
Why an Incident Response Plan Is the Cheapest Insurance Your Business Will Ever Buy: 2025–2026 Reality Check

Optimum Web Security Team

Quick Answer: An Incident Response Plan (IRP) is the single highest-ROI security investment in 2026. Having a tested IRP saves an average of $2.66 million per breach (IBM 2025). The global average breach costs $4.44 million ($10.22 million in the US). Germany issued its first NIS2 fine of €850,000 in February 2026 specifically for the *absence* of incident response procedures. A tailored, audit-ready IRP from Optimum Web: €359, 5–7 business days, covering NIS2, GDPR, ISO 27001, SOC 2, PCI DSS, and DORA.

In 2025, 44% of organisations admit they are not ready to quickly detect and respond to a cyber incident. Meanwhile, NIS2 enforcement is live: Germany’s BSI issued its first NIS2 penalty in February 2026, France opened investigations into 14 entities in Q1 2026 alone, and the 24-hour early warning clock under NIS2 Article 23 is binding from the moment of awareness.

This article unpacks what an Incident Response Plan actually is in 2026, four real-world cases — Maersk, Norsk Hydro, Change Healthcare, and a Fortune 500 $0 attack — that show what happens with and without one, and how Optimum Web delivers a fixed-price, regulator-ready IRP for €359 in 5–7 business days.

The 90-Second Reality of 2026

Three things have shifted under the feet of every European business in the last 18 months:

1. NIS2 enforcement is live. As of May 2026, the European Commission has referred seven Member States to the Court of Justice of the EU for failure to transpose NIS2. Germany’s BSI is already issuing fines. France opened investigations into 14 entities in Q1 2026 alone. The first compliance audit deadline of 30 June 2026 has passed for many member states.

2. The clock has been compressed. NIS2 Article 23 mandates a 24-hour early warning, 72-hour incident notification, and a one-month final report for any significant incident. GDPR Article 33 requires breach notification to the Data Protection Authority within 72 hours. DORA layers additional timelines on top for financial entities. 24 hours from *awareness* — not from breach discovery. If your monitoring flags unusual traffic at 14:00 on Friday, your early warning is due by 14:00 Saturday, including weekends and holidays.

3. AI changed the threat model. 16% of breaches studied in 2025 involved attackers using AI tools, most often for phishing or deepfake impersonation attacks. 97% of organisations that experienced an AI-related breach say they lacked proper AI access controls. One in five organisations reported a breach due to shadow AI, which added an average of $670,000 in breach costs. Your IRP needs sections that did not exist three years ago.

What an Incident Response Plan Actually Is

An Incident Response Plan is a written, role-assigned document that tells your organisation exactly what to do — and who does it — when a security incident occurs.

A real IRP is not a 3-page checklist. It is a 25–35 page operational document covering the full incident lifecycle. It answers, *before* an incident happens, questions you do not want to be debating at 02:00 while your CRM is encrypted:

- Who is the Incident Commander, and who is the backup if they are on holiday?
- At what point does a P3 incident escalate to P1, and who has the authority to declare that?
- What is the exact text of the customer email if their data is exposed? In what language?
- Who calls the regulator — and who decides we are calling them?
- Do we pay the ransom? Who authorises that decision?
- Which systems do we isolate first to contain spread, and who has the keys to do it?

If your company cannot answer all of these from memory, you do not have an Incident Response Plan. You have a wish.

The Six NIST SP 800-61 Lifecycle Phases

Preparation — building the capability before an incident: tooling, roles, communications channels, training, tabletop exercises, retainer agreements, contact lists for regulators.

Detection and analysis — identifying that something is wrong and classifying it. Severity scoring (P1–P4), evidence preservation, scope assessment.

Containment — stopping the spread. Network segmentation, account disabling, key rotation, host isolation. Short-term containment buys time for long-term containment while business continues.

Eradication — removing the threat. Patching the vulnerability, removing malware, eliminating attacker persistence: backdoors, scheduled tasks, service accounts.

Recovery — restoring services. Bringing systems back online, validating they are clean, monitoring for re-infection.

Post-incident review — learning. Root cause analysis, lessons learned document, update to the plan, additional controls, training.

The Numbers That Matter in 2026

These are the figures your CFO will respond to.

What a Breach Costs in 2025

| Region / Sector | Average breach cost |
|---|---|
| Global average | **$4.44M** |
| United States | **$10.22M** (record high) |
| Germany | ~$5.6M |
| United Kingdom | ~$4.5M |
| Healthcare (global) | **$7.42M** (highest sector) |

Source: IBM Security, Cost of a Data Breach Report 2025.

For ransomware specifically: the average ransom demand reached $1.2M for mid-sized businesses in 2024, 55% of organisations paid, and the average total ransomware attack cost was $5.13 million — a 574% increase over six years. Paying the ransom does not guarantee data recovery and does not prevent re-extortion.

What an IRP Saves

Having a tested Incident Response Plan saves an average of $2.66 million per breach (IBM 2025). That is the measured difference between companies that had a plan they had actually exercised versus those that did not.

A €359 plan that saves $2.66 million is a 7,400× return. There are not many investments with that kind of math.

On the breach lifecycle: breaches detected in under 200 days cost an average of $3.61M, while those taking over 200 days cost $5.49M — a $1.88M difference. The IBM average is 241 days total. Companies with tested IRPs consistently sit at the lower end of this distribution.

What NIS2 Adds on Top

Missing NIS2 Article 23 notification deadlines exposes essential entities to administrative fines of up to €10 million or 2% of worldwide annual turnover. For important entities, the cap is €7 million or 1.4%.

But here is the critical precedent: Germany issued its first NIS2 penalty in February 2026 to a mid-sized cloud service provider. Fine: €850,000. The reason? Failure to implement risk management measures and incident response procedures.

Note the wording carefully: the fine was issued because the company did not have an incident response plan — before any actual breach occurred. The absence of the plan was itself the violation. Germany’s December 2025 BSI Act transposition also elevates NIS2 to a board-level issue: executives and board members can be held personally liable for gross negligence in cybersecurity governance.

Four Real Cases: With and Without an Incident Response Plan

The best way to understand what an IRP buys is to look at companies that lived through real incidents — and compare those that had a plan to those that did not.

Case 1 — Maersk and NotPetya (June 2017): The Operational Meltdown

On 27 June 2017, the NotPetya wiper malware spread through a Ukrainian tax software update and within hours crippled the Danish shipping giant A.P. Møller-Maersk. 45,000 PCs and 4,000 servers were rendered useless. Final cost: $300–350 million, contributing to a $1.9 billion operating loss in 2017.

Maersk had no incident response plan adequate to the scale of the attack. Recovery depended on pure luck: a single server in Ghana happened to be offline during a local power outage, preserving the Active Directory that allowed them to rebuild in ten days. Without that power failure in West Africa, recovery would have taken months or years.

What Maersk did after the incident: Crisis Management Playbooks formalised. Emergency crisis teams activated. Infrastructure rebuilt across 150 sites in 100 countries over 3 months. Business Continuity Guarantees became part of enterprise customer SLAs. Cyber-Resilience Certification integrated into client RFPs.

Lesson: Maersk turned a $300M disaster into a competitive advantage — but only after the fact, and only because a power outage in West Africa happened at the right moment. The price of that lesson was nearly two billion dollars.

Case 2 — Norsk Hydro and LockerGoga (March 2019): How Transparency Rebuilt Trust

On 19 March 2019, Norsk Hydro — one of the world’s largest aluminium producers — found its entire global IT environment encrypted by the LockerGoga ransomware. All 35,000 employees across 40 countries affected. Estimated loss: $67–84 million. Several months to full operational recovery.

But here is what Norsk Hydro did differently from Maersk: they had decided in advance how they would handle a breach. Two key pre-decisions:

1. No ransom payment — avoiding weeks of internal debate while attackers held data hostage
2. Full public transparency — daily press conferences, public technical findings, social media updates

The company was later thanked for its transparency by authorities, who said its openness helped prevent a string of other incidents. Their stock price recovered. Their reputation grew. Their customer base stayed.

Lesson: You do not invent your communications strategy at 03:00 during the attack. You write it down before the attack. That is what an IRP is.

Case 3 — Change Healthcare / UnitedHealth (February 2024): $2.87 Billion

On 12 February 2024, the BlackCat ransomware group compromised Change Healthcare, a UnitedHealth subsidiary processing a third of all US healthcare claims.

UnitedHealth paid nearly $22 million in Bitcoin to BlackCat. Recovery costs mounted because the company clearly had not followed best practices for maintaining reliable backups. By end of 2024, reported direct response costs reached $2.87 billion, with additional business disruption losses on top.

What went wrong, per public reporting:

- No tested backup restoration procedure for affected services
- Initial access via a Citrix portal that lacked multi-factor authentication
- Insufficient network segmentation, allowing lateral movement across the environment
- Communication chaos: hospitals nationwide could not process insurance claims for weeks
- Decision to pay $22M ransom did not prevent the data leak — the affiliate group re-extorted

After more than three months, UnitedHealth was still working to restore affected services.

Lesson: A multinational with a $400 billion market cap and the resources to hire any consultancy in the world still found itself unprepared. The plan needs to be tested, not just written.


Case 4 — The $0 Attack: What a Plan Looks Like When It Works

A Fortune 500 company maintained an incident response retainer with consulting firm Booz Allen. When a ransomware attack hit, the playbook was already in motion before the threat actor finished encrypting.

The outcome: zero ransom payment, full recovery from clean backups, minimal customer disruption, no regulatory action. The plan and retainer cost a tiny fraction of what a single ransom payment would have been.

Lesson: This is the boring outcome — the press release nobody writes. It is what happens when the plan exists, is tested, and the team knows what to do.

What Makes 2026 Different From 2023

AI rewrote the attack playbook. Deepfake CFO calls authorising urgent wire transfers are real. Voice cloning from public videos takes minutes. Phishing emails are now grammatically perfect in every European language. Your IRP needs new sections: deepfake verification protocols for financial decisions, AI-generated content authentication procedures for executive communications, shadow AI inventory and incident scenarios.

NIS2 turned cybersecurity into board-level personal liability. Germany’s December 2025 BSI Act transposition explicitly makes NIS2 a board-level issue with director liability. If an essential entity has no incident response procedure and a significant incident occurs, the responsible board member can be personally fined and — in extreme cases — temporarily banned from management functions.

The 24-hour clock is now binding. NIS2 requires a 24-hour early warning, 72-hour notification, and 1-month final report. 24 hours from *awareness*, not from breach discovery. If you do not have written templates and a designated person, you will not make this deadline. If you miss it, you are in violation — regardless of whether you ever experienced a significant breach.

What a Real IRP Contains in 2026

A modern IRP is a working document. Here is what it should contain — based on what we deliver at Optimum Web and what NIS2, GDPR, ISO 27001, SOC 2, PCI DSS, and DORA auditors expect.

Section 1 — Roles and responsibilities. A RACI matrix covering Incident Commander, Technical Lead, Communications Lead, Legal/DPO Lead, and Executive Sponsor. Every role has a primary and backup. Contact details reviewed quarterly.

Section 2 — Severity classification. A P1–P4 matrix with concrete examples for your business. P1 is “stop everything, wake everyone up.” Classification triggers automatically based on observable criteria — data type, affected users, system criticality, regulatory implications.

Section 3 — Detection and analysis playbooks. For each top-10 scenario (ransomware, BEC, data exfiltration, DDoS, insider threat, supply chain compromise, lost device, account takeover, web application attack, cloud misconfiguration), a step-by-step playbook covering recognition, first 30 minutes, evidence preservation, containment options, and escalation triggers.

Section 4 — Communications templates. Pre-written, legally reviewed, executive-approved templates for internal staff, customers, and regulators. Separate templates for NIS2 24-hour, NIS2 72-hour, GDPR 72-hour, DORA, and sector-specific notifications. Each in your primary languages.

Section 5 — Regulatory notification workflows. Decision tree mapping incidents to notification obligations. Includes relevant regulators by jurisdiction, the deadline clock, required content elements, and submission method.
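The severity matrix in Section 2 and the notification decision tree in Section 5 can be expressed as a few lines of code, which is also the easiest way to check the 24-hour-from-awareness rule quoted above. The following Python is an added example, not part of Optimum Web's deliverable: the deadlines (NIS2 Article 23 24h/72h/one month, GDPR Article 33 72h) are the ones this article quotes, while the P1–P4 thresholds and the "P1/P2 counts as a significant incident" link are illustrative assumptions.

```python
"""Severity matrix plus regulatory notification clock (added example, assumptions marked)."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def classify_severity(data_class: str, affected_users: int, critical_system: bool) -> int:
    """P1-P4 from observable criteria: data type, affected users, system criticality.
    Thresholds are assumptions; a real matrix uses the company's own figures."""
    if critical_system and (data_class == "personal" or affected_users >= 1000):
        return 1  # stop everything, wake everyone up
    if critical_system or data_class == "personal" or affected_users >= 100:
        return 2
    if affected_users > 0 or data_class == "confidential":
        return 3
    return 4


@dataclass(frozen=True)
class Obligation:
    regime: str
    step: str
    due: datetime


def add_one_month(dt: datetime) -> datetime:
    """Same calendar day next month, clamped to month length (31 Jan -> 28 Feb)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def obligations(aware_at: datetime, entity_type: str, severity: int,
                personal_data: bool) -> list[Obligation]:
    """Decision tree: which regimes apply and by when. The clock starts at the moment
    of awareness, not breach discovery, and runs through weekends and holidays."""
    out: list[Obligation] = []
    # Assumption: P1/P2 is treated as a NIS2 "significant incident".
    if entity_type in ("essential", "important") and severity <= 2:
        out += [
            Obligation("NIS2 Art. 23", "early warning", aware_at + timedelta(hours=24)),
            Obligation("NIS2 Art. 23", "incident notification", aware_at + timedelta(hours=72)),
            Obligation("NIS2 Art. 23", "final report", add_one_month(aware_at)),
        ]
    if personal_data:  # GDPR applies to any controller, regardless of NIS2 scope
        out.append(Obligation("GDPR Art. 33", "DPA notification", aware_at + timedelta(hours=72)))
    # DORA adds further timelines for financial entities; the article quotes none,
    # so none are encoded here.
    return sorted(out, key=lambda o: o.due)


def hours_remaining(ob: Obligation, now: datetime) -> float:
    """Hours left on the clock; negative means the deadline has already been missed."""
    return (ob.due - now).total_seconds() / 3600


def friday_scenario() -> tuple[int, list[Obligation]]:
    """Constructed scenario from the article: monitoring flags unusual traffic at 14:00
    on a Friday (15 May 2026) at an essential entity; personal data on a critical system."""
    aware = datetime(2026, 5, 15, 14, 0, tzinfo=timezone.utc)
    sev = classify_severity("personal", 5000, critical_system=True)
    return sev, obligations(aware, "essential", sev, personal_data=True)


if __name__ == "__main__":
    sev, obs = friday_scenario()
    for ob in obs:  # early warning lands on Saturday 14:00, as the article states
        print(f"P{sev} {ob.regime:12} {ob.step:22} due {ob.due:%a %Y-%m-%d %H:%M}")
```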

Section 6 — Technical containment procedures. Pre-authorised actions any on-call engineer can execute without further approval: isolate a host, disable a user account, rotate a credential, block an IP range. The pre-authorisation eliminates the “I need to ask the CTO” delay.

Section 7 — Recovery and validation. Procedures for bringing systems back online safely: clean backup validation, integrity checking, malware scanning, gradual re-introduction with monitoring, rollback procedures if re-infection occurs.

Section 8 — Post-incident review. Defined process for the after-action review: who attends, agenda, deliverables, timeline for updating the plan. Audit-ready documentation.

Why You Cannot Just Download a Template

There are dozens of free IRP templates available from NIST, SANS, ENISA, and CISA. They are excellent starting points and useless as ending points.

A generic template knows nothing about:

- Your tech stack — making containment procedures abstract and untestable
- Your team — making role assignments fictional
- Your regulators — making notification timelines wrong for your jurisdiction
- Your data flows — making severity classification arbitrary
- Your contracts — leaving liability and customer obligations unspecified
- Your insurance — making claim procedures vague

A regulator auditing your NIS2 compliance will read your IRP looking for evidence it was written for *you*, not for a hypothetical company. A template with “[INSERT COMPANY NAME HERE]” still showing in three places is grounds for a finding of non-compliance. The same applies to ISO 27001 surveillance audits, SOC 2 Type II observation windows, and PCI DSS QSA assessments.

Common Mistakes We See in Existing Plans

When we audit existing IRPs, the same errors appear across companies of all sizes:

  • The plan was written by one person and never reviewed. No legal, no comms, no executive sign-off. Half the team has never read it
  • Roles are assigned to job titles that no longer exist. Someone left two years ago. The plan still names them
  • The plan assumes your tools work. No backup procedure for when the SIEM is also encrypted. No alternative if Slack is the attack vector
  • Regulator contacts are wrong. The 2018 GDPR DPA email is in the plan. The NIS2 CSIRT for your country was established in 2024 and is not mentioned
  • The plan has never been tested. Tabletop exercises are the difference between a plan that works and a plan that is theatre
  • Communication templates are written by lawyers for lawyers. Customers receive a 600-word legal notification that explains nothing
  • Ransom decision is unaddressed. When the demand comes, the team spends 18 hours debating whether to pay before realising they need the CFO and the board
  • No integration with the ticketing system. Incidents are tracked in Slack threads and someone’s notebook. Three weeks later the audit asks for the timeline and nobody can reconstruct it

How Optimum Web Builds Your Incident Response Plan

At Optimum Web we have built and maintained Incident Response Plans for companies across the EU since GDPR became enforceable in 2018. Our standard delivery covers six compliance frameworks simultaneously.

  • 25–35 page IRP document tailored to your tech stack, team, regulators, and data flows. Not a template with your logo on it
  • Severity classification matrix (P1–P4) with concrete examples drawn from your business
  • Communication templates for internal, customer, and regulator audiences. Legally reviewed wording, multiple variants per severity, in your primary language plus English
  • Role assignment matrix — incident commander, technical lead, communications lead, legal/DPO lead — with primary and backup for each role
  • NIS2 24-hour and 72-hour notification workflows with the correct CSIRT contact for your jurisdiction
  • GDPR Article 33 DPA notification procedure with the right Data Protection Authority and submission method
  • Integration guidance for your ticketing system (Jira, ServiceNow, Linear), alerting (PagerDuty, OpsGenie), and chat (Slack, Teams)
  • 14-day money-back warranty. If the plan does not pass your auditor’s review, we fix it or refund


The Bottom Line

In 2026, an Incident Response Plan is the single highest-ROI investment in your security programme. It costs less than one developer-week. It saves an average of $2.66 million per breach when tested. It satisfies six compliance frameworks at once. It eliminates regulatory exposure that now reaches €10 million or 2% of global turnover.

Maersk, Norsk Hydro, and Change Healthcare all have one thing in common: none of them wrote their plan the morning of the attack. The ones that did well had a plan beforehand. The ones that did poorly did not.

The cheapest insurance your business can buy is not insurance at all — it is preparation.


Frequently Asked Questions

What is an Incident Response Plan?
An Incident Response Plan is a written document that defines who in your organisation does what when a security incident occurs. It covers the full lifecycle from preparation through detection, containment, eradication, recovery, and post-incident review. It is required for compliance with NIS2, GDPR, ISO 27001, SOC 2, PCI DSS, and DORA.
Is an Incident Response Plan mandatory in the EU?
Yes, for most digital businesses. NIS2 Article 21(2)(b) mandates incident handling for essential and important entities across 18 sectors. GDPR Article 33 requires breach notification procedures for any controller. ISO 27001 Annex A 5.24–5.28 requires it for certification. SOC 2 CC7.3–7.4 requires it for audit. Germany issued its first €850,000 NIS2 fine in February 2026 specifically for the absence of incident response procedures.
What is the cost of not having an Incident Response Plan?
Per IBM’s 2025 Cost of a Data Breach Report, having a tested IRP saves an average of $2.66 million per breach. The global average breach now costs $4.44 million ($10.22 million in the US). Without a plan, you also expose yourself to NIS2 fines of up to €10 million or 2% of global turnover.
How long does it take to create an Incident Response Plan?
A real, tailored, audit-ready plan takes 5–7 business days when delivered by a specialised team. Optimum Web’s fixed-price service delivers in this window. Building one in-house typically takes 6–12 weeks of part-time effort by a senior engineer.
How is an Incident Response Plan different from a Disaster Recovery Plan?
A DR plan focuses on restoring IT systems after a disruption. An IR plan focuses on the full security incident lifecycle, including detection, containment, communication, and regulatory notification. They overlap in the recovery phase but have different scopes. Most companies need both.
How often should an Incident Response Plan be tested?
Annually at minimum. NIS2 Article 21 and DORA Article 11 implicitly require it through their emphasis on operational resilience. ISO 27001 expects annual tabletop evidence. Organisations that test more frequently consistently show lower MTTR and lower breach costs.
Does an Incident Response Plan cover ransomware?
A good one does. Ransomware is one of the top scenarios that should have a dedicated playbook in any modern IRP, covering pre-decided ransom payment policy, communication strategy, technical containment, evidence preservation for law enforcement, and recovery from clean backups.
What if our company has never had a security incident?
That is the ideal time to write the plan — before you need it. Companies that write plans during their first incident make decisions under pressure that they later regret. Norsk Hydro in 2019 recovered with reputation intact specifically because key decisions (no ransom, full transparency) were made before the attack.
Will an Incident Response Plan satisfy our NIS2 obligations?
The plan is necessary but not sufficient. NIS2 Article 21 requires 10 cybersecurity risk management measures; incident handling is one of them. You also need risk analysis, business continuity, supply chain security, vulnerability handling, training, encryption, and others.
Do you provide ongoing incident response services?
Yes. Through Compliance-as-a-Service (€729/month) we maintain the plan, run annual tabletops, handle regulatory notifications, and act as your incident commander during real incidents. An Incident Response Tabletop Exercise (€449) is also available as a standalone service for annual plan testing.


Not sure what you need? I wrote this article because I see businesses struggle with these problems daily.

Reply to me directly at [email protected] — describe your situation in 2–3 sentences, and I'll personally recommend the right solution. No sales pitch, just honest advice.

— Olga Pascal, Business Development at Optimum Web

Cite This Article

APA Format

Optimum Web Security Team. (2026). Why an Incident Response Plan Is the Cheapest Insurance Your Business Will Ever Buy: 2025–2026 Reality Check. Optimum Web. https://www.optimum-web.com/blog/incident-response-plan-2026-guide/
