
Incident Response Management: Why It Will Become Mandatory in 2026

24.02.2026 (updated on: 24.02.2026)

What was considered unlikely just a few years ago is a reality today: the majority of companies have already been affected by cyberattacks, many of them successfully. The question is therefore no longer whether a security incident will occur, but when it will happen and how resilient your company will be in responding to it through professional incident response management (IRM).

In this article, you will learn:

  • Definition: What exactly is incident response management (IRM)?
  • Compliance: Why is incident response management (IRM) essential for your company (with a focus on current regulations)?
  • Practice: What are the first steps in establishing an effective incident response management (IRM)?

What is Incident Response Management (IRM)?

Preventive measures such as firewalls, endpoint protection, and security awareness training reduce the risk of cyberattacks, but they do not make your company invulnerable. When an incident does occur, incident response takes over: it limits the damage and restores operations quickly.

In other words: Prevention is the firewall, incident response is the fire department – both are indispensable for a comprehensive IT security strategy.

For this “fire department” to work effectively, an incident response management (IRM) is required. This is a structured emergency process for quickly detecting, containing, and permanently resolving security incidents. In practice, a cycle of six phases has become established (the SANS model; NIST SP 800-61 covers the same activities in fewer, broader phases):

  1. Preparation: establishing teams, processes, and tools before an incident occurs
  2. Identification: detecting suspicious activity and classifying it as an incident
  3. Containment: limiting damage, e.g., by isolating affected systems or blocking compromised user accounts
  4. Eradication: removing the threat and its cause (e.g., malware, backdoors, the exploited vulnerability)
  5. Recovery: returning systems to normal operation in a controlled and secure manner
  6. Lessons Learned: analyzing the incident and implementing improvements to incident response processes and other security measures

These six steps form a continuous cycle – because your company learns from every incident to defend against future threats.

Why Every Company Needs an Incident Response Management

Even companies with sophisticated preventive security measures are not completely protected against cyberattacks or security incidents. The decisive difference between a crisis that is successfully managed and damage that threatens the very existence of a company lies in the response to an incident.

The latest IBM report “Cost of a Data Breach” shows: Companies with a professional incident response management (IRM) incur around 25% lower costs per security incident on average. At the same time, they are able to resume business operations (business continuity) much faster than organizations without clearly defined incident response processes.

Incident response management is therefore a central component of a stable security posture and a key success factor for a company’s cyber resilience.

Incident response is becoming increasingly important not only for economic and reputational reasons, but also from a regulatory perspective. Numerous existing and upcoming regulations in the EU and in Switzerland directly or indirectly require a structured incident response management, including clearly defined reporting obligations and binding deadlines for security incidents.

This particularly affects:

  • Operators of critical infrastructure (German: “KRITIS”)
  • Financial and insurance companies
  • Manufacturers of connected and digital products
  • Manufacturers of medical devices

For these organizations, incident response is no longer a “nice-to-have” but an indispensable part of their cybersecurity strategy – both from a regulatory and strategic perspective. For quick reference, I have summarized the most important regulations in relation to incident response management:

Critical Infrastructure (NIS2 & ISG): Security of Supply

For operators of critical infrastructure, a professional incident response management is practically the only way to meet the strict statutory reporting deadlines.

  • EU (NIS2 directive): drastically tightens cybersecurity and reporting requirements.
    • Essential and important entities must take appropriate and proportionate technical, operational, and organizational measures to prevent security incidents or minimize their impact.
    • Significant incidents must be reported to the competent authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
  • Switzerland (Information Security Act – Informationssicherheitsgesetz, ISG): Requires operators of critical infrastructure to report serious cyberattacks to the National Cyber Security Centre (Bundesamt für Cybersicherheit, BACS) within 24 hours of their discovery. Without an effective incident response management, these deadlines are virtually impossible to meet in practice.

Financial Sector (DORA & FINMA): Digital Resilience

In the financial sector, the requirements for digital resilience are particularly high; for financial entities, DORA as the sector-specific law takes precedence over NIS2.

  • EU (DORA – Digital Operational Resilience Act): Establishes a uniform framework for digital operational resilience. Major ICT-related incidents are reported in stages: an initial notification within four hours of classifying the incident as major, and no later than 24 hours after becoming aware of it; an intermediate report within 72 hours; and a final report within one month. For financial companies in particular, a professional incident response management is therefore becoming a key element of operational resilience – and a checkpoint in supervisory and audit procedures.
  • Switzerland (FINMAG & FINMA Guidance): In accordance with Art. 29(2) FINMAG and FINMA Guidance 05/2020 (Aufsichtsmitteilung 05/2020), the Swiss Financial Market Supervisory Authority (Eidgenössische Finanzmarktaufsicht, FINMA) requires the immediate reporting of significant cyberattacks on critical functions of supervised institutions.
    • The two-stage reporting process requires preliminary notification within 24 hours and a detailed report within 72 hours via the FINMA platform.
    • For Swiss financial institutions, a professional incident response management is therefore not only necessary from an operational perspective, but also essential from a regulatory standpoint.

Data Protection (GDPR & revDSG): Protection of Natural Persons

Both the General Data Protection Regulation (GDPR) and the revised Swiss Data Protection Act (revDSG) require certain data breaches to be reported to the supervisory authorities without delay.

  • GDPR (Art. 33): Notification of personal data breaches to the supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the data subjects.
  • revDSG (Art. 24): No fixed deadline, but the Federal Data Protection and Information Commissioner (FDPIC) must be notified “as soon as possible” of breaches likely to result in a high risk to the data subjects.

Without an established incident response management (detection, assessment, decision), these deadlines are almost impossible to meet in practice.

Product Manufacturers (CRA): Product Security

The Cyber Resilience Act (CRA) introduces uniform cybersecurity requirements for manufacturers of products with digital elements in the EU for the first time. This includes the structured handling of security vulnerabilities and security incidents throughout the product’s support period.

Manufacturers must establish processes to identify and assess vulnerabilities and security incidents. Actively exploited vulnerabilities and severe incidents affecting the product’s security must be reported to the authorities in stages (early warning within 24 hours, notification within 72 hours, followed by a final report), and affected users must be informed. These reporting obligations apply from 11 September 2026, ahead of the remaining CRA requirements.

A structured incident response management is thus effectively becoming a prerequisite for market access.

Manufacturers of Medical Devices (MDR/FDA): Product Safety in Healthcare

In the healthcare sector, there are also strict post-market obligations and reporting requirements for manufacturers of medical devices.

The Medical Device Regulation (MDR) requires comprehensive post-market surveillance (PMS) and vigilance. Serious incidents must be reported within 2–15 days, depending on their severity. Cybersecurity incidents that cause serious malfunctions or patient risks are subject to this reporting obligation and require a detailed root cause analysis.

A professional incident response management (IRM) is also essential for meeting the requirements of the Food and Drug Administration (FDA). Although the deadlines for reporting are less strict than those for the MDR, structured incident response processes significantly support compliance with post-market cybersecurity, medical device reporting, and quality system regulations.
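The deadlines summarized above start from different events (discovery, awareness, classification as “major”) and several regimes can apply to one incident at the same time, so an incident response playbook should track them as a single timeline rather than as separate tables. The following Python script is an added example and is not part of the original article or of any Oneconsult tooling. It encodes the deadlines as summarized in this article; which duties apply to a given organization, and how the respective regulator defines “discovery”, are assumptions that must be confirmed with legal counsel.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ReportingDuty:
    regime: str                           # regulation, as named in the article
    stage: str                            # which report this clock covers
    hours: int                            # length of the deadline in hours
    clock: str                            # event that starts it: "discovery" or "classification"
    backstop_hours: Optional[int] = None  # hard cap measured from discovery, if any


# Deadlines as summarised in the article. Whether a given duty applies to your
# organisation (and what counts as "discovery") is a legal question; treat this
# table as an assumption to be confirmed, not as legal advice.
DUTIES: Tuple[ReportingDuty, ...] = (
    ReportingDuty("NIS2", "early warning", 24, "discovery"),
    ReportingDuty("NIS2", "incident notification", 72, "discovery"),
    ReportingDuty("ISG (CH)", "report to BACS", 24, "discovery"),
    # DORA: 4 h from classification as major, but never later than 24 h from awareness
    ReportingDuty("DORA", "initial notification", 4, "classification", backstop_hours=24),
    ReportingDuty("FINMA 05/2020", "preliminary notification", 24, "discovery"),
    ReportingDuty("FINMA 05/2020", "detailed report", 72, "discovery"),
    ReportingDuty("GDPR Art. 33", "notification to supervisory authority", 72, "discovery"),
)


def find_duty(regime: str, stage: str, duties: Iterable[ReportingDuty] = DUTIES) -> ReportingDuty:
    """Look up one duty by regime and stage (raises KeyError if unknown)."""
    for duty in duties:
        if duty.regime == regime and duty.stage == stage:
            return duty
    raise KeyError((regime, stage))


def deadline(duty: ReportingDuty, discovered_at: datetime,
             classified_at: Optional[datetime]) -> Optional[datetime]:
    """Absolute due time for one duty, or None if its clock has not started yet."""
    if duty.clock == "discovery":
        return discovered_at + timedelta(hours=duty.hours)
    if classified_at is None:
        # Not classified yet: only the backstop from discovery (if any) is already running.
        if duty.backstop_hours is None:
            return None
        return discovered_at + timedelta(hours=duty.backstop_hours)
    due = classified_at + timedelta(hours=duty.hours)
    if duty.backstop_hours is not None:
        # The backstop is an upper bound on the total time, so the earlier of the two wins.
        due = min(due, discovered_at + timedelta(hours=duty.backstop_hours))
    return due


def reporting_timeline(discovered_at: datetime, classified_at: Optional[datetime],
                       applicable: Iterable[str],
                       duties: Iterable[ReportingDuty] = DUTIES) -> List[Tuple[datetime, str, str]]:
    """Return (due_time, regime, stage) for every applicable duty, earliest first."""
    applicable = set(applicable)
    rows = []
    for duty in duties:
        if duty.regime not in applicable:
            continue
        due = deadline(duty, discovered_at, classified_at)
        if due is not None:
            rows.append((due, duty.regime, duty.stage))
    rows.sort()
    return rows


def overdue(timeline: List[Tuple[datetime, str, str]], now: datetime) -> List[Tuple[datetime, str, str]]:
    """Entries of a timeline whose due time has already passed."""
    return [row for row in timeline if row[0] < now]


if __name__ == "__main__":
    # Constructed sample incident: a Swiss financial institution that is also subject to GDPR.
    discovered = datetime(2026, 2, 24, 9, 0, tzinfo=timezone.utc)
    classified = datetime(2026, 2, 24, 15, 0, tzinfo=timezone.utc)
    for due, regime, stage in reporting_timeline(discovered, classified,
                                                 {"DORA", "FINMA 05/2020", "GDPR Art. 33"}):
        print(f"{due:%Y-%m-%d %H:%M} UTC  {regime:14s} {stage}")
```

The DORA entry shows why a static table is not enough: the four-hour clock only starts at classification, but the 24-hour backstop from discovery is already running before anyone has classified the incident, so the script reports a DORA due time even when `classified_at` is `None`. Whichever entry sorts first is the one the Incident Manager has to keep in view.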

Implementing Incident Response Management: First Steps

An effective incident response management is much more than just a “check mark” on your compliance list. It is the backbone of your corporate resilience: responding to an emergency quickly and in a structured manner not only protects your data and reputation, but also fulfills regulatory requirements.

Setting up an IRM does not have to be complex or time-consuming. A pragmatic start already delivers a noticeable gain in security. Before we move on to the implementation, a quick tip: in our accompanying blog article, we have summarized the six success factors for an effective IRM.

It is best to begin the practical implementation with these five steps:

1. Conduct a Gap Analysis: Where Do You Currently Stand?

Assess which processes, roles, and tools already exist – and where the most significant gaps are. This will help you avoid duplication of effort and set the right priorities.


2. Define the Incident Response Team: Who Takes on Which Role?

Assign specific individuals to the most important roles (Incident Manager, Communication Lead, IT Operations, etc.). Clear responsibilities prevent chaos in an emergency.

3. Create Your First Playbook: Start With Ransomware

Ransomware is one of the most common and serious threats. A first playbook that has been tested in an exercise gives the team a reliable procedure and can later serve as a template for other scenarios.

4. Conduct Your First Tabletop Exercise: Test Your Processes

Simulate a realistic scenario with all stakeholders – including management. Practice is the only way to ensure that processes, communication, and decision-making paths are truly resilient.

5. Establish Monitoring: Can You Even Detect Incidents?

Without technical detection capabilities (central log collection, SIEM, EDR), incidents are noticed late, often only when the damage is already visible or a third party reports it. Invest in tools that make suspicious activity visible at an early stage.

These five steps form the foundation of an effective incident response management. The most important takeaway here is: start now. Even a simple basic structure is much more valuable in an emergency than not having a plan at all.

Don’t understand IRM as a one-time project, but as a continuous improvement process. With every simulation, every exercise, and every real incident, you gain valuable insights to gradually refine your processes and continuously build your resilience. Security is a journey, not a destination – and the first step is the most crucial one.

Conclusion: Incident Response Is Mandatory – Not Optional

Perfect prevention is an illusion. Professional organizations accept this reality and prepare themselves accordingly. Incident response management is the safety net that, in an emergency, makes the difference between rapid recovery and a crisis that threatens the very existence of a company.

The facts are clear: regulatory requirements are becoming stricter, threats are becoming more complex, and the costs for unprepared companies are rising rapidly. However, those who have established incident response processes not only protect their data, but also secure a real trust advantage with customers and partners.

The question today is no longer whether an incident will occur, but how confidently your company will respond to it. Make preparation your strength before time works against you.

Working Together to Build Digital Resilience

Would you like to set up a new incident response management system or have your existing processes thoroughly reviewed by experts? Our cybersecurity specialists will provide you with comprehensive support.

Frequently Asked Questions (FAQs)

What Does it Cost to Implement an Incident Response Management?

The costs consist of three blocks: internal resources (time for playbooks, training), technical infrastructure (e.g., monitoring tools), and external support (on-call contracts/retainers).

Many companies use incident response retainers from external service providers, purchasing a fixed number of hours. If these hours are not needed for emergencies, they can often be put to good use for proactive measures such as exercises or security checks.

The costs vary depending on the size and maturity of the company.

The key point is: investments in incident response processes can be planned and cap your risk. The costs of an unprepared incident – due to downtime, loss of reputation, and penalties – are incalculable and often threaten the very existence of a company.

How Long Does Implementation Take?

The foundation (team, initial playbook) can often be established in just a few weeks. However, a fully mature IRM with regular exercises and process integration is a maturation process that typically takes 12–24 months. Important: start pragmatically instead of waiting for perfection.

Do Small Businesses Also Require an Incident Response Management?

Absolutely. Attackers often target SMEs with automated attacks because they assume their security measures are weaker. In addition, prolonged downtime often poses a greater threat to the existence of small businesses than to large corporations. A lean, pragmatic incident response plan is therefore essential and can be implemented with manageable effort.

Is It Sufficient to Engage an External Service Provider?

External experts are valuable in terms of forensics and capacity, but they cannot make business decisions for you. Questions such as “Should we shut down production?” or “Should we inform customers now?” must be decided by your management – this responsibility cannot be outsourced. Clear internal processes and defined responsibilities are therefore essential in order to remain capable of acting in an emergency. The external service provider is your “extended arm”, not your head.

Request support from our cybersecurity specialists.

Author

Torben Griebe has been helping companies minimize cyber risks, optimize security strategies, and establish sustainable security cultures for over 10 years. Focus areas include the development, operation, and auditing of information security management systems, incident response teams, cloud security architectures, and secure development processes. Torben Griebe completed his master’s degree in digital forensics with honors and also holds several certifications in the field of cybersecurity (CISM, CISSP, ISO/IEC 27001 Auditor).

