
NIS2 crisis management: a practical readiness checklist for CISOs

NIS2 Article 21 makes incident handling and crisis management mandatory risk-management measures, and supervisors will ask for evidence, not assertions. Here is a concrete, audit-friendly checklist to assess whether your organisation is truly ready.

3 min read By Dream On Technology Compliance

Why this checklist exists

Since the European NIS2 directive came into force, thousands of “essential” and “important” entities have discovered an uncomfortable truth: having a security policy is not the same as being able to manage a crisis. Article 21 of NIS2 lists incident handling, business continuity and crisis management among the measures an entity must implement, and supervisors expect organisations to demonstrate, through evidence, their ability to detect, respond to, communicate around and learn from incidents.

Below is a pragmatic checklist we use with customers and partners to help them assess where they really stand. It is structured around the four phases of a cyber crisis: prepare, detect, respond, learn.

1. Prepare - the work you do before anything happens

  • You have a written crisis management plan signed off by executive leadership.
  • Roles are defined using a RACI matrix (decision maker, communications lead, technical lead, legal, HR, etc.).
  • You maintain an up-to-date contact list of crisis cell members, including out-of-band channels (personal mobile numbers, alternate emails).
  • You have documented playbooks for at least your top 5 scenarios: ransomware, data breach, DDoS, supplier compromise, insider threat.
  • Your crisis cell tests these playbooks at least once a year, ideally with a third party simulating the adversary.
  • Critical documents (network diagrams, backup procedures, supplier contracts) are stored in a location reachable even if your main IT is down.

2. Detect - catching it early

  • Detection sources (SIEM, EDR, NDR, MDR) are clearly identified and alerts have a defined escalation path.
  • Your time-to-acknowledge an alert is measured and trended.
  • You have a single point of activation - one phone number, one button - that any qualified employee can trigger to spin up the crisis cell.
  • False-positive handling is documented (who may close an alert, on what grounds, and where that is recorded) so that alert fatigue does not lead to genuine alerts being dismissed.

3. Respond - the moment of truth

  • You can convene a fully equipped crisis cell in under 15 minutes, including remotely, on personal devices, in the middle of the night.
  • Your communication tools are independent from the IT environment under attack. Assume the adversary can read your collaboration suite and corporate e-mail; if they are part of the breach, the crisis cell must still be able to work without them.
  • Every decision, instruction and observation is timestamped automatically, by the logbook rather than by the author, in a record that is append-only and tamper-evident (for example hash-chained), so that it cannot be retroactively edited without the change being detectable.
  • You have pre-drafted communication templates for employees, customers, regulators, the press and law enforcement.
  • Notification deadlines are tracked from the moment you become aware of a significant incident: the 24h early warning, the 72h incident notification and the final report one month after the notification, as required by NIS2 Article 23, are non-negotiable.
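Two of the items above, the logbook that cannot be retroactively edited and the notification clocks, can be built on the same record. The following is an added example, not code from the original page or from the PanicSafe product: an append-only logbook in which each entry carries a UTC timestamp and the SHA-256 of the previous entry, so that changing or deleting an earlier line invalidates every later one, and in which the first `detection` entry starts the Article 23 deadlines. The class and function names, the entry kinds and the sample entries in `demo()` are all constructed for illustration.

```python
"""Tamper-evident crisis logbook (added example, constructed for illustration).

Each entry is chained to the SHA-256 of the previous entry, so a retroactive edit
or deletion breaks every link after it. A `detection` entry starts the NIS2
Article 23 notification clocks (24h early warning, 72h incident notification).
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS_HASH = "0" * 64  # `prev` link of the very first entry


def entry_hash(prev_hash, ts, actor, kind, text):
    # Canonical JSON so the digest does not depend on whitespace or key order.
    payload = json.dumps([prev_hash, ts, actor, kind, text], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class CrisisLogbook:
    """In-memory append-only log; in practice persist `entries` as JSON lines."""

    def __init__(self):
        self.entries = []

    def append(self, actor, kind, text, ts=None):
        # The logbook assigns the timestamp; authors never type it in.
        ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries),
            "ts": ts,
            "actor": actor,
            "kind": kind,  # hypothetical kinds: detection, decision, instruction, observation
            "text": text,
            "prev": prev,
            "hash": entry_hash(prev, ts, actor, kind, text),
        }
        self.entries.append(entry)
        return entry["hash"]


def verify_chain(entries):
    """Return (True, None) if the chain is intact, else (False, seq of first bad entry)."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i  # gap, reordering or deleted predecessor
        if entry_hash(prev, e["ts"], e["actor"], e["kind"], e["text"]) != e["hash"]:
            return False, i  # content or timestamp edited after the fact
        prev = e["hash"]
    return True, None


def notification_deadlines(entries):
    """NIS2 Art. 23 clocks, started by the first `detection` entry, i.e. the
    moment the entity became aware of a significant incident."""
    first = next((e for e in entries if e["kind"] == "detection"), None)
    if first is None:
        return None
    aware = datetime.fromisoformat(first["ts"])
    return {
        "early_warning": aware + timedelta(hours=24),
        "incident_notification": aware + timedelta(hours=72),
        # Final report is due one month after the notification is submitted;
        # 30 days from awareness is used here as a conservative inner bound.
        "final_report": aware + timedelta(days=30),
    }


def demo():
    """Constructed sample crisis, then a retroactive 'correction' of the record."""
    log = CrisisLogbook()
    log.append("edr", "detection", "Ransomware note found on FS01", ts="2025-03-10T02:14:00+00:00")
    log.append("ciso", "decision", "Activate crisis cell", ts="2025-03-10T02:20:00+00:00")
    log.append("it-lead", "instruction", "Isolate file-server VLAN", ts="2025-03-10T02:25:00+00:00")
    assert verify_chain(log.entries) == (True, None)
    # Someone later tries to claim the cell was activated one minute after detection.
    tampered = [dict(e) for e in log.entries]
    tampered[1]["ts"] = "2025-03-10T02:15:00+00:00"
    return verify_chain(tampered)  # → (False, 1)


if __name__ == "__main__":
    print(demo())
```

The chain only proves that nothing inside the record was altered or removed; it cannot by itself show that entries were not silently dropped from the end. To cover that, periodically anchor the current head hash somewhere the crisis cell does not control (a timestamping authority, a ticket in a separate system, or a signed e-mail to legal), and have the auditor verify against that anchor.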

4. Learn - turning a crisis into capability

  • A post-incident report is produced within 30 days and shared with executive leadership; this also covers the final report NIS2 requires within one month of the incident notification.
  • Root causes are identified and translated into concrete remediation actions with owners and deadlines.
  • Lessons learned feed back into your playbooks, training programmes and detection rules.
  • You can prove this loop to an auditor with timestamped artefacts, not just slide decks.

How PanicSafe accelerates the journey

PanicSafe is purpose-built around exactly this lifecycle. It activates a fully equipped crisis cell in under 30 seconds, hosts your playbooks and contact lists in an environment independent from your compromised IT, and produces an immutable logbook that maps directly to NIS2 evidence requirements. Compliance is no longer a separate exercise - it becomes a by-product of running your crisis well.

The bottom line

NIS2 is not a paper exercise. The auditors who arrive after a real incident will look at what your team actually did, in what order, and how fast. The checklist above is a starting point. If you want help benchmarking your current readiness, get in touch - our team and our partner network run dedicated readiness assessments based on ANSSI and ENISA frameworks.

Tags: NIS2, compliance, CISO, crisis management, cybersecurity governance