Ransomware response under NIS 2
The mechanics of the first 24 hours: what to contain, who to tell, and what the directive actually requires.
What this page is
Ransomware is not a separate regulatory category. NIS 2 treats it as one significant incident among others. Commission Implementing Regulation (EU) 2024/2690 lists ransomware explicitly in Annex section 11.6 as a recognised significant incident type for digital infrastructure entities, but the obligations sit in Article 21 (risk management measures) and Article 23 (reporting cascade) of the directive itself.
The page is written for a managing director, an IT lead or a CISO in a 50 to 250 person company who has either just been hit or wants to know what the first hours should look like. It is not legal advice and it is not a replacement for an incident response retainer. It is the legal mechanics around the technical work.
The single most useful sentence: containment, reporting, management decision and law enforcement run in parallel, not in sequence. The directive does not let you finish one before starting the next.
Directive (EU) 2022/2555 (NIS 2)
Article 21(2)(c): policies and procedures concerning business continuity, such as backup management and disaster recovery, and crisis management. Article 21(2)(i): policies and procedures regarding the use of cryptography and, where appropriate, encryption.
Article 21(2)(c) is where the recoverable backup obligation lives. Existence of a backup is not the test. Restorability under attack conditions is. Article 21(2)(i) covers the encryption posture that decides whether the attacker reads everything they touch. Article 23 then sets the four stage reporting cascade: early warning within 24 hours, incident notification within 72 hours, intermediate report on request, final report within one month.
Commission Implementing Regulation (EU) 2024/2690
Annex section 11.6 lists ransomware among the incident scenarios that constitute a significant incident for entities providing digital infrastructure services.
The CIR is binding without national transposition and tells you what counts as significant for the entity types it covers (essentially the 11 digital infrastructure and digital service categories). For sectors outside its scope, the significance test in Article 23(3) NIS 2 still applies: serious operational disruption, financial loss, or material or non-material damage to others. Ransomware that locks production almost always meets that test.
BSIG (Germany)
§30 BSIG: technical and organisational measures appropriate to the risk. §32 BSIG: notification to the BSI via the Meldeportal at bsi.bund.de. §44 BSIG: BSI cooperation with law enforcement authorities.
BSIG is the German transposition example. NL and AT have their own. The 24 / 72 hour / intermediate / one month cascade is directive level and identical across member states. The reporting channel is national: in Germany the BSI Meldeportal, separately the data protection supervisory authority under Article 33 GDPR if personal data is involved, separately again the State Criminal Police Office (LKA) or BKA if you want a criminal investigation.
Technical containment and forensic preservation
Isolate affected segments without wiping them. The single most common mistake under panic is to power off and reimage before any image is taken, which destroys both the evidence the BSI and law enforcement need and the indicators of compromise that tell you what else the attacker touched. Disconnect from the network, do not switch off. Take memory and disk images before remediation. Start the restore from the most recent verified clean backup on isolated infrastructure. Article 21(2)(c) NIS 2 requires the backup to be recoverable, not just present. The single most common failure mode in audited incidents is backups that were online and got encrypted alongside production.
Management body decision
Article 20 NIS 2 puts the management body on the hook. In a live ransomware incident there are three decisions only the management body can sign: declare a significant incident under Article 23, authorise external incident response spending, and refuse or consider any ransom demand. The decision and the reasoning have to be documented in real time. The platform audit trail is built for this. The point is not to have a perfect answer in hour two. The point is to have a recorded decision by an accountable person.
Regulator reporting cascade
Article 23 NIS 2 is a four stage cascade with hard clocks. Early warning to the national CSIRT or competent authority within 24 hours of becoming aware. Incident notification within 72 hours with an initial assessment of severity and impact and any indicators of compromise available. Intermediate update on request from the authority. Final report within one month. In Germany this goes through the BSI Meldeportal under §32 BSIG. If personal data is affected, Article 33 GDPR runs in parallel with its own 72 hour clock to the data protection supervisory authority. The two reports are separate and go to separate authorities.
Speed before completeness
The BSI position is explicit: Schnelligkeit vor Vollständigkeit. The 24 hour early warning under Article 23(4) NIS 2 is not a full report. It is a flag with what you know. You are allowed to say the scope is not yet known. You are not allowed to wait until it is. Filing an incomplete early warning on time and updating it later is the directive compliant path. Waiting for clarity is not.
Payment is a business decision, not a compliance shortcut
The BSI advises against paying ransom and the position is clear that insurance payouts are not a transfer of risk in the Article 21 sense: pauschaler Risikotransfer ist ausgeschlossen. Paying does not extinguish the reporting obligation, does not satisfy the recoverable backup obligation under Article 21(2)(c), and does not stop a criminal investigation. The decision to pay or not is separate from the four parallel tracks above and never replaces them.
BSI and CERT Bund (Germany)
The Bundesamt für Sicherheit in der Informationstechnik is the competent authority for NIS 2 reporting in Germany. Reports under §32 BSIG go through the BSI Meldeportal at bsi.bund.de. CERT Bund inside the BSI handles the technical response coordination. For the EU layer, the CSIRTs network coordinated by ENISA is the upstream channel between national CSIRTs.
BKA and State LKA cybercrime units
Ransomware is a criminal offence under §202a, §202b, §303a and §303b StGB. The criminal investigation runs separately from the regulatory report. Each State Criminal Police Office (LKA) has a Zentrale Ansprechstelle Cybercrime (ZAC). The BKA runs the federal cybercrime track. §44 BSIG explicitly provides for BSI cooperation with law enforcement, but cooperation is not substitution: filing with one does not file with the other. Filing a criminal complaint is a separate decision the management body has to take.
Sector regulator, data protection authority, supply chain
Three additional channels can be open at the same time. If personal data is affected, Article 33 GDPR notification to the competent data protection supervisory authority runs on its own 72 hour clock. Some sectors (energy, finance, health) have additional sector specific reporting under their own regimes that NIS 2 explicitly preserves. And under Article 21(2)(d) NIS 2, ransomware affecting a supplier may trigger your contractual notification duties to your customers, even if you are not the directly affected entity.
Pay the ransom, get the key, move on.
Payment does not close the file. The reporting cascade under Article 23 NIS 2 still runs. The recoverable backup obligation under Article 21(2)(c) is still tested by an auditor next year and a paid recovery is not evidence of one. The data protection authority will still ask under Article 33 GDPR what personal data left the perimeter. And in most published cases, attackers either return for a second payment or sell the access to another group anyway.
Power everything off immediately to stop the spread.
Powering off destroys volatile memory before any image can be taken. The forensic evidence the BSI needs for the early warning, the indicators of compromise the rest of your estate needs, and the artefacts a criminal investigation depends on are all in RAM at the moment of attack. Isolate at the network level, preserve memory and disk images, then remediate. The fifteen minutes of preserved evidence is worth more than the fifteen minutes of avoided spread on already isolated segments.
Wait until we know the full scope before filing.
Article 23(4) NIS 2 requires the early warning within 24 hours of becoming aware, not within 24 hours of full understanding. The directive explicitly allows the early warning to be a partial picture. Waiting past the 24 hour mark to get clarity is the single most common reason entities miss the deadline. The BSI position, Schnelligkeit vor Vollständigkeit, is the directive intent.
A 180 person mechanical engineering company in Baden-Württemberg, classified as wichtige Einrichtung under NIS 2 because the sector and headcount put it in scope. 07:42 on a Tuesday: production ERP throws certificate errors, file shares unreadable, a ransom note on three servers. 07:58: IT lead disconnects the affected VLAN at the switch, leaves machines running. 08:15: CEO informed, decides to convene the management body within the hour and to engage the external IR retainer the company had on file. 09:30: management body in a room, three decisions documented in the audit log: declare significant incident under Article 23, authorise the IR engagement, no ransom decision yet. 10:40: external IR begins memory imaging on the affected hosts. 12:15: 24 hour early warning filed through the BSI Meldeportal under §32 BSIG, stating scope unknown, ransomware family suspected, no personal data exfiltration confirmed yet.
14:00: data protection officer confirms personal data is on two of the affected file shares. Article 33 GDPR notification drafted, the 72 hour clock starts ticking against the State data protection supervisory authority. 16:30: backups verified clean on isolated infrastructure, restore begins on a separate VLAN. The next day: criminal complaint filed with the State LKA cybercrime unit. Day three: 72 hour incident notification under Article 23 NIS 2 with a sharper picture: initial entry vector, scope of encryption, no public service disruption (the company does not run essential services for third parties). Within four weeks: the final report under Article 23(4)(d). The recoverable backups, the four parallel tracks, the documented management body decisions, and the audit trail are what saved this company. The encryption posture under Article 21(2)(i) is what limited the data exfiltration. None of this required a six figure consulting engagement before the incident. It required four written things on the wall: who calls whom, what gets reported when, who can sign which decision, and where the recoverable backups actually are.
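The parallel clocks from the reporting cascade section and the timeline just walked through, as an added example in Python that is not part of this page or its platform: it builds every deadline from the moment of becoming aware, keeps the GDPR track on its own clock to its own authority, and reports how many hours remain on any one of them. The article letters (a), (b), (d) are Article 23(4) NIS 2; the test timestamps are constructed from the scenario above.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Deadline:
    channel: str   # authority the report goes to (separate channels, separate reports)
    stage: str     # which report in the cascade
    due: datetime  # hard clock
    basis: str     # legal basis


def add_month(t: datetime) -> datetime:
    """One calendar month later, clamped to the last day of the target month."""
    year, month = t.year + t.month // 12, t.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return t.replace(year=year, month=month, day=min(t.day, last_day))


def reporting_schedule(nis2_aware: datetime, gdpr_aware: Optional[datetime] = None,
                       notification_submitted: Optional[datetime] = None) -> List[Deadline]:
    """Every clock that starts running, in parallel, from the moment of becoming aware.
    gdpr_aware is when personal data was confirmed affected (None if it is not); its
    72 h clock is separate and goes to a separate authority. The final report is due
    one month after the incident notification is filed; until it is, the latest
    permitted filing time (the 72 h deadline) is used as the conservative anchor.
    The intermediate report (Art. 23(4)(c)) is on request and has no fixed clock."""
    early = nis2_aware + timedelta(hours=24)
    notification = nis2_aware + timedelta(hours=72)
    nis2_channel = "national CSIRT / competent authority (BSI Meldeportal, §32 BSIG)"
    schedule = [
        Deadline(nis2_channel, "early warning", early, "Art. 23(4)(a) NIS 2"),
        Deadline(nis2_channel, "incident notification", notification, "Art. 23(4)(b) NIS 2"),
        Deadline(nis2_channel, "final report",
                 add_month(notification_submitted or notification), "Art. 23(4)(d) NIS 2"),
    ]
    if gdpr_aware is not None:
        schedule.append(Deadline("data protection supervisory authority",
                                 "personal data breach notification",
                                 gdpr_aware + timedelta(hours=72), "Art. 33 GDPR"))
    return sorted(schedule, key=lambda d: d.due)


def hours_left(schedule: List[Deadline], stage: str, now: datetime) -> float:
    """Hours remaining on one clock (negative once overdue); a filing is on time iff >= 0."""
    due = next(d.due for d in schedule if d.stage == stage)
    return (due - now).total_seconds() / 3600
```

Run it against the scenario's 07:42 awareness and 14:00 personal data confirmation and the four dated entries come out in filing order, with the early warning filed at 12:15 comfortably inside its clock and a filing the next morning already late.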
The platform stores the four written things on the wall: the contact list for BSI, data protection authority and LKA; the reporting templates for the 24 / 72 hour / one month cascade under Article 23; the assignment of which management body member can sign which decision; and the link to the backup configuration evidence required by Article 21(2)(c). Everything is captured in the audit trail with timestamps so that the post incident final report can be produced from real data, not from memory.
The platform is free and open source. There is no paid tier and no lock in. The point of this page is not to sell anything. It is to make sure that if a ransomware incident hits next week, the management body knows which four phone calls to make, in which order, on which clock.
- Directive (EU) 2022/2555 (NIS 2): Article 20 (management body accountability), Article 21(2)(c) and (i) (continuity, backup, recovery, cryptography), Article 23 (reporting cascade). EUR-Lex.
- Commission Implementing Regulation (EU) 2024/2690, Annex section 11.6 (ransomware as a significant incident category for digital infrastructure entities). EUR-Lex.
- BSIG (Germany): §30 (risk management measures), §32 (BSI Meldeportal), §44 (cooperation with law enforcement). Gesetze im Internet.
- Regulation (EU) 2016/679 (GDPR): Article 33 (notification of a personal data breach to the supervisory authority). EUR-Lex.
- BSI: NIS 2 information packages on Schnelligkeit vor Vollständigkeit and the position that pauschaler Risikotransfer is not a substitute for technical and organisational measures. bsi.bund.de.
- ENISA: CSIRTs network coordination for cross border incidents. enisa.europa.eu.