How to Build a NIS2-Compliant Incident Response Plan in One Day

Build a NIS2-compliant incident response plan for your Irish business in a single day. A practical, time-boxed guide covering team, contacts, assets, and procedures.

When a Letterkenny professional services firm decided to build an incident response plan following the Health Research Board cyberattack in early 2026, the managing director's first instinct was to commission a specialist consultancy and allow three months for the project. We suggested a different approach: block out a single workday, bring in the right people, and build something functional that their team could actually use. They did it in six hours. The result was not perfect — no first version is — but it was tested, it was documented, and when a phishing attack compromised a staff account eight weeks later, they knew exactly what to do.

Building a NIS2-compliant incident response plan is not a multi-month project if you approach it correctly. The NIS2 Directive requires that essential and important entities have documented incident response and recovery procedures — and that they can demonstrate those procedures work. The NCSC Ireland has published clear guidance on what incident response plans should cover.[^1] This article gives you a structured one-day approach to building something that is both compliant and genuinely useful under pressure.

WHAT: What NIS2 Requires From Your Incident Response Plan

NIS2 Article 21 requires that organisations implement measures covering the handling of incidents, business continuity, and crisis management. Article 23 requires that significant incidents are reported to the competent authority — in Ireland, the NCSC — within 24 hours of the organisation becoming aware of them, with a more detailed report within 72 hours. These are not aspirational targets; they are legal obligations with financial consequences for non-compliance.

An incident response plan that meets these requirements does not need to be a hundred-page document. It needs to answer four questions clearly enough that anyone on your team can act on them under pressure: Who is in charge? Who do we call? What do we protect first? What do we report, and when?

The temptation is to make the plan comprehensive before making it usable. A ten-page plan that is tested and known is more valuable than a comprehensive manual that has never been read in a crisis.


WHAT NOW: The One-Day Build Process

Morning — Define your team and compile your contact list. Start by naming your incident response team. In most Irish SMEs, this is three to five people: the person with authority to make decisions under pressure, the person responsible for IT, the person who communicates with staff and clients, and a senior manager who understands the business impact. Write down each person's role, their primary contact number, and their backup contact. Then build your external contact list. This must include your IT provider's out-of-hours number, your cyber insurance company's claims line, the NCSC Ireland's incident reporting contact, and the Data Protection Commission's breach notification contact. These numbers must exist somewhere that does not depend on your email being operational — a printed card, a secure note, a physical document in a known location.

The reason the contact list comes first is that it is the most commonly missing element when incidents occur. An Garda Síochána's National Cyber Crime Bureau is another external contact worth including — ransomware and significant data breaches are criminal matters as well as regulatory ones.[^2]

Afternoon — Document your critical assets and data. Create a simple inventory of the systems your business cannot function without. For each one, record what it is, where it is hosted, who is responsible for it, what data it holds, and what happens to the business if it is unavailable for an hour, a day, or a week. This Business Impact Analysis does not need to be sophisticated — a spreadsheet with eight to ten rows is a perfectly adequate starting point. The purpose is to give anyone managing the response a clear picture of what to restore first when the pressure is on.

Include your backup and recovery procedures in this section. Where are your backups stored? How recently were they tested? How long does a full restore take? If you cannot answer these questions, you have a gap that needs closing before the plan is complete.

End of day — Write your five-step response procedure. Based on the team, contacts, and critical assets you have now documented, write a simple five-step procedure for responding to a significant incident:

1. Detection — how does the team know something has happened?
2. Containment — what is the immediate action to limit the spread?
3. Eradication — how is the threat removed?
4. Recovery — which systems come back first and in what order?
5. Notification — what must be reported, to whom, and within what timeframe?

The notification step is where NIS2 compliance lives. For businesses in scope, the 24-hour initial notification to the NCSC Ireland must be built into your procedure as a specific, named step — not as a general reference to "notify regulators." Write the actual notification process: who makes the call, what information they need to have ready, and what happens if the designated person is unavailable.

WHY IT MATTERS: The Regulatory and Business Case

The Data Protection Commission expects organisations holding personal data to have documented procedures for detecting, assessing, and responding to personal data breaches. A breach that is reported late — or not at all — because the business had no documented notification procedure is treated more severely than one that was reported promptly and handled professionally.[^3]

For businesses in scope for NIS2, the 24-hour reporting window is non-negotiable. An incident response plan that does not include an explicit notification step — with a named person, a contact number, and a checklist of what information to provide — is a plan that will fail at the most critical moment.

The business case is equally clear. Incidents managed with a tested plan consistently result in shorter downtime, lower recovery costs, and better regulatory outcomes than incidents managed reactively. A Sligo manufacturing business that suffered ransomware in 2025 and had a tested plan in place was back to partial operations within 36 hours. A comparable business that had no plan took eleven days to reach the same point, at a cost roughly four times higher.

A fire drill does not stop the fire. It means everyone knows where the exits are. Your incident response plan is the same.

WHAT NEXT: After the Build Day

1. Test the plan within four weeks of building it. Run a 30-minute tabletop exercise with the scenario: "It is 11am on a Monday. A staff member has received a phishing email and clicked the link. They have reported it. What do we do next?" Work through the steps using your actual contact list and procedures.

2. Store the plan somewhere accessible without email. A printed copy in a physical location known to all team members. A copy on a USB drive kept offsite. A version in a secure, cloud-based location that does not depend on your corporate email account.

3. Review and update the plan every six months. Staff change, systems change, and regulatory requirements evolve. An incident response plan that is two years old and has never been updated is significantly less valuable than one that reflects the current business and current infrastructure.

Related Reading

[^1]: NCSC Ireland — incident response guidance for organisations: https://www.ncsc.gov.ie/advice-for-organisations/

[^2]: An Garda Síochána — National Cyber Crime Bureau incident reporting: https://www.garda.ie/en/crime/cyber-crime/

[^3]: Data Protection Commission Ireland — breach notification obligations: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.