01
INCIDENT REPORT
We prepare all required reports (early warnings, detailed reports, final analysis) in the correct format and on time, for both NIS2 and DORA obligations.
Incident
reporting.
Are you subject to European cyber incident reporting obligations?
If your company operates in a critical sector: energy, transport, healthcare, digital infrastructure, IT services, or financial services, EU law requires you to act fast and report to authorities when a cyber attack hits. Missing these deadlines can result in heavy fines and personal liability for your management.
Our process
How we prepare your incident report
We help you document the incident, prepare the required reports and coordinate the communication needed for regulatory, client and stakeholder notifications.
02
REGULATORY COMMUNICATION
We handle or support communication with national CSIRTs, financial regulators (EBA, EIOPA, ESMA), and other competent authorities.
03
CLIENT & STAKEHOLDER NOTIFICATIONS
We draft clear, compliant notifications to your affected customers and business partners.
04
POST-INCIDENT ADVISING
We guide your team through root cause documentation, remediation planning, and lessons-learned processes that satisfy regulatory requirements.
Resolved cases
Some of the cases we helped resolve
Crypto source of funds cases require more than transaction exports. These examples show how we reconstruct complex trading histories, compare reported claims with on-chain evidence, and prepare documentation that can be reviewed by banks, law firms and tax authorities.
Law enforcement assistance in a connected crypto investigation
Case overview
A law enforcement agency from an Asian country contacted us in relation to one of their ongoing investigations.
Situation
During their investigation, they identified a wallet address that had already been flagged by us in one of the investigative tools we use. They were looking for any information connected to that address and to the case we were working on.
Our work
Together, we connected both cases and established that they shared the same perpetrator.
Outcome
The joint investigation was successful. The perpetrator was identified and criminal charges were filed.
Multi-chain wallet analysis for an anti-corruption investigation
Case overview
We were contacted by an anti-corruption agency in relation to an ongoing investigation of an individual holding a public function in their country.
Situation
The only information disclosed to us consisted of several wallet addresses across multiple blockchains.
Our work
We were tasked with producing a report covering incoming and outgoing transactions related to the disclosed wallet addresses, identifying service accounts such as exchanges, merchant services and crypto ATMs, and tracing the funds to their final destinations.
Outcome
The final report provided a structured overview of the wallet activity, identified relevant services and documented the movement of funds across multiple blockchains.
FAQ
Frequently asked questions about cyber incident reporting
Q
What is cyber incident reporting?
Cyber incident reporting is the process of documenting and notifying the relevant authorities, regulators, clients or stakeholders after a cybersecurity incident. It can include early warnings, formal incident reports, final reports, customer notifications and post-incident documentation.
Q
When does a company need to report a cyber incident?
A company may need to report a cyber incident when the incident affects network security, business continuity, customer data, critical operations, digital services, financial services or regulated infrastructure. Reporting obligations depend on the company’s sector, jurisdiction, role and the impact of the incident.
Q
What are NIS2 incident reporting obligations?
NIS2 requires certain essential and important entities in the EU to report significant cybersecurity incidents to competent authorities or CSIRTs within defined timelines. Depending on the incident, this may include an early warning, incident notification, intermediate updates and a final report.
Q
What are DORA incident reporting obligations?
DORA applies to financial entities and certain ICT third-party service providers in the EU financial sector. It requires regulated organisations to classify, document and report major ICT-related incidents to the relevant financial authorities, including details on impact, timeline, affected systems and remediation.
Q
What should we do first after a cyberattack?
Preserve evidence, document the incident timeline and avoid deleting logs, attacker messages, wallet addresses, transaction IDs, emails, screenshots or system records. The first step is to understand what happened, what was affected and which reporting deadlines may apply.
Q
What information is needed to prepare an incident report?
Useful information includes the date and time of detection, affected systems, suspected attack vector, internal logs, attacker communications, wallet addresses or transaction IDs if crypto is involved, business impact, affected clients, mitigation steps and contact details for the response team.
Q
Can Bloctopus Intelligence prepare reports for CSIRTs, regulators and authorities?
Yes. Bloctopus Intelligence can help prepare structured incident reports for national CSIRTs, competent authorities, financial regulators, law enforcement or other reviewing bodies. The report can organise technical facts, blockchain intelligence where relevant, timelines, impact assessment, evidence and remediation steps.
Q
Does incident reporting include crypto transaction tracing?
It can. If the incident involves crypto payments, stolen digital assets, ransomware wallets, exchange accounts or blockchain transactions, incident reporting may need to include crypto asset tracing. Bloctopus can map wallet addresses, transaction flows and exchange touchpoints to support a forensic incident report.
Q
Can incident reporting help after a ransomware attack?
Yes. After a ransomware attack, incident reporting can help document the ransom demand, affected systems, attacker communications, crypto wallet addresses, payment flows, operational impact and remediation steps. This information may be needed for regulators, insurers, law enforcement, legal counsel and management.
Q
Do you guarantee that a report will satisfy the regulator?
No. No external provider can guarantee acceptance by a regulator, CSIRT, authority, insurer or court. The purpose of the report is to present the available facts, evidence, timeline, impact and remediation steps in a structured and evidence-based way. Final assessment depends on the relevant authority, applicable framework and facts of the incident.
How we approach your case