 23 NIS2 Directive (EU) 2022/2555; ISO/IEC 27035; BSI Standard 200-4; ISO/IEC 27001 Annex A (A.5.24 ff.)
Practical Example
A mid-sized mechanical engineering company that qualifies as an important entity under NIS2 detects unusual encryption activity on a file server via its SIEM. The CSIRT activates the incident response plan, isolates the affected systems from the network (containment), preserves forensic evidence and identifies a ransomware infection. The information security officer submits an early warning to the BSI within 24 hours, files the formal incident notification within 72 hours and restores the systems from verified backups. In the final post-incident review, lessons learned are documented and patch management is adjusted to permanently close the exploited vulnerability.
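The detection step and the reporting clock from the example above, as an added illustration that is not part of the original entry: a small Python script that scans constructed file-server audit log lines for the burst of extension-changing renames typical of mass encryption, raises one alert per host/user pair, and derives the NIS2 early-warning, notification and final-report deadlines from the detection time. The log format, the 60-second window, the threshold of five renames and the assumption that the one-month final-report deadline is counted from the 72-hour notification deadline are all assumptions made for this example; a real SIEM rule would use the format and thresholds of the organisation's own telemetry.

```python
"""Mass-encryption burst detector with NIS2 reporting deadlines (added example)."""
import calendar
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log (not real data). Format assumed for this example:
#   <ISO timestamp> <host> <user> <action> <path> [<new path for RENAME>]
SAMPLE_LOG = """\
2024-03-04T09:12:01 fs01 alice WRITE /share/eng/drawing-001.dwg
2024-03-04T09:12:05 fs01 alice RENAME /share/eng/notes.txt /share/eng/notes.md
2024-03-04T09:30:00 fs01 bob RENAME /share/eng/drawing-001.dwg /share/eng/drawing-001.dwg.locked
2024-03-04T09:30:03 fs01 bob RENAME /share/eng/drawing-002.dwg /share/eng/drawing-002.dwg.locked
2024-03-04T09:30:07 fs01 bob RENAME /share/eng/spec.docx /share/eng/spec.docx.locked
2024-03-04T09:30:11 fs01 bob RENAME /share/eng/bom.xlsx /share/eng/bom.xlsx.locked
2024-03-04T09:30:15 fs01 bob RENAME /share/eng/readme.txt /share/eng/readme.txt.locked
2024-03-04T09:30:20 fs01 bob RENAME /share/eng/drawing-003.dwg /share/eng/drawing-003.dwg.locked
2024-03-04T09:31:00 fs01 carol RENAME /share/hr/old.pdf /share/hr/archive/old.pdf
"""

WINDOW = timedelta(seconds=60)   # sliding window (assumed tuning value)
THRESHOLD = 5                    # extension-changing renames per window (assumed)


def parse_line(line):
    """Split one audit line into a dict; RENAME lines carry a second path."""
    parts = line.split()
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "host": parts[1],
        "user": parts[2],
        "action": parts[3],
        "src": parts[4],
        "dst": parts[5] if len(parts) > 5 else None,
    }


def changes_extension(ev):
    """True when a RENAME leaves the file with a different extension."""
    if ev["action"] != "RENAME" or ev["dst"] is None:
        return False
    return os.path.splitext(ev["src"])[1].lower() != os.path.splitext(ev["dst"])[1].lower()


def detect_mass_encryption(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (host, user) whose extension-changing renames
    reach `threshold` inside any `window`-long interval."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    per_actor = defaultdict(list)
    for ev in events:
        if changes_extension(ev):
            per_actor[(ev["host"], ev["user"])].append(ev)

    alerts = []
    for (host, user), evs in per_actor.items():
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = evs[start:end + 1]
                alerts.append({
                    "host": host,
                    "user": user,
                    "first_seen": burst[0]["ts"],
                    "count": len(burst),
                    "new_extensions": sorted({os.path.splitext(e["dst"])[1] for e in burst}),
                })
                break  # one alert per actor is enough to open an incident
    return alerts


def add_one_month(dt):
    """Same day next month, clamped to the last day of that month."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def nis2_deadlines(detected_at):
    """24 h early warning, 72 h notification, final report one month later.
    Assumption: the month is counted from the notification deadline."""
    notification = detected_at + timedelta(hours=72)
    return {
        "early_warning": detected_at + timedelta(hours=24),
        "incident_notification": notification,
        "final_report": add_one_month(notification),
    }


if __name__ == "__main__":
    for alert in detect_mass_encryption(SAMPLE_LOG):
        print("ALERT", alert)
        for name, when in nis2_deadlines(alert["first_seen"]).items():
            print(f"  {name:22s} {when.isoformat()}")
```

The rule keys on the extension change rather than on write volume alone, because bulk writes are normal on an engineering file share while dozens of renames to a single new extension within a minute are not; the `first_seen` timestamp of the triggering burst is what starts the 24-hour early-warning clock in this example.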