NIS2 Security Incident Tabletop Exercise

This advanced tabletop exercise simulates a full-scale cyber incident affecting a financial institution, designed specifically for internal training and regulatory readiness under the NIS2 Directive. The scenario walks participants through all five phases of incident response—from detection to recovery—emphasizing cross-functional coordination between the CISO, Legal, IT Security, and Communications teams.

The exercise includes:

  • Simulated threat detection and triage aligned with real-world threats.
  • Internal and regulatory reporting templates, including an early warning to the CSIRT/NIS authority.
  • Stakeholder communication strategies and legal response coordination.
  • Forensic and impact analysis with a focus on business continuity.
  • Post-incident review and preparation for NIS2 regulatory audit and inspections.

Disclaimer: This is a simulated use case. The documents were drafted with the help of Artificial Intelligence.

Use Case – Simulated Cybersecurity Incident: Ransomware Attack on a Financial Institution

Context

In this tabletop exercise, we simulated a targeted ransomware attack against a mid-sized financial institution operating under the scope of the NIS2 Directive. The exercise was designed to test the organization’s incident response capabilities, legal and regulatory communication, internal coordination, and audit readiness.

NIS2 requires that essential entities (such as banks) report significant cyber incidents immediately. In NIS2 a “significant incident” is one that causes (or could cause) severe operational disruption or financial loss. In our scenario, ACME Bank’s SOC discovers evidence of unauthorized access to a core banking server and possible data exfiltration – an event meeting the NIS2 significance threshold. Under Article 23 of NIS2, an early warning must be sent to the national CSIRT “without undue delay” and in any event within 24 hours of discovery.

Background

The fictional financial institution, ACME Bank, operates critical financial services across multiple EU member states. As an essential entity under NIS2, ACME Bank has regulatory obligations regarding incident detection, early warning, impact assessment, and formal notification within tight timeframes.

Threat Scenario

A sophisticated threat actor affiliated with a ransomware group infiltrates ACME Bank’s infrastructure via a phishing email targeting a senior financial analyst. The attack exploits a known but unpatched vulnerability in a third-party document management plugin.

Within 48 hours:

  • The attacker gains access to the internal network.

  • Critical file servers and customer transaction systems are encrypted.

  • A ransom demand of €3.5 million in cryptocurrency is issued.

  • The threat actor threatens to leak stolen customer data and proprietary algorithms.

Phase 1: Detection and Initial Actions

Early Signals, Rapid Decisions
This phase focuses on identifying unusual activity, assessing incident severity, and launching immediate containment steps. The CISO, CERT, and IT Security team classify the incident and trigger the early warning notification to the national CSIRT within 24 hours, initiating forensic analysis and vendor coordination.

Phase 2: Internal Coordination

Activating Leadership and Legal Oversight
As the situation escalates, executive leadership, the legal team, and the board must be promptly informed. The organization aligns with NIS2’s top-level accountability, ensuring proper governance, risk communication, and documentation for potential regulatory scrutiny.

Phase 3 – Containment & Communication

Limiting Impact, Controlling the Narrative
Immediate segmentation of compromised systems, legal evaluation of the ransom demand, and preparation for customer and stakeholder notifications take center stage. If personal data is affected, GDPR breach notification protocols must be activated in parallel.

Phase 4: Post-Incident Review and Final Reporting

Regulatory Reporting and Technical Evidence
Within 72 hours, a formal incident notification is sent to the national authority, detailing impact, mitigation, and ongoing coordination. A full report is submitted within 1 month, including forensic findings, service disruptions, recovery KPIs, and third-party interactions.

Phase 5: Regulatory Oversight and Audit Readiness

Lessons Learned and Compliance Assurance
The organization evaluates vendor accountability, reviews lessons learned with the board, and enhances policies around supply chain cyber risk, threat detection, and regulatory preparedness. Audit readiness and continuous improvement close the NIS2 incident loop.

Phase 1: Detection and Initial Actions

On June 13, 2025 at 08:02 CET, the bank’s network IDS flagged unusual outbound traffic from the internal file server FS1 to an external IP (203.0.113.45). Simultaneously, endpoint security on FS1 detected a malicious executable (hash ABC123EF45…), identified as an Emotet malware variant. Emotet (a banking Trojan spread via phishing attachments) is known to compromise systems and steal data by brute-forcing accounts and scanning network drives. The combination of these alerts suggests a spear-phishing compromise: an employee likely opened a malicious attachment that installed Emotet, which then attempted lateral movement and data exfiltration. This triggered the SOC’s high-priority alert.

Given the potential impact on customer data and banking operations, the incident is classified as High severity. Preliminary impact assessment indicates that the bank’s online services could be disrupted if the malware spreads, and sensitive data (financial records) may be at risk. This qualifies as a significant incident under NIS2 (causing severe service disruption and financial risk). The SOC has begun containment (isolating FS1) and forensic collection, and will report the incident upward. An internal notification and a formal “early warning” to the national CSIRT will follow within the NIS2-mandated 24-hour window.

Sample SOC Alert Log: [image: Sample_SOC_Alert_Log.png]


Analyst Triage Notes

  • Indicators of Compromise (IOCs): External C2 IP 203.0.113.45 (known Emotet command server), domain emotet-ops.com, MD5 hash ABC123EF45… of malicious binary.

  • Malware Signature: Emotet Trojan variant (payload identified by endpoint AV and hash).

  • Entry Vector: Likely phishing email with malicious macro (Emotet commonly spreads via phishing).

  • Observed Behavior: Lateral movement scans (FS1 attempted SMB connections to other hosts); large outbound HTTP data transfer blocked.

  • Affected Asset: Internal file server FS1 (holds customer files), also potential compromise of database server DB1 (login attempts seen).

  • Potential Impact: Customer financial data exfiltration risk; if spread, core banking database could be compromised.

  • Severity (Initial Assessment): High – incident impacts critical banking services and data, matching NIS2’s definition of significant.

  • Preliminary Conclusions: Emotet infection appears to be in-progress; malware present and attempting exfiltration. Containment measures (isolate FS1) are in effect.
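The triage notes above are the product of correlating several independent alerts (IDS, endpoint AV, SMB scans, failed logons) around one host. As an added illustration, not part of the exercise materials, the following Python script shows that correlation over a handful of constructed log lines: it parses them, links the events to the first compromised host, collects IOCs, marks hosts that the compromised host reached out to as at risk, assigns the severity rule the exercise uses (High when a critical asset or exfiltration is involved) and derives the 24-hour early-warning deadline from the first observation. The sample lines, the hash placeholder, the exfiltration byte threshold and the asset criticality set are constructed assumptions; the C2 IP and domain are the IOCs listed above.

```python
import shlex
from datetime import datetime, timedelta

# Constructed sample alerts standing in for the exercise's SOC log image.
# Format: "<ISO timestamp> <source> <kind> key=value ..." (CEST offset, +02:00).
SAMPLE_LOG = """\
2025-06-13T08:02:11+02:00 IDS alert src=FS1 dst=203.0.113.45 proto=HTTP bytes_out=48200000 action=blocked sig="Emotet C2 beacon"
2025-06-13T08:02:15+02:00 EDR alert host=FS1 file=invoice.exe md5=PLACEHOLDER_MD5 verdict=malicious family=Emotet
2025-06-13T08:05:40+02:00 IDS alert src=FS1 dst=DB1 proto=SMB dport=445 action=scan sig="SMB sweep"
2025-06-13T08:06:02+02:00 AUTH event host=DB1 user=svc_backup src=FS1 result=failure
2025-06-13T08:07:30+02:00 DNS query host=FS1 qname=emotet-ops.com
2025-06-13T08:09:00+02:00 AUTH event host=WS042 user=analyst src=10.10.5.42 result=success
"""

# Threat intelligence and asset context. The IP and domain are the IOCs the exercise lists;
# the criticality set and the byte threshold are assumptions for this example.
KNOWN_C2_IPS = {"203.0.113.45"}
KNOWN_BAD_DOMAINS = {"emotet-ops.com"}
CRITICAL_ASSETS = {"FS1", "DB1"}          # customer file server, core banking database
EXFIL_BYTES_THRESHOLD = 10_000_000        # one outbound flow above this is treated as possible exfiltration


def parse_line(line):
    """Split one 'timestamp source kind key=value ...' line into a dict (quoted values allowed)."""
    ts, source, kind, *rest = shlex.split(line)
    event = {"ts": datetime.fromisoformat(ts), "source": source, "kind": kind}
    for token in rest:
        key, _, value = token.partition("=")
        event[key] = value
    return event


def triage(log_text):
    """Correlate raw alerts into one incident record with severity and the NIS2 early-warning deadline."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e["ts"])
    compromised, at_risk, iocs, families, findings = set(), set(), set(), set(), []
    first_seen = None

    def flag(host, ts, what):
        """Record a host as compromised and keep the earliest observation time."""
        nonlocal first_seen
        compromised.add(host)
        first_seen = ts if first_seen is None else min(first_seen, ts)
        findings.append(f"{ts.time()} {what}")

    for e in events:
        host = e.get("host") or e.get("src")
        if e["source"] == "EDR" and e.get("verdict") == "malicious":
            families.add(e.get("family", "unknown"))
            iocs.add(("md5", e.get("md5", "unknown")))
            flag(host, e["ts"], f"{e.get('family', 'malware')} binary {e.get('file')} on {host}")
        elif e["source"] == "IDS" and e.get("dst") in KNOWN_C2_IPS:
            iocs.add(("ip", e["dst"]))
            flag(host, e["ts"], f"{host} contacted known C2 {e['dst']}")
            if int(e.get("bytes_out", 0)) > EXFIL_BYTES_THRESHOLD:
                findings.append(f"{e['ts'].time()} large outbound transfer from {host} "
                                f"({e.get('action')}): possible exfiltration")
        elif e["source"] == "DNS" and e.get("qname") in KNOWN_BAD_DOMAINS:
            iocs.add(("domain", e["qname"]))
            flag(host, e["ts"], f"{host} resolved known-bad domain {e['qname']}")
        elif e["source"] == "IDS" and e.get("proto") == "SMB" and e.get("src") in compromised:
            at_risk.add(e["dst"])  # lateral-movement scan from a compromised host
            findings.append(f"{e['ts'].time()} lateral-movement scan {e['src']} -> {e['dst']} (SMB)")
        elif e["source"] == "AUTH" and e.get("result") == "failure" and e.get("src") in compromised:
            at_risk.add(e["host"])  # credential attempt originating from a compromised host
            findings.append(f"{e['ts'].time()} failed logon on {e['host']} as {e.get('user')} from {e['src']}")

    exfil = any("exfiltration" in f for f in findings)
    critical_hit = (compromised | at_risk) & CRITICAL_ASSETS
    if compromised and (critical_hit or exfil):
        severity = "High"        # the exercise's reading of a NIS2 "significant" incident
    elif compromised:
        severity = "Medium"
    else:
        severity = "Low"
    return {
        "severity": severity,
        "nis2_significant": severity == "High",
        "first_seen": first_seen.isoformat() if first_seen else None,
        "early_warning_due": (first_seen + timedelta(hours=24)).isoformat() if first_seen else None,
        "compromised": sorted(compromised),
        "at_risk": sorted(at_risk),
        "malware": sorted(families),
        "iocs": sorted(iocs),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The ordering matters: events are sorted by time so that a lateral-movement scan or failed logon only counts when it comes from a host already flagged as compromised, which is what keeps the unrelated successful logon on WS042 out of the incident. The early-warning deadline is anchored to the first observation, the conservative reading of "awareness" an analyst should default to.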


Internal Email Escalation to Cybersecurity Manager


Executive Leadership Summary (Briefing)

  • Incident Detected: June 13, 2025, 08:02 AM CET – SOC detected Emotet Trojan activity on bank file server (outbound traffic to malicious IP). Emotet is a known data-stealing malware.

  • Scope & Impact: Core banking systems are affected. Initial containment (FS1 isolation) in place. Potential risk: unauthorized access to customer accounts and data exfiltration. Business Impact: High – potential service disruption and regulatory breach (customer personal data at stake).

  • NIS2 Classification: This incident meets the NIS2 “significant” threshold (severe disruption/financial impact). As an EU essential financial entity, we must issue an early warning to the national CSIRT within 24 hours of detection.

  • Actions Underway: SOC has initiated incident response: quarantined affected host, collected evidence, and notified stakeholders. Cybersecurity team is conducting analysis. The legal and compliance teams have been alerted to prepare for any data-breach reporting.

  • Next Steps: Continue forensic investigation (identify compromised data). Prepare NIS2-mandated reports (early warning now, detailed report within 72h). Review security of similar systems. Consider informing affected customers if data loss is confirmed.

  • Recommendation: Approve rapid engagement of external IR experts and law enforcement (Emotet is criminal malware). Ensure communication readiness. Emphasize to staff the need for vigilance (Emotet often enters via phishing).


Early Warning Notification to National CSIRT (Template)

Pursuant to NIS2 Article 23, an early warning must be submitted within 24 hours of awareness. Below is a structured template of key fields for our initial report (all times in CEST):

  • Reporting Entity: ACME National Bank (Essential Entity – Banking sector)

  • Detection Time: 2025-06-13 08:02 (CEST) – time the incident was first observed.

  • Affected Services: Retail Internet Banking and internal file services (customer data repository).

  • Incident Type: Unauthorized access / Malware infection (Emotet Trojan).

  • Description: Unusual outbound connections from internal file server FS1 to malicious IP. Emotet malware detected on FS1, indicating potential data theft. (Initial containment initiated.)

  • Initial Severity: High – critical customer data at risk, core banking operations threatened.

  • Suspected Cause/Threat: Confirmed malware attack. Evidence suggests a targeted phishing campaign introduced Emotet.

  • Malicious Intent: Yes (malware infection).

  • Cross-Border Impact: No (incident appears localized; no evidence of data affecting other Member States).

  • Indicators of Compromise: C2 IP 203.0.113.45; domain emotet-ops.com; malware file hash ABC123EF45…; unusual admin login from 203.0.113.45.

  • Mitigation/Actions Taken: Infected host isolated; traffic to C2 blocked; logs collected; incident response initiated.

  • Next Report: A detailed incident notification (with full severity impact and IOCs) will follow within 72 hours, as required by NIS2.

This notification serves as our early warning report to the national CSIRT (CERT-IT), fulfilling NIS2’s 24-hour requirement. A more detailed incident notification will be submitted later.
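The early warning, the 72-hour notification and the final report form a chain of deadlines all measured from the moment of awareness, and each stage has minimum content (the early warning must say whether the cause is suspected to be malicious and whether there is cross-border impact; the later reports add severity, IOCs, root cause and mitigation). As an added example that is not part of the exercise materials, the following Python module tracks both: `reporting_status` computes each due time from the awareness timestamp and states whether the report was on time, late, pending or overdue, and `missing_content` checks a draft against the required elements. The timeline in `demo()` is constructed to follow the exercise (awareness 08:02 Day 1, early warning 10:30, 72-hour notification Day 3 09:00, final report still pending); the fixed CEST offset, the field names, and counting the "1 month" final-report window as 30 days are assumptions.

```python
from datetime import datetime, timedelta, timezone

CEST = timezone(timedelta(hours=2), "CEST")   # fixed offset; a production tool would use a zone database

# Reporting stages and windows as the exercise states them for Article 23.
# Assumption: the "1 month" final-report window is counted as 30 days.
STAGES = (
    ("early_warning", timedelta(hours=24)),
    ("incident_notification", timedelta(hours=72)),
    ("final_report", timedelta(days=30)),
)

# Minimum content per stage, mirroring what the exercise's own templates include.
# Field names are this example's own.
REQUIRED_CONTENT = {
    "early_warning": ("suspected_malicious", "cross_border_impact"),
    "incident_notification": ("severity_assessment", "indicators_of_compromise"),
    "final_report": ("root_cause", "impact_analysis", "mitigation_measures"),
}


def reporting_status(awareness, submitted, now):
    """Timing check: one row per stage with due time, state and hours of slack (negative = past due)."""
    rows = []
    for stage, window in STAGES:
        due = awareness + window
        sent = submitted.get(stage)
        if sent is not None:
            state = "on_time" if sent <= due else "late"
            slack = due - sent
        else:
            state = "pending" if now <= due else "overdue"
            slack = due - now
        rows.append({"stage": stage, "due": due, "submitted": sent,
                     "state": state, "hours_slack": round(slack / timedelta(hours=1), 2)})
    return rows


def missing_content(drafts):
    """Completeness check: {stage: [absent field, ...]} for drafts that lack a required element."""
    gaps = {}
    for stage, required in REQUIRED_CONTENT.items():
        draft = drafts.get(stage)
        if draft is None:
            continue  # not drafted yet; reporting_status() already shows it as pending/overdue
        absent = [f for f in required if f not in draft or draft[f] in (None, "")]
        if absent:
            gaps[stage] = absent
    return gaps


def demo():
    """Constructed timeline following the exercise's Phase 3 log."""
    awareness = datetime(2025, 6, 13, 8, 2, tzinfo=CEST)
    submitted = {
        "early_warning": datetime(2025, 6, 13, 10, 30, tzinfo=CEST),
        "incident_notification": datetime(2025, 6, 15, 9, 0, tzinfo=CEST),
    }
    drafts = {
        "early_warning": {"suspected_malicious": True, "cross_border_impact": False},
        # Draft of the 72-hour notification that still lacks its IOC section.
        "incident_notification": {"severity_assessment": "High"},
    }
    now = datetime(2025, 6, 20, 12, 0, tzinfo=CEST)
    return reporting_status(awareness, submitted, now), missing_content(drafts)


if __name__ == "__main__":
    rows, gaps = demo()
    for r in rows:
        print(f"{r['stage']:<22} due {r['due']:%Y-%m-%d %H:%M} {r['state']:<9} slack {r['hours_slack']:+.1f}h")
    print("missing content:", gaps)
```

A false value such as `cross_border_impact: False` counts as present, since "no cross-border impact" is itself a required statement; only an absent or empty field is reported as a gap. Negative slack on a submitted stage is the number the compliance team needs for the record, since NIS2 asks for reporting "without undue delay" and a late report should be documented as such rather than silently accepted.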


Phase 2: Internal Coordination

Crisis Management Meeting Minutes

Date: [Today’s Date]
Time: 10:00 AM CET
Attendees: Cybersecurity Manager, CISO, Legal Advisor, COO

Agenda:

  • Incident update (Emotet malware discovery)

  • Impact assessment and NIS2 classification

  • Containment and remediation actions

  • Regulatory reporting obligations (NIS2)

  • Communications and escalation plan

Discussion:

  • Incident Overview: The Cybersecurity Manager reported that Emotet malware was detected on a file server hosting customer data. The server was immediately isolated from the network to prevent further spread. A forensic scan is in progress to determine scope and confirm whether any data exfiltration occurred.

  • Impact and Classification: The team agreed this likely qualifies as a “significant incident” under NIS2 (it could cause considerable damage to customers or ACME’s operations). The CISO noted that under NIS2 Article 23 we must now treat this with high priority. An initial severity assessment will be required.

  • Containment & Mitigation: The CISO confirmed containment measures are underway (disconnect infected systems, apply patches and clean tools). This aligns with NIS2’s required incident handling measures (prevention, detection, response). The team will preserve logs and images for investigation. Business continuity plans are activated to maintain banking services.

  • Regulatory Reporting: The Legal Advisor reminded everyone that NIS2 mandates an early warning report within 24 hours of awareness and a detailed incident notification within 72 hours to the national CSIRT/competent authority. Failure to meet these deadlines risks severe fines. ACME Bank, as an essential financial entity, could face penalties up to €10M or 2% of turnover for non-compliance. Importantly, NIS2 holds senior management personally accountable for cyber risk management.

  • Communications: The COO stressed the need for coordinated messaging. The Legal Advisor noted that NIS2 also requires informing affected customers (service recipients) about the incident and any mitigation steps. We will prepare customer-facing advisories as needed. Internally, a concise executive summary will be drafted for the Board.

  • Board Involvement: The CISO emphasized that the Board must be briefed immediately, since NIS2 brings cybersecurity directly into board accountability. The COO agreed to schedule an ad-hoc Board meeting this week to review the situation and approve resources for risk mitigation.

Decisions and Action Items:

  • Containment (CISO): Maintain isolation of infected server; complete malware removal.

  • Forensic Analysis (Cybersecurity Team): Complete full system scans to confirm impact and collect evidence.

  • Regulatory Notification (Legal/CISO): Draft and submit an early warning to the national CSIRT within 24h, followed by the formal incident report within 72h.

  • Customer Advisory (Legal/COO): Review requirements to notify affected customers of the threat and protection measures as per NIS2 Article 23(2).

  • Board Briefing (CISO): Prepare an executive summary of the incident and NIS2 obligations for the Board (email to follow).

  • Next Meeting: Reconvene tomorrow at 10:00 AM CET for updates on containment, analysis results, and progress on NIS2 reporting.


Executive Summary Email to Board

Internal Decision Log

  • Isolate Affected Server: Immediately disconnect the infected file server to halt malware spread. NIS2 Context: Taking prompt containment measures supports the required incident handling process.

  • Conduct Forensic Analysis: Perform a thorough forensic investigation to determine breach scope and data exfiltration. NIS2 Context: Documenting the incident and assessing its severity is necessary for the 72-hour notification content.

  • Assess Severity: Classify the incident severity. Because customer personal data is potentially compromised, this is being treated as a significant incident. NIS2 Context: Article 23 requires an initial impact and severity assessment in the 72-hour report.

  • Notify Competent Authority: Legal/CISO to submit an early warning to the national CSIRT within 24 hours and a full incident notification within 72 hours. NIS2 Context: Mandatory deadlines for incident reporting are set by NIS2 Article 23.

  • Customer Communication: Prepare notification for customers whose data may be affected. NIS2 Context: Per Article 23(2), entities must inform recipients of services about significant threats and protective measures without undue delay.

  • Executive Briefing: The CISO will update the Board promptly. NIS2 Context: Executives are held accountable for cyber resilience under NIS2. The Board must be engaged in oversight as part of its risk governance duties.


Escalation Memo from Legal

Phase 3 – Containment & Communication

Following detection of the Emotet malware incident, ACME’s incident response team immediately moved to contain the breach and communicate with affected parties. In line with best-practice guidance, the team isolated infected hosts, preserved evidence, and began coordinating notifications. The timeline below summarizes key containment actions over the first 72 hours:

  • Day 1, 09:00: IT detects unusual network traffic and a suspicious email with a malicious attachment. Incident Response (IR) team is activated.

  • Day 1, 09:10: Preliminary analysis identifies Emotet trojan (spread via malspam) as the culprit. The infected workstation is disconnected from the network.

  • Day 1, 09:20: All affected systems are quarantined and offline to halt the spread (“isolate affected systems”). Antivirus signatures and firewall rules are updated to block the Emotet payloads and command-and-control servers.

  • Day 1, 10:00: Emergency meeting with senior management and compliance. Legal/regulatory teams are alerted and prepared to notify authorities.

  • Day 1, 10:30: National CSIRT is notified with an early warning (per NIS2 Article 23, within 24 hours) that a malicious Emotet incident has been detected and is under investigation. It is reported as malicious and with no expected cross-border impact.

  • Day 1, 13:00: Full network scan and endpoint audits begin. Persistence mechanisms (scheduled tasks, registry entries, services) are identified in line with Emotet behavior. IR team removes Emotet services and cleans infected hosts.

  • Day 1, 15:00: All potentially compromised user and administrator credentials are reset and multi-factor authentication is enforced to block unauthorized access. Network segmentation is enforced for critical banking systems.

  • Day 1, 16:00: Internal communications drafted. The executive team convenes to approve external messaging to customers and staff.

  • Day 2, 09:00: Forensic analysis continues; no evidence of data exfiltration is yet confirmed. IR team completes eradication of Emotet from identified hosts and performs additional scans on backups.

  • Day 2, 11:00: Regulatory/legal team prepares the 72-hour incident notification. Draft customer advisory email and staff advisories are reviewed.

  • Day 2, 14:00: Press office prepares statements. We verify contingency plans to ensure continuity of banking services.

  • Day 3, 09:00: Containment verified: all infected endpoints cleaned or reimaged, critical systems monitored for anomalies. The formal 72-hour incident notification report is finalized and submitted to the national CSIRT, as required by NIS2 Article 23.

This log of actions aligns with NIS2’s incident handling requirements. For example, industry guidance emphasizes isolating affected systems and preserving evidence while keeping stakeholders informed. ACME’s response adhered to these practices and prepared all communications mandated by Article 23.

Draft Customer Advisory Email

In compliance with NIS2 Article 23, ACME Bank is obligated to notify customers of significant incidents that may affect their services. The following is a draft email from ACME Bank to its customers. This advisory succinctly explains the situation and gives clear protective measures. It reflects NIS2’s requirement to communicate threats and remedies to affected service recipients. By notifying customers promptly and advising them to enable MFA and monitor accounts, ACME fulfills its obligation to keep users informed.


Draft Internal Staff Advisory

ACME Bank also issues an internal advisory to all employees to raise awareness and ensure vigilance. This staff advisory alerts employees to the threat and instructs them on vigilance. It incorporates lessons from Emotet’s known behavior (spread by email and persistence mechanisms) and reinforces protective actions. By communicating clearly with staff, ACME supports its internal incident handling (Article 21) and ensures everyone understands their role in the response.


72-Hour Incident Notification Report (National CSIRT)

Incident Summary: On [Date 1], ACME Bank detected a significant malware intrusion (Emotet trojan) affecting our internal network. The trojan was introduced via a phishing email and had the potential to disrupt banking services. The incident is considered significant under NIS2 because it poses risk of severe operational disruption and potential financial harm. The bank’s cybersecurity team immediately isolated infected systems and began remediation.

Timeline: The incident was discovered at 09:00 on [Date 1]. An early warning was submitted to our national CSIRT within 24 hours, reporting that the incident was caused by malicious software and had no known cross-border impact. Key actions in the first 72 hours are summarized in the Containment Actions Log (above). By [Date 3, 09:00], all known malicious activity was contained.

Initial Impact Assessment (Severity & Scope): Emotet’s presence prompted a precautionary shutdown of several internal services. At peak, approximately 15 workstations and servers showed indicators of compromise (emails forwarded, processes running). No core banking systems were taken offline. There is currently no confirmed unauthorized access to customer accounts or evidence of customer data exfiltration; however, potential exposure of employee credentials and internal documentation remains under investigation. We estimate the incident’s impact as moderate: it has not halted critical services, but required urgent action and carries reputational risk. This preliminary assessment of severity and impact is provided in compliance with NIS2 Article 23.

Root Cause: The breach was caused by an Emotet banking Trojan delivered via a spear-phishing email. Emotet is a polymorphic downloader that spreads rapidly through networks. Our analysis indicates an employee opened a malicious attachment, allowing Emotet to install and begin propagating using collected credentials. Emotet’s dropper modules were able to harvest passwords and attempt lateral movement. All signatures of Emotet infection (scheduled tasks, registry entries, running services) were identified and removed.

Mitigation Measures Taken: We have executed comprehensive containment steps:

  • Isolation: Disconnected all infected endpoints and blocked malicious C2 domains.

  • Eradication: Removed Emotet processes, scheduled tasks, and registry entries on compromised machines.

  • Recovery: Systems were reimaged or rebuilt from clean backups. Patches were applied for all critical vulnerabilities.

  • Credential Changes: All potentially affected user and admin passwords have been reset, and network-wide MFA has been enforced.

  • Monitoring: Enhanced logging and network monitoring remain in place. We are reviewing historical logs for any lateral movement or data access.

  • Communications: Customers, regulators, and staff have been informed as per our incident response plan.

Remaining Actions and Outlook: The incident is currently contained. IR teams continue analysis to confirm no data was exfiltrated. We will cooperate with law enforcement on any criminal investigation. A final incident report, including detailed post-incident analysis and lessons learned, will be submitted within one month as required.

Cross-Border Impact: At present, we have no indication that the incident affected systems or customers outside our country.

Please contact ACME Bank’s CSIRT liaison ([email protected]) for further information or interim updates.

Sincerely,

Emily Johnson
Director of Cybersecurity Operations
ACME National Bank

Phase 4: Post-Incident Review and Final Reporting

Following containment of the Emotet malware incident, ACME National Bank conducts the mandated Phase 4 review and reporting under the EU NIS2 Directive. The documentation below includes the final CSIRT incident report (Article 23 compliance), a root-cause post-mortem, updated KPIs, a board briefing, vendor review, incident closure memo, and policy/governance recommendations. All outputs use NIS2 terminology (e.g. “significant incident”, CSIRT, competent authority, essential entity) and align with Articles 21 (risk-management), 23 (incident reporting), and 30 (information sharing).

Final Incident Report to National CSIRT

  • Incident Classification: ACME NB classified the Emotet compromise as a “significant incident” under NIS2 criteria, since it caused major operational disruption (temporary email outage) and risk of financial fraud. As an essential financial entity, ACME NB promptly notified the national CSIRT.

  • Notification Timeline: An early warning was issued within 24 hours of detection, followed by a formal incident notification within 72 hours, as required by NIS2 Article 23. This final report is being submitted within the 30-day deadline.

  • Report Contents: The final report contains all elements mandated by Article 23: a detailed incident chronology and impact analysis, root-cause identification, and a summary of all applied and planned mitigation measures. For example, it documents Emotet’s initial infection path, systems and services affected (e.g. online banking portal briefly degraded), and any data at risk. It includes the root cause (see next section) and corrective actions taken (re-imaged machines, reset credentials, etc.). We also assessed the cross-border impact (none, as this was contained locally).

  • Compliance Statement: The report affirms that ACME NB met all notification obligations without undue delay, in full compliance with Article 23. Under NIS2, the act of notification does not in itself increase ACME’s liability, so timely reporting carries no disadvantage. All required information was provided to enable the CSIRT to understand potential wider risks.

Updated Cybersecurity KPIs

  • Mean Time to Detect (MTTD): The average detection time for this incident was 8 hours, down from the prior baseline of 24 hours. Reducing MTTD is critical: industry guidance notes that faster detection (low MTTD) leads to more agile, effective response. ACME NB will continue to track MTTD to drive faster threat identification.

  • Mean Time to Resolve (MTTR): Our MTTR (detection-to-recovery) for Emotet was 12 hours. MTTR measures how quickly we return to normal operations, encompassing both remediation and recovery. A shorter MTTR signifies an efficient response process. Post-incident analysis shows this MTTR is comparable to industry best practices.

  • Vulnerability Patching Rate: We measure “days to patch” for critical vulnerabilities. Before the incident, the average was 45 days; after response we accelerated to 15 days. This metric (also called patching cadence) is fundamental: a high patching rate minimizes the window of exposure. Achieving patch installation within 30 days for critical updates is now a KPI target.

  • Security Training Completion: 95% of staff completed mandatory cybersecurity training this quarter, up from 70% prior. Training effectiveness is a key KPI, ensuring employees can recognize threats. High participation indicates a stronger security culture, which NIS2 explicitly encourages for management and employees.

  • Incident Reporting Rate: We track the number of suspicious events reported by staff (phishing attempts, malware alerts). The count increased by 30% after training campaigns. Reporting rate is a useful metric: more reports suggest higher vigilance among employees. This aligns with the notion that staff awareness (and training) is effective when they report issues promptly.

  • Phishing Click Rate: In simulated exercises, the percentage of users clicking on test-phishing emails has dropped from 15% to 4%. This KPI helps quantify user behavior improvements. A lower click rate indicates successful training and a strengthened human defense.

  • Compliance and Audit KPIs: Other monitored KPIs include patch compliance rate (target 100% within 30 days), endpoint security coverage (target 100%), and time to remediate detected vulnerabilities (target ≤48 hours). These collectively demonstrate progress toward meeting Article 21’s control requirements and overall security objectives.

Internal Board-Level Briefing (Risk Mitigation & Accountability)

In the board briefing, the CISO presented the incident timeline, risk impact, and mitigation outcomes. Pre- and post-incident risk levels were compared: for example, the operational risk rating for email services was lowered from High to Moderate after enhanced filtering and segmentation. The board was reminded of its NIS2 governance role per Article 20 – namely to approve cybersecurity measures and oversee implementation. Management emphasized that all board members have completed the required cybersecurity training as encouraged by Article 20.

  • Mitigation Outcomes: Key technical measures were implemented (e.g. new email threat filtering, enterprise-wide MFA, faster patch deployment). These directly addressed the root causes and NIS2’s all-hazards security objectives. Business continuity systems operated smoothly throughout, demonstrating resilience.

  • Residual Risk: After remediation, the residual cyber risk for core banking services is Low. The Board noted that service levels are fully restored and that incident response procedures functioned effectively. A re-test of backups and recovery processes confirmed operational readiness.

  • Board Accountability (Art.20): The board formally approved the revised cybersecurity budget and policies, fulfilling its Article 20 duty to sanction risk-management measures. Members affirmed they understood their accountability: per NIS2 they can be held liable if governance failures occur. The Board also validated that all directors completed cybersecurity governance training, as Article 20 requires.

  • Next Governance Steps: Board members scheduled quarterly cyber risk reviews going forward, and requested regular KPI dashboards. The Board’s risk appetite statement was updated to incorporate lessons from this incident. The importance of enterprise-wide security culture was stressed, reinforcing that cybersecurity is a strategic priority.

Vendor Review Outcome & Security Posture Recommendations

  • Vendor Assessment: We reviewed all third-party services involved (email gateway provider, managed IT services, and authentication software). No vendor systems were found to be compromised. However, the review did uncover that one vendor’s patch cycle lagged behind ACME’s standards, which may have contributed to the delayed OS patch.

  • Supply Chain Risk Management: Per NIS2 Article 21(d), we evaluated the cybersecurity practices of our direct suppliers. To strengthen security, we will mandate stricter contractual requirements: vendors must meet minimum security standards (e.g. automated patch management, incident logging) and allow ACME periodic security audits. Key vendor SLAs will include cyber KPIs and reporting.

  • Vendor Security Posture: For example, we will require the email security vendor to implement advanced threat analysis (sandboxing, URL scanning) that could catch new malware variants. The IT outsourcing partner has been instructed to tighten vulnerability management (applying ACME’s critical patches within 48 hours). We will also insist on security certification proof (e.g. ISO 27001) for all critical providers.

  • Recommendations: In line with NIS2, ACME NB will adopt a formal Vendor Risk Management policy. This includes initial due diligence, periodic reassessment, and real-time monitoring of critical suppliers. By addressing supply-chain security (Article 21(d)), we reduce the chance that a third-party failure could enable future incidents.

Executive Sign-off Memo (Incident Closure)

A formal memo from the CISO to the executive team closes out the incident. It states that all NIS2 reporting and response obligations are complete: the final report was submitted on [Date], within the 30-day deadline, and all corrective actions have been implemented or are on schedule. The memo confirms that systems are fully recovered, backups are intact, and enhanced monitoring is in place. It asserts that no unresolved issues remain, and that the incident can be considered formally closed. The CISO and CEO will sign off to acknowledge closure.

  • Compliance and Closure: The memo notes that by meeting the Article 23 timelines and report requirements (including root-cause analysis and mitigation description), ACME NB fulfills its CSIRT notification obligations.

  • Residual Actions: Any low-priority improvements (e.g. extended user training) are documented as scheduled tasks. Remaining risk is documented as acceptable.

  • Auditable Record: All incident documentation (reports, analyses, communications) is being retained per the NIS2 data retention guidance. The sign-off ensures that this incident’s lifecycle is formally complete in ACME’s records.

  • Acknowledgement: The memo concludes with executive approval to close the incident, reinforcing accountability at the highest level and signaling that normal operations resume under heightened vigilance.

Policy and Governance Improvement Recommendations

  • Incident Response Plan Update: Revise the IR plan to explicitly align with NIS2 Article 23 requirements. This includes defined thresholds for a “significant incident”, clear notification procedures (CSIRT, competent authority), and templates for early warning and final reports. Include cross-border communication steps and integration with law enforcement protocols.

  • Risk Management Policy: Strengthen the formal Risk Management Policy to embody the “all-hazards” approach of Article 21. Ensure documented processes for regular risk analysis, incident handling, business continuity, and crisis management. Assign roles and timelines for risk assessments and ensure continuous improvement of controls.

  • Vendor/Supply-Chain Policy: Develop a Supplier Security Policy per Article 21(d). This policy will specify how ACME evaluates and monitors vendor cyber hygiene. It should require security questionnaires, contract clauses on patching and breach notification, and periodic vendor audits.

  • Cyber Governance Charter: Create a board-level Cybersecurity Charter that codifies Article 20 responsibilities. It will detail governance structure, reporting lines, and board approval processes for security measures. Also establish a training plan for executives and staff in line with Article 20(2) and Article 21(g) requirements.

  • Cybersecurity Training & Culture: Introduce ongoing security awareness initiatives, including annual phishing simulations and specialized training for technical and non-technical staff. This implements Article 21’s cyber hygiene and Article 20’s leadership training mandates. Promote a “see something, say something” culture by encouraging voluntary reports of near-misses and threats (supported by NIS2 Article 30).

  • Performance Monitoring & Reporting: Establish a continuous monitoring program with the KPIs defined above. Produce periodic compliance reports to the board. Ensure that policies are periodically reviewed and tested (e.g. tabletop exercises, audits) to confirm ongoing adherence to NIS2 Articles 21 and 23. Leverage voluntary information sharing (Article 30) by participating in CSIRT briefings and sharing anonymized threat data to improve collective resilience.

By implementing these measures, ACME National Bank will reinforce its cybersecurity posture and ensure full alignment with NIS2. The post-incident review and reporting process not only satisfies regulatory obligations but also drives continuous improvement across policies, controls, and governance.

Phase 5: Regulatory Oversight and Audit Readiness

Simulated Inspection Notification Letter


Internal Audit Readiness Checklist

  • Governance & Oversight: Confirm that the Board of Directors has formally approved the bank’s cybersecurity risk-management strategy and that responsibilities are assigned (per NIS2 Article 20). Document that board members completed mandated cybersecurity training and that similar training is provided regularly to all staff.

  • Risk Management Policies: Ensure documented policies exist for risk analysis, system security, and effectiveness reviews. Verify that cyber risk assessments are up-to-date (reflecting the Emotet incident findings) and are approved by senior management.

  • Incident Response & Continuity: Check that a formal incident response plan and business continuity/disaster recovery plans are in place (backup tests, crisis drills). Make sure incident drills are documented and lessons learned are incorporated.

  • Technical Controls: Verify implementation of layered defenses: up-to-date anti-malware and endpoint detection tooling, multi-factor authentication on all critical systems, encryption of sensitive data, and secure configuration management. Confirm that vulnerability management and patching procedures are documented and regularly followed.

  • Supply Chain Security: Confirm policies for evaluating and monitoring third-party and vendor cyber risk. Evidence might include supplier security questionnaires, contractual security clauses, and recent audit reports of key vendors.

  • Training & Awareness: Review records showing all employees (from board to line staff) completed cybersecurity awareness and phishing training in the last 12 months. Ensure there are logs of training dates, content, and attendance certificates.

  • Incident Reporting: Verify that incident notification procedures align with NIS2 Article 23 timelines. There should be logs showing any “early warnings” sent within 24 hours and full incident reports within 72 hours of discovery. Confirm that the final Emotet incident report was submitted to the CSIRT as required.


Sample Compliance Evidence Documents

  • Annual Cybersecurity Training Log (Excerpt): NIS2 Article 20 mandates regular training for management and staff. For example:

    | Date       | Training Session                         | Audience           | Evidence                       |
    |------------|------------------------------------------|--------------------|--------------------------------|
    | 2024-10-05 | Board Cybersecurity Oversight Workshop   | CEO, Board Members | Attendee sign-in sheet         |
    | 2024-12-01 | All-Staff Phishing Simulation & Training | All Employees      | Completion certificates in LMS |
    | 2025-02-15 | Risk Management Policy Review            | CISO, IT Managers  | Training records               |

    These logs and certificates demonstrate management and employee training as required under Article 20.


  • Governance & Oversight: Board Meeting Minutes (Excerpt): ACME National Bank – Board of Directors Meeting Minutes


  • Cyber Risk Management Policy (Excerpt): updating the following policy section is mandatory:

Section 4.2 – Quarterly Cyber Risk Assessment

Objective: To systematically identify, evaluate, and prioritize cyber risks across all business units and critical systems. The assessment process must incorporate data from recent security incidents, threat intelligence feeds, and vulnerability scanning results.

Process Owner: Director of Cybersecurity Operations

Frequency: Assessments are to be conducted every quarter, or immediately following any significant security incident (e.g., the Emotet malware compromise of June 2025).

Approval & Sign-Off: June 2025 Assessment

“I hereby certify that the June 2025 Cyber Risk Assessment, which includes the detailed Emotet Incident Addendum, has been thoroughly reviewed and is approved for presentation to the Board of Directors.”

Approved By:

  • Emily Johnson, Director of Cybersecurity Operations – Signature on file

  • Robert Keller, Chief Operating Officer – Signature on file

  • John Smith, Board Chair – Dated 05 June 2025


  • Technical Controls: Vulnerability & MFA Report (Excerpt): evidence of patch application and MFA enforcement:

Critical Vulnerabilities – Q2 2025

| CVE ID        | Affected System           | Discovery Date | Patch Release Date | Patch Application Date | Days Open | Status |
|---------------|---------------------------|----------------|--------------------|------------------------|-----------|--------|
| CVE-2025-1234 | Windows Server 2019 (FS1) | 01 May 2025    | 05 May 2025        | 07 May 2025            | 6         | Closed |
| CVE-2024-5678 | Email Gateway Appliance   | 15 Apr 2025    | 20 Apr 2025        | 22 Apr 2025            | 7         | Closed |
| CVE-2025-7890 | Database Cluster (DB1)    | 10 Jun 2025    | 12 Jun 2025        | 14 Jun 2025            | 4         | Closed |

Multi-Factor Authentication (MFA) Enforcement

Report Date: 12 June 2025

Scope: All user and administrator accounts with access to critical information systems, as defined by the Cyber Risk Management Policy.

Result: 100% MFA coverage has been achieved and enforced. Detailed enforcement logs are archived and available in Azure AD (export file reference: MFA_Coverage_June2025.csv).


  • Emotet Incident Report (Excerpt): NIS2 Article 23 requires timely incident notification and a final report. A portion of the internal incident timeline is shown below (times in UTC):

Early Warning Notification (24 Hours)

  • Date/Time: 11 June 2025, 10:15 CEST

  • Recipient: National CSIRT (Netherlands)

  • Submission Method: CSIRT Secure Portal

  • Subject: Early Warning – Emotet Malware Detected – ACME NB

Body Excerpt:

“This serves as an early warning notification under NIS2 Article 23. ACME National Bank has detected Emotet malware on an internal file server (FS1). Affected systems have been isolated from the network. At this time, no cross-border impact is suspected and no personal data is known to be compromised. Further details will follow in the formal incident notification.”

72-Hour Incident Notification

  • Date/Time: 14 June 2025, 08:00 CEST

  • Contents: The full report was submitted containing:

    1. Detailed Incident Chronology & Business Impact Assessment

    2. Mitigation Measures Undertaken and Planned

    3. List of Affected Systems and Business Units

    4. Known Indicators of Compromise (IoCs)

    5. Contact Details for the assigned Incident Manager

Final Incident Report

  • Submission Date: 13 June 2025

  • Title Page Excerpt:

    “ACME National Bank Emotet Malware Final Incident Report – NIS2 Article 23 Compliance – Submitted 13 June 2025”

  • Key Attachments Provided:

    • Root-Cause Analysis (RCA_Emotet_June2025.pdf)

    • Containment & Eradication Logs (Logs_Emotet_June2025.csv)

    • Forensic Evidence Chain of Custody Summary (Forensics_Summary.docx)
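The Article 23 timeline above, and the Incident Reporting item in the audit checklist, can be verified mechanically rather than by eye. The following Python script is an added example and not part of the exercise documents: it normalizes the report's CEST timestamps to UTC and checks each stage against its deadline. The awareness time and the late-notification variant are constructed assumptions (the excerpt does not state when the SOC became aware), and "one month" for the final report is approximated as 30 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The report lists times in CEST (UTC+2); a fixed offset avoids a tz-database dependency.
CEST = timezone(timedelta(hours=2), "CEST")

# NIS2 Article 23 stages, measured from the moment the entity became aware of the
# incident. "One month" for the final report is approximated as 30 days (assumption).
STAGES = {
    "early_warning": timedelta(hours=24),
    "incident_notification": timedelta(hours=72),
    "final_report": timedelta(days=30),
}


@dataclass(frozen=True)
class StageResult:
    stage: str
    deadline_utc: datetime
    submitted_utc: datetime
    on_time: bool
    slack: timedelta  # margin left before the deadline; negative means overdue


def _to_utc(moment, label):
    # Mixed CEST/UTC stamps are a classic audit pitfall: refuse naive datetimes.
    if moment.tzinfo is None:
        raise ValueError(f"{label}: timestamp has no timezone")
    return moment.astimezone(timezone.utc)


def check_article23(aware_at, submissions):
    """Return {stage: StageResult} for every Article 23 stage present in submissions."""
    aware_utc = _to_utc(aware_at, "awareness")
    results = {}
    for stage, window in STAGES.items():
        if stage in submissions:  # a missing stage is simply not yet submitted
            deadline = aware_utc + window
            submitted = _to_utc(submissions[stage], stage)
            results[stage] = StageResult(stage, deadline, submitted,
                                         submitted <= deadline, deadline - submitted)
    return results


# Submission times from the Emotet excerpt (CEST). The awareness time is a
# constructed assumption; the excerpt does not state when the SOC became aware.
AWARE_AT = datetime(2025, 6, 11, 8, 30, tzinfo=CEST)
PAGE_SUBMISSIONS = {
    "early_warning": datetime(2025, 6, 11, 10, 15, tzinfo=CEST),
    "incident_notification": datetime(2025, 6, 14, 8, 0, tzinfo=CEST),
    "final_report": datetime(2025, 6, 13, 0, 0, tzinfo=CEST),  # only the date is given
}
# Constructed variant: the same timeline with the 72-hour notification sent too late.
LATE_SUBMISSIONS = dict(PAGE_SUBMISSIONS, incident_notification=datetime(2025, 6, 14, 12, 0, tzinfo=CEST))
```

Running `check_article23(AWARE_AT, PAGE_SUBMISSIONS)` gives an on-time result for all three stages, while `LATE_SUBMISSIONS` flags the notification as 3.5 hours overdue.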


Board-Level Cybersecurity Strategy Briefing (Slide Notes)

  • Governance & Accountability: Reiterate that the Board formally approves and oversees all cybersecurity risk measures. Highlight that failure in oversight could lead to personal liability (per NIS2 & corporate law).

  • Risk-Based Strategy: Commit to embedding cybersecurity into enterprise risk management. All major IT and business risks (e.g. malware, supply chain) are evaluated regularly under an “all-hazards” approach.

  • Invest in Protective Controls: Outline plans to invest in state-of-the-art defenses: advanced email filtering, endpoint detection and response (EDR), robust backup/DR systems, and network segmentation. Emphasize mandatory deployment of multi-factor authentication for all sensitive systems.

  • Training & Culture: Confirm Board and executive cybersecurity training programs (fulfilling Article 20) and a schedule for ongoing staff awareness campaigns. Highlight that skilled personnel are a key defense layer.

  • Incident Preparedness: Review incident response improvements: a tested IR plan, regular drills, and procedures for rapid communication (to CSIRT, regulators, customers) in line with NIS2 reporting obligations.

  • Supply Chain Security: Commit to stringent third-party security management (vendor audits, security clauses, diversity of suppliers) as per NIS2 supply-chain risk requirements.

  • Continuous Compliance: Outline an ongoing compliance program: regular internal audits, gap analyses against NIS2/ISO 27001, and a 12-month roadmap to remediate any findings. This shows long-term governance commitment to regulatory compliance and cyber resilience.

Each point reinforces ACME Bank’s alignment with NIS2 governance expectations and ensures sustained commitment at the highest level.

Updated Cyber Risk Register (Post-Incident)

In keeping with NIS2’s risk management mandate, the cyber risk register has been updated to reflect insights from the Emotet incident. Key entries (excerpt) are shown below:

| Risk | Description | Likelihood | Impact | Mitigation / Controls |
|------|-------------|------------|--------|-----------------------|
| Phishing / Malware Intrusion | High volume of targeted phishing (Emotet) attacks via email/supply chains | Medium | High | Advanced email filtering, EDR endpoint protection, quarterly phishing drills and mandatory staff training. |
| Credential Compromise | Stolen or weak credentials leading to unauthorized access | Medium | High | Enforced MFA on all sensitive systems, strict password policies, rapid revocation of breached accounts. |
| Supply Chain / Vendor Vulnerability | Exploitable flaws in third-party software or services | Medium | Medium | Vendor security assessments, contractual security requirements, diversified supplier strategies. |
| Business Continuity / Recovery | Extended downtime from future incidents or outages | Low | High | Regular disaster recovery drills, offline backups, alternate data centers (ensuring minimal disruption). |
| Regulatory & Compliance Penalty | Fines or sanctions for NIS2 non-compliance | Medium | High | Dedicated compliance team, continuous NIS2 gap remediation, internal audits and liaison with national CSIRT. |

Each risk is rated considering recent events. Controls have been strengthened (e.g. MFA deployment, enhanced monitoring) to reduce likelihood and impact. This register demonstrates ACME Bank’s proactive risk-management as required by NIS2.