Frameworks are not procedures
If you have read ANSSI’s “Crisis management” guides or ENISA’s incident response good-practice publications, you know they describe what a mature crisis capability looks like. They are excellent at the strategic level. They are deliberately not, however, a step-by-step manual you can hand to a stressed colleague at 2 a.m.
That gap - between the framework on the shelf and the actions in the war room - is where most organisations fail. This article shares the methodology we have refined with our team and partners, based on those agencies’ guidance, but translated for real operational use.
The four-level model we recommend
We structure crisis response around four nested layers. Each one has a clear purpose, a clear owner, and clear deliverables.
Level 1 - Strategic crisis cell
- Purpose: make the decisions only the company can make: legal, financial, communication, ethical.
- Owner: CEO or designated executive. Includes legal counsel, communications lead, CFO, CISO.
- Cadence: key decision points (typically every 2-4 hours during an active crisis).
- Output: strategic decisions, formally logged with author and timestamp.
Level 2 - Operational crisis cell
- Purpose: translate strategic decisions into orchestrated technical and business actions.
- Owner: CISO or crisis manager. Includes IT operations, SOC, business unit leads, HR, internal comms.
- Cadence: continuous, with formal stand-ups every 30-60 minutes.
- Output: prioritised task list, status updates, escalation requests.
Level 3 - Technical response teams
- Purpose: execute containment, eradication, forensics, restoration.
- Owner: SOC manager, IR lead, infrastructure leads.
- Cadence: continuous.
- Output: technical actions logged with evidence (commands, screenshots, hashes).
Level 4 - Support functions
- Purpose: logistics, well-being, sleep rotation, food, transport, legal hold, HR communication.
- Owner: office manager / HR / legal.
- Cadence: continuous, often invisible, always essential.
- Output: keep the other three levels operational for as long as the crisis lasts.
A crisis that drags on more than 24 hours without level 4 working properly is a crisis that ends in burnout - and burnout makes mistakes that turn a serious incident into a catastrophic one.
The RACI principle, applied
Each scenario in your playbook library should specify, for every key action:
- R - Responsible: the person doing the work.
- A - Accountable: the person answerable for the outcome (only one).
- C - Consulted: people whose expertise is needed before deciding.
- I - Informed: people who must know after the fact.
Without RACI, the same task is either done three times or not at all. With RACI, even a brand-new colleague joining the crisis cell at hour 6 can take over an action without ambiguity.
The five playbooks every organisation should have
If you have nothing today, start with these five. They cover the vast majority of declared incidents:
- Ransomware / mass encryption event
- Confirmed data breach with personal data exposure
- Critical supplier outage (cloud provider, identity provider, payment processor)
- DDoS or availability attack on a customer-facing service
- Insider threat / suspected internal malicious action
Each playbook should fit on a single page at the top level (the triage view), and expand to detailed checklists below. The triage view is what your stressed colleague reads in the first 2 minutes; the detail is what they consult once they know which path applies.
Traceability is not optional
Both ANSSI and ENISA insist on a single point that is often overlooked in commercial tools: a complete, immutable log of decisions and actions. Not because of compliance alone - because the post-crisis review is where your organisation actually gets stronger. You cannot improve what you cannot reconstruct.
PanicSafe was built around this principle. Every action taken inside the platform - from a chat message to a task completion to a document share - is automatically captured in a tamper-evident logbook that supports both regulatory evidence and honest internal post-mortems.
Post-crisis: the most undervalued phase
The strongest crisis teams we work with treat the post-crisis review as the most important phase, not the most boring one. Within 30 days they produce:
- A factual chronology, reconstructed from the logbook.
- A short list of root causes (technical and organisational).
- A list of changes to playbooks, training, detection rules and contracts.
- An honest internal communication: what worked, what did not, what we now ask of every team.
That document is what turns a painful event into durable capability. It is also, not coincidentally, exactly what regulators want to see.
Want to go further?
Our team in Lyon regularly runs methodology workshops with customers and partners, mapping their existing processes against ANSSI and ENISA frameworks and identifying where PanicSafe accelerates the journey. Get in touch if you would like to schedule one.