
NIS2 Directive — Article 20

The Breach

Meridian Energy Group — Monday, 6:00 AM

You are the CISO. The ransomware hit three hours ago. The 24-hour reporting clock is already running. Every decision you make in the next hour will be scrutinised by a regulator, a board chair who faces personal liability, and a criminal group who know exactly what your data is worth.

340,000 records. 24 hours. Your name on the notification.

Your Role

Alex Reeves, CISO

CISO at Meridian Energy Group — a mid-size energy company running critical infrastructure across Germany and the Netherlands. 2,000 employees. 340,000 residential gas customers. NIS2 essential entity. Your name is on every cybersecurity policy the board has approved.

Monday, 6:00 AM. Your phone pulled you out of sleep. Three words from the SOC analyst: “It’s ransomware.” Three production servers. You’re still in your kitchen. The office is 22 minutes away.

Before You Start

How This Works

This is a decision-driven scenario. You face three decisions that real CISOs face in the first hours of a live ransomware incident. There is no safe option. Every choice closes another door. Your decisions shape what happens to your company, your board chair, a 74-year-old customer in Groningen, and you.

The 4 Stakeholder Bars (top right)

Regulator
Operations
Board
Legal

Each bar starts at 50%. Your decisions move them. There is no outcome where everyone is happy. That’s the point.

24-Hour Deadline

NIS2 requires an early warning to the CSIRT within 24 hours of becoming aware of an incident. The clock started at 6:04 AM. It does not stop while you’re thinking.

Legal References

Article references appear in the text — click them to read the exact NIS2 wording. You’ll need to understand these to know whether your choices are defensible.

What You Need to Know

NIS2 Incident Reporting — What the Law Actually Requires

Article 23 — Three-Stage Reporting

24 hrs: Early warning to CSIRT — what you know so far. Incomplete is acceptable. Late is not.
72 hrs: Incident notification — initial severity assessment, scope, and indicators of compromise
1 month: Final report — root cause analysis, full impact assessment, remediation actions taken

Article 20 — Board Accountability

The management body is personally liable for approving and overseeing cybersecurity risk-management. Individual board members can face sanctions. They must be informed immediately — not protected from bad news until you have a clean story.

Enforcement

Essential entities face fines up to €10M or 2% of annual global turnover. The early warning does not require certainty. It requires speed. File what you know. Update as you learn more. The 24-hour clock does not care about your investigation timeline.

06:15 AM Monday — 19 minutes from the office
Meridian SOC — Live Alerts
Monday 06:04:12 UTC
CRITICAL
Ransomware detected — PROD-DB-01, PROD-DB-02, PROD-DB-03
06:02:47 UTC · EDR-FALCON · Auto-quarantine FAILED
CRITICAL
File encryption in progress — .vault extension — 340K customer records at risk
06:03:15 UTC · DLP-SENTINEL · Exfiltration indicators detected
HIGH
Lateral movement attempt — PROD-DB-03 → OT-GATEWAY-01
06:03:58 UTC · NDR-VECTRA · OT network boundary probe
MEDIUM
Anomalous outbound traffic — 2.4GB uploaded to external IP (185.xx.xx.xx)
06:01:22 UTC · FW-PALOALTO · Connection active for 47 minutes

Four alerts in under two minutes. Three production servers encrypted. The lateral movement probe is heading toward OT-GATEWAY-01 — the boundary to the gas distribution control system. If that falls, this stops being a billing problem.
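The alert panel above arrives out of time order, and the Article 23 clock described earlier is anchored to the moment of awareness, so a defender's first two jobs are to put the evidence in sequence and to pin the deadlines to a concrete timestamp. The script below is an added example, not part of the scenario or of any Meridian tooling: it parses the four alerts (re-typed here as constructed pipe-separated records), sorts them, flags any alert that touches the OT boundary, and computes the 24-hour and 72-hour cut-offs from an awareness time. The calendar date (a Monday in March) and the record format are assumptions; the alert times, sources and messages are the ones shown on the page.

```python
"""Triage the scenario's SOC alerts and track the NIS2 Article 23 clock.

Added example; constructed input re-typed from the alert panel in the text.
Record format (an assumption): "HH:MM:SS|SEVERITY|SOURCE|MESSAGE".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed from the four alerts in the SOC panel, in the order the panel shows them.
RAW_ALERTS = """\
06:02:47|CRITICAL|EDR-FALCON|Ransomware detected - PROD-DB-01, PROD-DB-02, PROD-DB-03; Auto-quarantine FAILED
06:03:15|CRITICAL|DLP-SENTINEL|File encryption in progress - .vault extension; Exfiltration indicators detected
06:03:58|HIGH|NDR-VECTRA|Lateral movement attempt - PROD-DB-03 -> OT-GATEWAY-01; OT network boundary probe
06:01:22|MEDIUM|FW-PALOALTO|Anomalous outbound traffic - 2.4GB uploaded to external IP; Connection active for 47 minutes
"""

# The scenario only says "Monday"; the exact date is an assumption (3 March 2025 is a Monday).
INCIDENT_DAY = datetime(2025, 3, 3, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Alert:
    ts: datetime
    severity: str
    source: str
    message: str

    @property
    def touches_ot(self) -> bool:
        # An alert naming the OT gateway or OT boundary turns a billing/data
        # incident into a potential safety incident and must be escalated.
        return "OT-GATEWAY" in self.message or "OT network" in self.message


def parse_alerts(raw: str, day: datetime = INCIDENT_DAY) -> list[Alert]:
    """Parse the constructed records and return them in chronological order."""
    alerts = []
    for line in raw.strip().splitlines():
        hms, sev, src, msg = line.split("|", 3)
        t = datetime.strptime(hms, "%H:%M:%S").time()
        ts = day.replace(hour=t.hour, minute=t.minute, second=t.second)
        alerts.append(Alert(ts, sev, src, msg))
    return sorted(alerts, key=lambda a: a.ts)


def triage(alerts: list[Alert]) -> dict:
    """Summarise what the sorted alerts establish: earliest evidence, OT exposure, sources."""
    return {
        "earliest_alert": alerts[0].ts,
        "ot_boundary_touched": any(a.touches_ot for a in alerts),
        "critical_count": sum(a.severity == "CRITICAL" for a in alerts),
        "sources": sorted({a.source for a in alerts}),
    }


def article23_deadlines(aware_at: datetime) -> dict[str, datetime]:
    """24h early-warning and 72h incident-notification cut-offs from the awareness time.

    The final report is due one month later; the page gives no day count for
    "one month", so that deadline is deliberately not computed here.
    """
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": aware_at + timedelta(hours=72),
    }


def early_warning_status(aware_at: datetime, filed_at: datetime) -> tuple[bool, float]:
    """Return (within_24h_window, hours_elapsed) for an early warning filed at filed_at."""
    elapsed_hours = (filed_at - aware_at).total_seconds() / 3600
    return elapsed_hours <= 24, elapsed_hours


if __name__ == "__main__":
    alerts = parse_alerts(RAW_ALERTS)
    for a in alerts:
        print(f"{a.ts:%H:%M:%S} {a.severity:<8} {a.source:<12} OT={a.touches_ot}")
    print(triage(alerts))
    aware = INCIDENT_DAY.replace(hour=6, minute=4)  # scenario: the clock started at 06:04
    for name, due in article23_deadlines(aware).items():
        print(f"{name}: due {due:%A %H:%M} UTC")
    ok, hrs = early_warning_status(aware, INCIDENT_DAY.replace(hour=14))
    print(f"filed at 14:00 -> within window: {ok}, elapsed {hrs:.1f} h")
```

Note that the earliest evidence (the firewall alert at 06:01:22, with the connection already 47 minutes old) predates the 06:04 awareness time the scenario uses; a conservative tracker records both, because a regulator asking "when did you become aware?" will look at the earliest alert that was available to you, not the one you read first.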

Your SOC analyst is talking fast. Then your phone buzzes. Signal message. Unknown number.

We are inside your network. We have your customer database. 340,000 records. Names. Home addresses. Payment details. Gas consumption history. We have encrypted your billing servers and your operations planning system.

You have 72 hours. Instructions will follow.

— SHADOWVAULT

You’re still in the car. 19 minutes to the office. You read it twice. They’re not bluffing about the OT probe — that detail isn’t in any public filing. They have been inside the network long enough to map it.

Your phone rings. Tomás Vidal, Head of Operations. He’s at the plant. He already sounds like he hasn’t slept.

Tomás Vidal — Head of Operations

“Billing is dead. Totally down. No payments, no invoices. The operations planning system is locked. I have 14 field engineers sitting in their vans right now with no job orders.

“€50,000 an hour. That’s what this is costing. So tell me — when can you get the systems back?”

You “If I wipe those servers before forensics gets in there, we lose the evidence. We’d never know how they got in.”

Tomás “I don’t care how they got in. I care about my engineers. I care about 340,000 customers who can’t see their accounts. Give me systems.”

Tomás “Stefan Brandt — nine years with us — he’s parked in Groningen with a full crew and no job orders. He called me at 6:15. His team handles gas line emergency repairs. If there’s a leak today and we can’t dispatch him — that’s not an IT problem. That’s a safety incident.”

Decision 1 of 3 — Incident Response Priority

Three servers encrypted. 340,000 records on a system you no longer fully control. OT boundary being probed. €50,000 bleeding out every hour. Your SOC team has one set of hands. They can preserve forensic evidence or they can start the restore. Running both at once risks contaminating the evidence trail. You have to choose.

Preserve evidence first, then contain
Forensics images the servers before anyone touches them. Clean evidence. You know the entry point. Operations stays dark for another 4-6 hours. Tomás will hate you for it.
Contain immediately — isolate and restore from backups
Wipe the infected servers, restore from backups. Operations back in 2-3 hours. Tomás gets his engineers back. The forensic evidence is gone. So is any chance of explaining to the regulator how they got in.
Split the team — forensics on server 1, restore 2-3
Half your people on forensics, half on restoration. Neither team has what they need. You get partial evidence and a partial restore. And the attacker may still be watching from somewhere in the network.
You

“Nobody touches those servers until forensics has clean images.”

Tomás “Six hours. You’re asking me to lose €300,000 so your team can photograph a crime scene.”

You “I’m asking you to help me find the door they used. If we don’t, they’ll use it again.”

Forensics finds the entry point in under three hours: a compromised VPN credential from Grenzmann IT Services, a third-party maintenance contractor. The first exploit ran at 02:17 AM, four hours before the SOC caught it. Without the server image, that trail is gone.

At 9:47 AM, Elke Jansen, 74, calls from Groningen. Her direct debit bounced while billing was down. The €35 overdraft fee is hers. She wants to know who pays it.

+3 Regulator | -1 Operations
You

“Wipe and restore. Get operations back.”

Tomás “Finally.”

Billing comes back online at 9:30 AM. Stefan’s crew get their job orders. Elke Jansen’s direct debit still bounces — the system was down when the bank processed her payment. She gets an overdraft fee. Nobody calls her to explain.

Two weeks later, Dr. Petra Lindström at the NCSC-NL asks a single question: “How did the attacker gain initial access to your network?” You have no answer. The evidence was on those servers. You wiped them at 7:12 AM.

-1 Regulator | +2 Operations
Narrator

You split the team. Forensics gets partial images — enough to identify the malware family, not the entry point. Two servers come back online. The third is too corrupted to restore cleanly. It gets quarantined.

Tomás has 60% of operations. You have 40% of the evidence. Both teams are stretched. Stefan Brandt’s crew gets some job orders back at 10:15 AM, but not the emergency repair queue. Nobody is satisfied, and the attacker may still have a foothold somewhere you haven’t looked.

0 Regulator | 0 Operations
Fog of War

Investigate the Breach

You don’t know how they got in, whether data left the network, or what to tell the board. Briefing in two hours.

Pick 3 of 6 lines of investigation. The other three stay dark.

🔍 Check server logs
Pull system and access logs to trace when the attacker moved and how far they reached

📞 Call CloudVault account manager
Servers run on CloudVault. Find out what they know, and what they’re not saying

💾 Verify backup integrity
Confirm backups are clean. After 11 days inside, they may be compromised too

📤 Confirm whether data left the network
Analyse outbound traffic. SHADOWVAULT claims they have the data. Know if it’s true

👥 Assess customer notification obligations
How many records are at risk? What do GDPR and NIS2 require you to tell customers, and when?

🚶 Contact law enforcement
File with the national cyber crime unit. They may have seen SHADOWVAULT before
Helen Marsh
Board Chair — London

Helen Marsh is in London. Right now she is reading email and drinking coffee and has no idea her company is under ransomware attack. Last October, you submitted a recommendation for a full security audit. Helen deferred it — “Q1 budget is tight, let’s revisit in March.” It is March. The audit never happened.

Under Article 23, you must submit an early warning to the CSIRT within 24 hours of becoming aware of the incident. The clock has been running since 6:04 AM.

Under Article 20, Helen carries personal liability for cybersecurity governance. She needs to know. The question is not whether — it is when, and how much you tell her.

Decision 2 of 3 — Board Notification

You don’t have the full picture yet. You don’t know how bad the data exfiltration is. You don’t know the entry point. What you know is this: Helen is personally liable under Article 20, and every hour you don’t tell her is an hour she spends in violation of her own governance obligations — without knowing it.

Call Helen now — full disclosure
Ransomware. Three servers. 340,000 records potentially compromised. 24-hour NIS2 deadline running. She will not enjoy this call. But she will hear it from you, not from a regulator.
Send a controlled email — “cyber incident under investigation”
Technically accurate. No mention of ransomware or customer data. Satisfies the notification requirement on paper. Gives you time to get the full picture before the harder conversation.
Wait until 5 PM — brief with the full picture
By 5 PM you’ll have the forensic data, the exfiltration confirmation, and a clear remediation timeline. One clean briefing. But Helen carries personal liability for 11 hours while knowing nothing.
You (on the phone)

“Helen. Ransomware. Three production servers encrypted. Attackers claim 340,000 customer records. 24-hour NIS2 early warning deadline. You need to know now.”

Helen Four seconds of silence. “What do we know? Not what do we think.”

You “Three servers encrypted. Exfiltration probable, not confirmed. OT probed, not breached. More in three hours.”

Helen “Call me in three hours. What do you need from me now?”

Helen activates the crisis protocol. By 10 AM, Legal, Comms, and the CEO are in the loop. She is not happy, but she is informed. Under Article 20, that is what matters.

+3 Board | +1 Legal
Narrator

7:58 AM email: “Meridian is managing a cyber incident affecting billing systems. The situation is under active investigation. Further update to follow.”

Helen reads it at 8:15 AM. She calls at 8:16.

Helen “‘Cyber incident’ could mean a phishing email or a full system failure. I carry personal liability and you sent me two sentences. What is actually happening?”

You “Ransomware. Three servers. They claim 340,000 records.”

Helen “Ransomware. 340,000 records. And you wrote ‘billing systems.’ If the regulator sees that email, it looks like you hid the severity from me.”

-1 Board | 0 Legal
Helen (5 PM)

“Attack detected at 6:04 AM. It is 5 PM. You knew for eleven hours. I am personally liable under Article 20 and you sent nothing.”

“I deferred your October security audit on budget. When the regulator asks why, and I say I didn’t even know we were under attack until 5 PM the same day, what does that look like?”

-3 Board | -1 Legal
Hour 6 — The Demand

SHADOWVAULT’s full instructions arrive at 12:09 PM:

Payment: €2,000,000 in Bitcoin.
Wallet: bc1q...7f3k
Deadline: 60 hours remaining.

To confirm access, we have attached 500 customer records. Names. Home addresses. Bank details. Verify them.

If payment is not received within 60 hours, the full database of 340,000 records will be published on a public forum.

— SHADOWVAULT

You open the attachment. You verify three records at random against the live database. All three match. Elke Jansen is on page 3. Full name, home address, IBAN, monthly gas consumption since 2019.

The next decision has a time limit. Indecision is a decision.

Decision 3 of 3 — The Ransom

€2 million. 340,000 records. 500 verified as real. 60 hours before they publish. The CSIRT early warning deadline is still running.

Auto-selects “negotiate” if timer expires — indecision is a decision

Refuse and report to law enforcement
No negotiation. File the early warning with the CSIRT. Report to the national cyber crime unit. The data may be published — you cannot control that. Focus on what you can: containment, evidence, customer notification.
Negotiate — buy time while you investigate
Open a channel with SHADOWVAULT. Extend the clock. Use the time to confirm actual exposure before making the call. Risky. You are talking to criminals. And every hour you spend talking is an hour you are not filing with the CSIRT.
Pay the ransom
€2 million. If they keep their word, the database stays private. They probably won’t. And you will have funded a criminal organisation, delayed your regulatory notification to arrange the transfer, and still face an Article 23 breach.
You

“We don’t pay. File the early warning. Get law enforcement on the line.”

Dr. Petra Lindström — NCSC-NL “Mr. Reeves. Thank you for the early warning. You are within the 24-hour window. When can you provide the full incident notification?”

You “Within 72 hours. I can confirm root cause, attack vector, and remediation timeline.”

Petra “Good. And Mr. Reeves — not paying was the right call. We have seen SHADOWVAULT twice before. They sell the data regardless.”

+3 Regulator | +2 Legal
Narrator

You open a channel. Over two hours, SHADOWVAULT confirms they accessed the network via a compromised contractor VPN credential and have been inside for 11 days. They know which backups are clean and which are not.

Genuinely useful intelligence. It shapes your remediation plan. But you spent two hours talking to a criminal organisation instead of filing with the CSIRT.

When you file at 2 PM, Dr. Lindström asks one question: “You became aware at 6:04 AM. It is now 2 PM. What were you doing for eight hours?” The intelligence you gained does not answer that.

0 Regulator | -1 Legal
Narrator

You pay. €2 million transferred. SHADOWVAULT sends the key at 4:47 PM. Servers come back.

Three weeks later, the full database appears on a dark web leak forum. SHADOWVAULT sold it to a second group before taking your money. Elke Jansen’s details are publicly searchable. The payment bought nothing but the illusion of resolution.

Dr. Lindström “You funded a criminal organisation. The data was published anyway. Your notification was delayed six hours while you arranged payment. We are opening a formal investigation.”

-3 Regulator | -2 Legal | -2 Board
Article 23 — NIS2 Incident Notification

Get the Sequence Right

The five stages of NIS2 incident notification are listed below — in the wrong order. Put them in the correct sequence. Step 1 first. Step 5 last.

Click a card to assign it the next step number. Click Reset to start again.

Submit Full Incident Notification
Initial assessment of severity, impact, and indicators of compromise

Submit Early Warning to CSIRT
Initial notification — no root cause required, just flag the incident

Submit Final Report
Root cause analysis, remediation measures taken, and lessons learned

Provide Progress Updates
Ongoing status as requested by the competent authority

Detect and Assess the Incident
SOC alert received — classify severity and determine if NIS2 thresholds are met

After-Action Report

NIS2 Articles in Play

Article 20 — Management body personal liability
Article 21 — Cybersecurity risk management
Article 23 — 24h early warning, 72h notification
Article 34 — Fines up to €10M or 2% turnover

Six Weeks Later

Three decisions. Every one had a cost. The paths you didn’t take are still there.
