---
title: "NIS2 Response: Containment & Eradication"
description: "NIS2 Response controls (RS): containment and eradication procedures. How to implement incident response measures that meet baseline compliance requirements."
canonical: https://www.aegister.com/en/cms/insights/nis2-response-rs-containment-eradication/
url: /en/cms/insights/nis2-response-rs-containment-eradication/
lang: en
---


# NIS2 Response Controls (RS): Containment and Eradication in Incident Handling


February 06, 2026


In the NIS incident-response lifecycle, containment and eradication are the execution steps that limit damage and remove attacker persistence. Operationally, teams need pre-defined strategies, controlled tradeoffs, and evidence-driven verification to avoid service disruption or incomplete remediation.

Sources: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt), [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

## Key takeaways

- Containment and eradication are not one-off actions; they are iterative response activities.
- Containment choices must balance evidence preservation, service continuity, and risk reduction.
- Eradication should remove root compromise conditions and verify residual risk before closure.
- Both phases require documented objectives, actions, rationale, and effectiveness checks.

Sources: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt)

## Containment and eradication operating sequence

### 1. Define containment strategy

Select containment actions based on incident severity, business impact, evidence-preservation needs, and operational dependencies.

### 2. Execute and track containment actions

Apply technical and procedural controls (for example, isolation, account controls, segmentation, or temporary restrictions), and document the decisions taken and their impacts.

### 3. Verify containment effectiveness

Check whether compromise indicators persist; if they do, return to investigation and refine containment.

### 4. Plan eradication actions

Define actions to remove malicious artifacts, persistence mechanisms, and exposed weaknesses, with clear ownership and sequencing.

### 5. Validate eradication and transition

Confirm that eradication goals are met and that outputs are ready for downstream recovery and governance reporting.

Sources: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt), [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

## Minimum evidence set for containment/eradication

| RS phase | Practical objective | Typical evidence |
| --- | --- | --- |
| Containment strategy | Risk-informed and traceable action selection | Containment plan, decision rationale, impact notes |
| Containment execution | Controlled action rollout | Action log, change records, timeline updates |
| Effectiveness checks | Residual-compromise validation | Verification checklist, indicator review results |
| Eradication planning | Complete removal strategy | Eradication plan, owner assignments, dependencies |
| Eradication closure | Verified completion and handoff readiness | Closure criteria record, residual-risk note, handoff package |

Sources: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt)

## 90-day execution checklist

1. Define containment decision criteria with legal, operations, and cyber stakeholders.
2. Standardize containment action templates with mandatory rationale and impact fields.
3. Establish objective effectiveness checks before moving to eradication closure.
4. Create eradication play patterns for recurring attack scenarios.
5. Require a formal handoff package from eradication to recovery and post-incident review.

## FAQ

### Can containment and eradication be executed only once per incident?

Not always. Guidance indicates iterative loops may be required when new evidence or residual compromise emerges. Source: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt)

### What should be documented for containment decisions?

At minimum: objectives, selected actions, rationale, expected impact, and criteria used to evaluate effectiveness. Source: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt)

### How is eradication considered complete?

When planned eradication actions are verified, residual compromise is not detected, and records are ready for recovery and governance follow-up. Source: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt)

## Related reading

- [NIS2 baseline obligations in practice: master overview for governance, controls, and incident operations](/en/cms/insights/nis2-baseline-obligations-master-overview/)
- [NIS2 Response Controls (RS): Signaling and Investigation Operating Model](/en/cms/insights/nis2-response-rs-signaling-investigation/)
- [NIS2 crisis management plan: practical guide for an approvable ID.IM-04 document](/en/cms/insights/nis2-crisis-management-plan-id-im-04/)
- [Aegister NIS2 Compliance Service](/en/solutions/compliance/nis2/)

## Official sources

- [ACN - Incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt)
- [ACN - Baseline obligations determination and annexes](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

