20 May 2025

On April 28, 2025, the Spanish power grid went down for more than four hours, even in the best case. The incident affected 59 million people across Spain, Portugal and parts of southern France. It caused losses of close to 1.6 billion euros, a reminder that resilience to a cyberattack is no longer the exclusive concern of the IT department but an imperative that runs through the entire organisation. Although experts attributed the outage to a coordination problem between generation and distribution, public opinion immediately assumed it was a digital attack. This leap, from "technical error" to "deliberate attack", shows two indisputable realities:

  1. Any disruption to critical infrastructure is perceived today as a cybersecurity crisis.
  2. The distance between internal detection and media exposure is measured in minutes; the first version that reaches the public usually becomes the dominant narrative.

To navigate this environment, businesses need a plan that combines technology, law, reputation, and finance. This guide, designed for readers familiar with frameworks such as NIST CSF, ISO 27035 and ISO 22301, compiles the best practices and metrics essential to face a high-impact cyberattack successfully.

Anatomy of a cybersecurity crisis

A crisis is declared when an incident exceeds day-to-day procedures and threatens business continuity. The ISO/IEC 27035-2:2023 standard recommends activating a Cyber Crisis Committee: a command team that isolates affected systems, prioritises the critical assets defined in the Business Impact Analysis and authorises external communications. To decide judiciously, the committee monitors, among other indicators, the Recovery Time Objective (RTO, the tolerable hours of downtime) and the Recovery Point Objective (RPO, the amount of data that can be lost without irreversible damage), in addition to legal and reputational risk.

When sensitive personal data, the interruption of an essential service and the suspicion of a deliberate attack converge, news coverage skyrockets. In 2024, for example, a European rail operator took 48 hours to clarify that a breach affected its signalling system; that silence fuelled rumours of sabotage and led to an 11% fall in its share price, far exceeding the real cost of the incident. Anticipating media pressure and preparing truthful messages is as crucial as containing the technical threat.

Strategic readiness: shielding before a cyberattack

Appoint a Chief Information Security Officer (CISO) with cross-cutting authority, along with a Data Protection Officer (DPO) involved throughout the information lifecycle. Both should report directly to the executive committee to avoid bottlenecks.

Twice a year, scenarios are rehearsed (double-extortion ransomware, a massive cloud data leak, an internal failure) to measure detection, containment and recovery times. These exercises uncover both technical gaps and friction between departments.

Service Level Agreements (SLAs) should set a maximum RTO of four hours and an obligation to report serious incidents in less than two. The cyber insurance policy, for its part, must cover forensic expenses, fines under the General Data Protection Regulation (GDPR) and, where appropriate, ransom payments, with sub-limits and grace periods reviewed.

Detection and analysis: from alert to attribution

The first 24 hours decide the fate of the crisis. Validating the alert means cross-checking it against the records of the SIEM (Security Information and Event Management) platform, the EDR (Endpoint Detection and Response) telemetry and the analysis of network flows. Once the intrusion is confirmed, the damage is sized (compromised surface, leaked data and potential cost using the FAIR model, Factor Analysis of Information Risk) and the attack is preliminarily attributed (cybercrime, hacktivism or nation-state) to anticipate the adversary's next move.
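To make the "potential cost" step concrete, here is an added example (not code from the article) that sizes the loss of one scenario the FAIR way: calibrated frequency and magnitude estimates fed into a seeded Monte Carlo simulation. The `Estimate` class, the scenario figures and the collapsing of FAIR's sub-factors into two three-point estimates are all assumptions of this example.

```python
"""Simplified FAIR-style sizing of potential loss via a seeded Monte Carlo run.
Added example, not from the original article. Full FAIR decomposes Loss Event
Frequency (LEF) and Loss Magnitude (LM) further; here each is a calibrated
three-point estimate and each simulated year draws a Poisson number of events."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point (min, most likely, max) estimate from the crisis committee."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


def poisson(rng: random.Random, rate: float) -> int:
    """Knuth's method; adequate for the small yearly rates typical of LEF."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(lef: Estimate, lm: Estimate,
                         years: int = 10_000, seed: int = 42) -> dict:
    """Return mean, median, 90th percentile and worst simulated yearly loss."""
    rng = random.Random(seed)  # fixed seed keeps the figures reproducible
    def year_loss() -> float:  # number of events, then a magnitude for each
        return sum(lm.sample(rng) for _ in range(poisson(rng, lef.sample(rng))))
    losses = sorted(year_loss() for _ in range(years))
    pct = lambda p: losses[min(len(losses) - 1, int(p * len(losses)))]
    return {"mean": sum(losses) / years, "p50": pct(0.5),
            "p90": pct(0.9), "max": losses[-1]}


# Constructed inputs (illustrative, not figures from the article): 0.1-0.5
# ransomware events per year, most likely 0.2; 0.5-4 million euros each, likely 1.2.
RANSOMWARE_LEF = Estimate(low=0.1, likely=0.2, high=0.5)
RANSOMWARE_LM = Estimate(low=500_000, likely=1_200_000, high=4_000_000)

if __name__ == "__main__":
    for key, value in simulate_annual_loss(RANSOMWARE_LEF, RANSOMWARE_LM).items():
        print(f"{key:>4}: {value:>12,.0f} EUR")
```

Note that the median year is zero while the mean is around half a million euros: the committee should present the tail (p90 and worst case), not just the average, when briefing the board or the insurer.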

If the incident affects essential services or involves sensitive data, the committee immediately notifies the authorities and activates the escalation protocols. At the same time, the legal team preserves evidence and tracks the deadlines imposed by the GDPR and the EU NIS2 Directive.

Containment and eradication: stopping the bleeding

Containing a breach requires balancing speed with preserving forensic integrity. The network is segmented, compromised credentials are revoked and critical patches are applied, while analysts capture forensic images and compute cryptographic hashes that attest to the integrity of the evidence. Documenting each step is the best defence against accusations of negligence.
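The hashing step above, as an added example that is not the article's own code: it builds a manifest of evidence hashes at acquisition and re-verifies the files later, flagging anything modified or missing. The function names, the manifest fields and the sample file are assumptions of this example.

```python
"""Evidence manifest: hash artefacts at acquisition, re-verify before they are used.
Added example, not from the original article; the directory layout and manifest
fields are assumptions, and real custody records carry far more metadata."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream in chunks so multi-gigabyte disk images never load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, case_id: str) -> dict:
    """Record who hashed which artefact and when; this is the custody record."""
    return {
        "case_id": case_id,
        "collector": collector,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "items": {p.name: {"sha256": sha256_file(p), "size": p.stat().st_size}
                  for p in sorted(evidence_dir.iterdir()) if p.is_file()},
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Re-hash every item; maps name -> 'ok', 'modified' or 'missing'."""
    status = {}
    for name, meta in manifest["items"].items():
        path = evidence_dir / name
        if not path.is_file():
            status[name] = "missing"
        else:
            status[name] = "ok" if sha256_file(path) == meta["sha256"] else "modified"
    return status


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample evidence
        workdir = Path(tmp)
        (workdir / "disk01.raw").write_bytes(b"constructed sample image")
        manifest = build_manifest(workdir, "analyst-1", "CASE-ID-PLACEHOLDER")
        (workdir / "disk01.raw").write_bytes(b"tampered")  # simulate alteration
        print(json.dumps(verify_manifest(workdir, manifest), indent=2))
```

Store the manifest on write-once media or sign it separately from the evidence; a hash list that lives next to the images it protects can be altered together with them.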

Recovery: safe return to normal

Before reactivating the systems, the technical teams perform targeted penetration tests, scan for residual indicators of compromise and verify the integrity of the backups. The legal department confirms that the notifications were sent to the Spanish Data Protection Agency within 72 hours (GDPR) and that the NIS2 early warning was sent within 24 hours.

With the systems validated, a brief, fact-checked statement is published that explains what happened, what measures have been taken and how those affected will be assisted. A final report (root cause, costs and improvement plan) is presented to the board, the insurers and, where appropriate, the regulator.

Communication in the midst of crisis

Industry studies indicate that a poor narrative can reduce market capitalization by up to 7% in just two weeks. To avoid this, the strategy rests on four pillars:

  1. Controlled speed: issue a preliminary message in less than two hours.
  2. Consistency: aligning public information with forensic findings.
  3. Empathy: recognizing the impact on customers and partners.
  4. Gradual transparency: updating data as it is confirmed.

Repsol applied this formula in 2024: it issued a statement 90 minutes after the incident, stopped the rumours and maintained its share price, demonstrating that timely information mitigates reputational damage.

Essential regulatory framework

  • GDPR: notification to the Spanish Data Protection Agency within 72 hours and, if there is a high risk, communication to those affected.
  • NIS2 Directive: early warning within 24 hours; complete report within 72 hours.
  • Law 8/2011 (PIC, critical infrastructure protection): immediate coordination with the National Center for the Protection of Infrastructures and Cybersecurity (CNPIC).
  • Law 43/2010: specific obligations for trust service providers.

In addition, contractual clauses, especially in the financial sector supervised by the European Banking Authority (EBA), can impose even stricter deadlines.

Cyber insurance: your financial safety net

Current policies cover first-party losses (loss of earnings, investigation and restoration expenses) and third-party claims, including administrative fines where the law permits. Review the sub-limits for ransomware, the "cyber warfare" exclusions, and whether breach-coach and crisis-communication services are included. A Spanish SME with a turnover of 20 million euros will pay between €5,000 and €9,000 for the policy; the figure can be reduced by up to 30% with ISO 27001 certification and annual pentesting.

The cybersecurity crisis has ceased to be a marginal risk: today it determines the financial health and reputation of any organization. Only companies that combine rigorous preparedness, coordinated response, and continuous learning transform an incident into an opportunity to bolster the trust of customers, regulators, and investors.
