Incident Response Plan Template — Building Blocks, Obligations, Costs

Cybersecurity · May 2026 · 13 min read

← Part of the Cybersecurity Guide
Martin Keller By Martin Keller · Reepa Solutions

When an IT security incident occurs, the first 24 hours determine the total damage. Mid-market companies that are forced to improvise during this window incur, on average, three to five times higher direct follow-on costs than organisations with a well-practised incident response plan. Add to that GDPR fines for missed 72-hour reporting deadlines, NIS2 sanctions with personal liability for management, and long-term reputational damage with customers and suppliers. This template shows which building blocks an effective IR plan must contain, which statutory reporting obligations are triggered and within what timeframes, and what retainer costs management and CFOs should budget for — written pragmatically for companies with 50 to 2,000 employees. How this topic fits into the overall security strategy is covered in detail in our Cybersecurity Guide for Mid-Market Companies.

Why every incident without an IR plan becomes more expensive — GDPR, NIS2, and liability

The financial damage from an IT security incident is made up of several layers. On the direct side: business interruption, recovery costs, external forensics, legal advice, and in some cases ransom payments. For ransomware incidents at mid-market companies, total damages between €200,000 and €4 million have been regularly documented in recent years. This range depends almost entirely on how quickly and how methodically the organisation can respond — not on the technical depth of the incident.

On the regulatory side, three amplifiers are at work. First, GDPR Article 33: as soon as personal data may be involved, a 72-hour deadline begins to notify the competent data protection authority. Missed deadlines are sanctioned in practice as a separate violation — independent of the underlying incident itself. Fines in the six-figure range solely for late notification have been documented by German supervisory authorities. Second, NIS2, which has been in force since October 2024 and introduces staggered reporting obligations for highly important and important entities: 24 hours for the early warning, 72 hours for the formal notification, one month for the final report. Senior management is personally liable for compliance — insurance solutions covering this personal liability are expensive and by no means standard. Third, sector-specific regulators: BaFin for financial services providers, BSI for operators of critical infrastructure, the Federal Network Agency for telecommunications and energy. These deadlines often run in parallel.

At the third level, reputational damage with customers, suppliers, and insurers takes effect. Supplier audits on cybersecurity are now standard in manufacturing, logistics, healthcare, and automotive — any company that had to manage an incident without a documented IR plan and without timely notifications loses points in tenders or entire contracts. Cyber insurers, in turn, almost always require evidence of a practised IR plan as a precondition for coverage. Those who cannot demonstrate one pay higher premiums or receive reduced benefits in the event of a claim. For deeper coverage of the regulatory side, see our cluster article NIS2 Directive for Mid-Market Companies.

The six mandatory building blocks of an effective IR plan

An IR plan is not a 200-page manual that nobody reads when it matters. It is a compact operational guide with clearly assigned responsibilities. In practice, six building blocks can be identified that are indispensable for a mid-market company. What each building block must specifically contain is something we work through with your team or an advisor in a follow-up step.

Statutory reporting obligations at a glance

The table below summarises the most important reporting obligations that may be triggered by an IT security incident at a mid-market company. It is not a substitute for individual legal advice, but serves as a starting point for board-level communication and plan preparation.

ObligationTriggerDeadline from awarenessRecipient
GDPR Article 33Breach of personal data72 hoursCompetent data protection authority
GDPR Article 34High risk to data subjectsWithout undue delayAffected individuals directly
NIS2 Early WarningSignificant security incident24 hoursCompetent national authority (BSI in DE)
NIS2 NotificationSignificant security incident72 hoursCompetent national authority
NIS2 Final ReportSignificant security incident1 monthCompetent national authority
BSI Act §8bKRITIS operator, significant incidentWithout undue delayBSI directly
BaFin / MaRisk AT 7.2Financial services provider, IT incidentWithout undue delay, max. 4hBaFin
Cyber insurerInsured incidentTypically 24–48hAs contractually agreed

Multiple deadlines run in parallel — a ransomware encryption event with data exfiltration at a KRITIS organisation simultaneously triggers the GDPR notification (72h), NIS2 early warning (24h), NIS2 formal notification (72h), BSI notification (without delay), and insurer notification (contractual). Anyone who walks into such a multi-obligation scenario without a prepared template loses the first hours on administrative work while technical containment is delayed. That is exactly what a well-prepared IR plan prevents.

Escalation workflow and recovery levels

The escalation workflow is the organisational backbone of the plan. It describes at which severity level which people are brought in — and crucially, who is authorised to make which decisions. In practice, a three-level model has proven effective: Level 1 covers operational IT disruptions with no security component, handled by the service desk. Level 2 covers security-relevant events with limited scope — for example, a single phishing click with suspicious activity on a workstation. Here the IT security team takes over with defined containment measures. Level 3 covers genuine security incidents with potential impact on personal data, business continuity, or compliance — here management is brought in, the external forensics provider is engaged, and the reporting-obligations block is activated.

The recovery levels are the counterpart on the restoration side. Which business processes must be up and running first? In a manufacturing mid-market company, this is typically production control with logistics and dispatch connectivity, followed by ERP and customer communications, and only then back-office functions such as internal collaboration. The sequence follows from the RTO and RPO values per process — management sets these values, not IT. An observation from several Reepa engagements: in more than half of mid-market companies we advised before an incident, the gap between the RTO expectations of business units and the backup strategy actually in place was the biggest risk finding — larger than any individual technical vulnerability.

Free quick-check of your existing IR plan

You already have an incident response plan but are unsure whether it will hold up in a real incident? We offer a free quick-check: a 30 to 45-minute structured conversation working through the six mandatory building blocks, followed by a concise written assessment using a traffic-light system and a clear recommendation on where adjustments make sense.

Free IR Plan Quick-Check

A focused starting point at no cost and with no commitment. You receive a well-grounded external perspective on your existing plan and concrete recommendations on which building blocks should take priority.

Request a free IR plan quick-check

Tabletop exercises — what they actually deliver

A tabletop exercise is a facilitated simulation of an incident around the conference table — no technical interventions, no live systems, just the plan, the participants, and a realistic scenario. That may sound unspectacular, but it is the single most effective instrument for improving a plan. In a three-hour exercise, between 12 and 25 concrete gaps are typically uncovered: missing emergency numbers, unclear decision-making authority, conflicting responsibilities between IT and data protection, and incorrect assumptions about backup availability.

Typical scenarios for mid-market companies include ransomware with data encryption in the production environment, data exfiltration via a compromised cloud access key, targeted CEO fraud with fake payment instructions, and a supplier incident with knock-on effects on the company's own supply chain. For organisations subject to NIS2, we recommend at least two exercises per year with different scenarios — this covers the reporting-obligations spectrum more broadly. Management must attend in person, not delegate — because these are precisely the people who make critical decisions in a real incident.

IR retainers and the vendor landscape

In a real incident you need specialists who have seen many incidents before. In-house teams at mid-market companies very rarely reach that level of experience density — simply because they handle too few incidents. An IR retainer is a framework agreement with an external provider that guarantees a response time, a fixed hourly rate, and an agreed escalation process. The range of models is wide.

Market participants can be roughly grouped into three categories. Globally active Big-Four-adjacent providers such as Mandiant, CrowdStrike Falcon Complete, and Palo Alto Unit 42 offer broad incident experience, large teams, and 24/7 availability — with corresponding annual base fees starting at €40,000 for smaller mid-market clients and six- to seven-figure volumes for large accounts. Specialised forensic providers such as Kroll, Coveware, and Arete are particularly sought after for extortion incidents, bringing negotiation experience and legally defensible forensics. Boutique providers and regional specialists — a category that includes Reepa Solutions in the DACH mid-market — focus on companies with fewer than 2,000 employees, offer personal service and leaner contracts starting at €12,000 to €30,000 annual base fee, with smaller teams and a narrower geographic reach.

Which provider is the right fit depends on industry, size, maturity, and risk appetite. An insurance group or KRITIS operator selects a Big-Four-adjacent provider — depth is decisive there. A mid-market mechanical engineering firm with 400 employees is far better served by a boutique retainer, because the ratio of effort to visibility is calibrated differently. What matters is that the contract is in place before an incident occurs — retainer agreements signed after an incident are more expensive and slower to deliver value. For a complementary overview of audit formats, see the cluster article Red Team vs Pentest.

What an IR programme costs for a mid-market company

The costs of building and operating an effective IR programme depend heavily on the starting point. The table below shows typical ranges for mid-market companies with 50 to 2,000 employees. It is intended as guidance — precise proposals require a brief scoping workshop.

Work PackageEffort (days)External advisor (€)In-house expectation
Initial assessment + plan draft6–12from 7,5001–2 workshops with management and IT lead
Reporting-obligations block + template text3–6from 3,500Close coordination with DPO and legal counsel
Escalation workflow + roles matrix4–8from 4,5001 day per location
Recovery concept (RTO/RPO)5–10from 5,500With business units per process
First tabletop exercise with management2–3from 2,500Half day of management time — mandatory
Retainer agreement (annual base fee)12,000 – 60,000Negotiated with IR provider
Hourly rate in a real incident250 – 600 €/hTypically 80–400 h per incident

Add to this internal personnel costs and ongoing tooling costs — SIEM licences, EDR platforms, backup infrastructure. These do not belong in the IR plan in the strict sense but in the overall cybersecurity budget. Measured against the damage potential of a ransomware incident — in Reepa engagements regularly in the low six-figure range for a 200-person company — the total IR programme represents a modest line item. An observation from multiple engagements: companies that set up a full IR programme after their first real incident recovered on average 60 to 80 percent of their initial build costs at the very next incident — simply through faster and more orderly response.

When you should revise your IR plan now

There are four situations in which revising an existing plan should not wait. First, after a real incident — even if it ended without major damage. The insights from actual deployment are the most valuable source of plan improvements. Second, after any significant architectural change — cloud migration, new locations, major M&A activity. Third, after personnel changes in key roles, because the roles matrix otherwise runs empty. Fourth, at the latest 12 months after the last review, even if nothing major has happened — contacts change, providers change, legal frameworks are refined.

Pragmatically: if you have an IR plan but have not exercised it in more than two years and have not updated it in more than one year, you do not have a working plan — you have a document. The difference becomes visible in a real incident. Unfortunately, always too late.

Frequently asked questions

What must an incident response plan contain at a minimum?

Six building blocks are indispensable in practice: first, a clearly staffed roles matrix with deputies; second, a communication chain with reachable phone numbers available 24/7; third, an escalation workflow with clear thresholds; fourth, a reporting-obligations block with deadlines for GDPR, NIS2, and where applicable BaFin or BSI; fifth, a recovery concept with defined recovery objectives; sixth, a regular exercise and review cycle. Without these six components, an IR plan is ineffective when it matters most. Templates from BSI, ENISA, or SANS are helpful but must be adapted to your organisation's specific structure.

What statutory reporting deadlines apply in the event of an IT security incident?

For personal data, GDPR Article 33 applies: 72 hours from the point of becoming aware of the incident to notify the competent data protection authority. For operators of critical and highly important facilities under NIS2, staggered deadlines apply: 24 hours for an initial early warning, 72 hours for the formal notification, and one month for the final report. In addition, sector-specific obligations apply — financial services via BaFin and MaRisk, critical infrastructure via the BSI Act, telecommunications via the Federal Network Agency. These deadlines often run in parallel and must be explicitly mirrored in the plan.

What does an incident response retainer cost and is the investment worthwhile?

Retainer models for mid-market companies typically range from €12,000 to €60,000 in annual base fees, depending on the size of the environment and the guaranteed response time. During an incident, hourly rates between €250 and €600 apply, with a typical effort of 80 to 400 hours per serious case. Compared to the total cost of an uncontrolled ransomware incident — which in practice is often six to seven figures — a retainer pays for itself in the first real engagement. Without a retainer, you can spend several days just finding a provider while the damage continues to grow.

How often must an incident response plan be exercised?

The minimum standard for mid-market companies is one tabletop exercise per year involving management and IT leadership. For organisations subject to NIS2, we recommend two exercises per year using different scenarios — for example, ransomware with data encryption and separately a data exfiltration scenario with GDPR reporting obligations. A full technical exercise with the forensics team and a recovery test should take place every two years. Plans that have never been exercised fail in real incidents — this is something we can reproduce with every untested organisation.

Do we need an external incident response provider or is our own team sufficient?

Mid-market companies with fewer than 500 employees very rarely have an in-house IR team with forensic depth. Even companies with a dedicated security team often need external specialists in a real incident — for forensics, negotiation support with extortionists, legal guidance through the reporting obligations, and insurance communication. The rule of thumb: secure your own first response within the first two hours, then bring in an external team under a retainer agreement. Without this combination, the process takes significantly longer in our experience and costs correspondingly more.

What distinguishes an incident response plan from an emergency or BCM plan?

An incident response plan describes the specific procedure for IT security incidents: detection, containment, forensics, reporting obligations, and recovery. An emergency or business continuity plan is broader in scope and covers all events that threaten business operations — fire, power failure, pandemic, supply chain disruption. Both plans must be aligned with each other but are separate documents with different owners. The IR plan is a component within the BCM and is managed by the IT security lead; the BCM plan is owned by senior management or the risk manager.

Ready to take your IR plan to the next level?

Let's talk for 30 minutes, no commitment required. We will walk through the six mandatory building blocks with you, identify the biggest gaps in your current plan, and provide an honest assessment — whether in-house or with external support — along with a realistic roadmap. Deeper context in the Cybersecurity Guide.

Schedule a 30-minute conversation
Martin Keller
Martin Keller · Backend & Cloud Architect · Reepa Solutions

IT security and cloud architect with over ten years of experience. Develops Reepa Security with his team — an offensive audit platform for mid-market companies. Writes regularly about cloud security, NIS2, GDPR compliance, and incident response programmes.

Reviewed: 22 May 2026 · More about Martin

More from our knowledge hubs

🛡
Security
Cybersecurity
15 articles →
🧠
Artificial Intelligence
AI for Mid-Market
15 articles →
Infrastructure
Cloud & DevOps
15 articles →
💻
Development
Software Development
15 articles →