What do I do in the first hour after a data breach?
The first hour is containment and fact-finding. Do not call the AP yet, first know what happened.
Try this first
- 1Log everything from minute zero. Time, reporter, signal, first action. You will need this for the AP notification and possibly insurance.
- 2Containment: isolate the compromised account or system. Reset passwords, revoke session tokens, take the device off the network.
- 3Categorise the breach. Misdirected email, lost laptop, ransomware, account takeover, accidental disclosure. The category drives next steps.
- 4List the personal data potentially affected. Which fields, how many records, which subjects. First estimate is fine; refine later.
- 5Call your DPO or, if none, your IT partner. Not the AP yet; that comes at step six.
When to bring us in
Active ransomware or thousands of records affected? Stop DIY. Call us or another CSIRT partner before you click anything else.
See also
- Does NIS2 apply to my company?Two questions decide it: are you in a listed sector, and do you meet the threshold from Recommendation 2003/361/EC (more than 50 FTE and more than EUR 10M turnover or balance sheet). Below that you are only indirectly in scope, via your customers. The threshold determines whether you are an important or essential entity depending on sector.
- What changes with the Dutch Cyber Security Act?The Cyberbeveiligingswet is the Dutch implementation of NIS2. Track NCSC for the exact effective date and the lower regulations.
- Am I personally liable as a director under NIS2?Yes. The board is accountable for approving and overseeing the cyber measures. Severe negligence can become personal.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.