Information Security 6 min read

Incident response: the first 24 hours and regulatory requirements

How to balance technical cyberattack containment with strict compliance reporting requirements during the critical first 24 hours after threat detection.

The first 24 hours after detecting a compromise are the most stressful for any organization. When critical services fail and signs of unauthorized access appear, IT teams naturally want to "put out the fire" quickly: restart servers, restore from backups, and return to normal. However, this approach, focused solely on rapid technical recovery, is now outdated and dangerous for business survival.

Modern incident response is inextricably linked to regulatory requirements. Attempting to immediately erase traces of an intruder destroys digital evidence (forensics), complicates investigations, and prevents timely notification of regulators. This article explores how to synchronize threat containment measures with strict compliance requirements during the first, most critical day after a breach.

Anatomy of the first day: why technical response without compliance is a financial risk

When an incident occurs, a deep internal conflict arises between the IT department and the legal team. Engineers want to minimize RTO (Recovery Time Objective) and often follow the simplest scenario: reinstalling the OS or deploying a backup. From a compliance perspective, this is catastrophic. Volatile data, which might contain unique attack artifacts, is destroyed. Furthermore, without a detailed root cause analysis, the attacker could exploit the same vulnerability again within hours.

According to the ENISA Threat Landscape 2025 report, which covered 4,875 incidents, essential entities under the NIS2 directive account for 53.7% of all affected structures. This means over half of incidents occur in critical infrastructure and essential service companies, where strict reporting rules apply. Missing regulatory notification deadlines risks heavy fines and license suspension.

This is why the first 24 hours require clear coordination between technical containment and legal evidence preservation procedures.

Containment without evidence destruction: applying NIST CSF 2.0 'Respond'

The updated NIST CSF 2.0 framework officially introduces the 'Govern' function, emphasizing that cyber risk management is an integral part of overall corporate governance. When activating the 'Respond' function, the primary task is not full recovery, but threat containment and impact minimization.

To localize an attack without harming the investigation, the IR team must follow a structured protocol:

  • Logical isolation instead of physical shutdown: Powering off servers leads to the loss of RAM content, where encryption keys and active network connections are stored. Instead, use network isolation at the EDR or firewall level.
  • Memory dumping: Before any destructive actions, create a forensic copy of the compromised host's RAM.
  • Identity intelligence: According to the Cisco Cybersecurity Readiness Index 2025, cyber readiness is based on five pillars, with Identity Intelligence and Network Resilience being key. During an incident, it is vital to immediately identify compromised accounts and block them. If an attacker has obtained legitimate credentials, isolating a single server will not stop them.

Mapping the attack with MITRE ATT&CK: rapid scale assessment

To make informed decisions in the first hours, the IR team needs a common language to describe the threat. The MITRE ATT&CK matrix structures attacker behavior into tactics and techniques. It is not a legal compliance law, but an indispensable tool for rapid alert mapping.

If the SOC detects technique T1078 (Valid Accounts) combined with T1021 (Remote Services), it becomes clear the attacker is at the lateral movement stage. This allows for proactive action: blocking compromised sessions at the domain level and restricting access between segments, rather than just scanning individual PCs for viruses.

Such mapping helps clearly respond to regulator requests regarding affected systems and attack vectors using standardized MITRE concepts.

NIS2 requirements and the 24-hour report: what to communicate

The NIS2 directive sets strict frameworks for essential organizations. One of the main requirements is submitting an early warning report within 24 hours of detecting a significant incident. While this rule does not apply to every company globally regardless of jurisdiction, it is mandatory for European critical infrastructure.

In the initial notification, the regulator does not expect a final root cause investigation. The report should contain:

  • The fact of incident detection and start time.
  • The preliminary nature of the event (e.g., ransomware, DDoS, data breach).
  • Suspicion of illegal activity (cyberattack).
  • Preliminary assessment of cross-border impact on other organizations.

To meet this requirement, the organization must have a pre-prepared report template and an agreed-upon communication matrix.

Building resilient architecture to prevent chaos

The best way to navigate the first 24 hours without panic is to build resilience at the IT architecture level (Security by Design). Intecracy Group offers expertise in threat modeling and response process building, based on reliable technology platforms.

For building resilient enterprise systems, the UnityBase platform is used (a joint development of companies within Intecracy Group; InBase is a key, but not the only, developer). The platform's mechanisms provide critical functions for incident response:

  • Audit trail: The platform automatically records user and system process actions, allowing for the immediate reconstruction of the event timeline during an investigation.
  • Access control (RBAC/RLS): Role-based access and row-level security ensure that the compromise of one account does not grant access to the entire database.
  • Enhanced security in commercial editions: For projects with high security requirements, the platform's official website recommends Enterprise (EE) or Defence (DE) editions, which support Active Directory integration, advanced authentication capabilities, and integrity checks of server modules.

Meanwhile, Softengi (a member of Intecracy Group), certified to the international ISO/IEC 42001:2023 AI management standard, develops custom solutions based on the "security by design" principle, minimizing the attack surface during integrations.

Hourly incident response checklist for the first 24 hours

This algorithm allows for simultaneous threat containment and compliance with regulatory requirements:

  1. 0-2 hours: Detection and verification. Activate the IR team, logically isolate the first compromised hosts without powering off (preserving RAM). Start an out-of-band communication channel.
  2. 2-6 hours: Mapping and scale assessment. Determine tactics via MITRE ATT&CK, localize entry points, aggregate EDR logs. Identify compromised accounts.
  3. 6-12 hours: Containment and evidence preservation. Block accounts, rotate access keys, create forensic images of RAM and disks.
  4. 12-18 hours: Categorization and legal assessment. Determine if the incident falls under NIS2/GDPR requirements, assess business process impact.
  5. 18-24 hours: Regulatory notification. Send the early warning report to the regulator or CERT using the approved template, start client communication.

FAQ

Do we need to notify the regulator about an incident if we haven't determined the exact cause of the breach yet?

Yes. According to NIS2 requirements, an early warning must be sent within 24 hours of detecting a significant incident. At this stage, it is sufficient to report the fact of the event, its nature, and a preliminary impact assessment, rather than providing a full technical report.

How can we preserve attack evidence (forensics) while restoring business processes as quickly as possible?

The key approach is logical isolation of compromised equipment instead of physical shutdown. Use EDR systems to isolate hosts, take memory dumps, and disk copies before deploying clean backups. This preserves attack artifacts and allows for parallel recovery processes.

Which organizations are subject to the 24-hour reporting requirement under the NIS2 directive?

Essential and Important organizations in critical sectors (energy, transport, healthcare, digital infrastructure, finance) are subject to early reporting requirements. The list is ultimately regulated by the national legislation of the countries implementing the directive.

Data sources

Sources & materials

Materials and sources used in this article.

  1. ENISA Threat Landscape 2025 — enisa.europa.eu
  2. NIST Cybersecurity Framework (CSF) 2.0 — nist.gov
  3. MITRE ATT&CK — attack.mitre.org
  4. Cisco Cybersecurity Readiness Index 2025 — newsroom.cisco.com
  5. NIST: Artificial Intelligence Risk Management Framework (AI RMF 1.0) — nist.gov