A security incident can quickly pose enormous challenges for companies. In the worst-case scenario, the company could become virtually inoperative overnight. Beyond the practical consequences, however, such an IT security incident also quickly becomes a legal emergency: decisions must be made within a matter of hours that will determine liability, trust, and fines.
Particularly complex is the multitude of different reporting obligations that apply depending on the industry and legal framework: a 72-hour reporting obligation under the GDPR for personal data breaches; a reporting obligation for operators of critical infrastructure under the BSI Act and for a wide range of other companies under the NIS 2 Directive, sometimes as short as 24 hours; reporting obligations under the EU’s AI Act, sometimes as short as 2 days; and sector-specific reporting obligations, such as in the financial sector under the Digital Operational Resilience Act (DORA) and its associated delegated regulations, sometimes as short as 4 hours.
We advise companies throughout the entire incident response process: from the initial legal assessment and coordination with authorities to follow-up and liability mitigation.
Our consulting services for the incident response process include:
- Rapid initial legal assessment
- Analysis of applicable reporting obligations (GDPR, NIS 2, AI Regulation, DORA, etc.)
- Advice on additional legal obligations
- Support for decision-makers
- Assistance with internal coordination with IT and compliance teams
- Communication with authorities
- Support in preparing legally compliant reports
- Assistance with communication with supervisory authorities
- Legal preparation for inquiries and audits
- Liability and organizational security
- Prevention of organizational negligence and personal liability
- Follow-up on incidents to optimize internal compliance
- Preventive preparation for emergencies
- Training of key personnel on reporting and action obligations
- Integration of legal processes into existing security and crisis structures
An IT security incident is not merely a technical glitch, but a legally complex event. Companies that are prepared and have clear legal structures in place maintain control and trust even in a crisis. We support you not only proactively but also in urgent situations: If a cyberattack, data breach, or a potentially reportable IT security incident has already occurred, we are available on short notice to provide legal advice, assess the situation, and coordinate the necessary steps with you.
Feel free to contact us:
Dr. André Schmidt | Partner
Angelika Maria Szalek | Senior Associate
