---
title: "NIS2 Response: Signaling & Investigation"
description: "NIS2 Response controls (RS): signaling and investigation operating model. How to detect, escalate, and investigate security events for compliance."
canonical: https://www.aegister.com/en/cms/insights/nis2-response-rs-signaling-investigation/
url: /en/cms/insights/nis2-response-rs-signaling-investigation/
lang: en
---

![](/static/images/header-contact.webp)

# NIS2 Response Controls (RS): Signaling and Investigation Operating Model

---

![NIS2 Response Controls (RS): Signaling and Investigation Operating Model](/static/images/cms/nis2-requisiti-di-base.webp)

## NIS2 Response Controls (RS): Signaling and Investigation Operating Model

February 05, 2026

[NIS2](/en/cms/keyword/nis2/)
[ACN](/en/cms/keyword/acn/)
[compliance](/en/cms/keyword/compliance/)
[incident response](/en/cms/keyword/incident-response/)
+9

Within the NIS baseline framework, the Response domain (RS) requires entities to execute incident response through structured sub-phases, including signaling and investigation. Operationally, this means teams must classify events, escalate appropriately, preserve evidence, and maintain a consistent flow toward decision and notification points.

Sources: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt), [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

## Key takeaways

- Response should be run through documented phases, not ad hoc actions.
- Signaling and investigation are iterative and may loop as new evidence emerges.
- Roles and contacts for escalation and external interfaces must be pre-assigned.
- Investigation quality depends on evidence integrity, event correlation, and timeline reconstruction.

Sources: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt)

## Signaling and investigation sequence

### 1. Event signaling and escalation

Teams should signal relevant events rapidly through predefined channels, with clear thresholds for escalation and decision ownership.

### 2. Initial response coordination (RS.MA)

The incident-response plan should activate procedures, responsibilities, and communication flows for management, technical teams, and external stakeholders.

### 3. Investigation workflow

Investigation should collect forensic evidence, correlate logs and artifacts, and build an evolving timeline of attacker actions and service impact.

### 4. Iterative decision loop

As investigation findings evolve, teams may return to signaling/escalation steps, refine incident qualification, and update response priorities.

### 5. Preparation for notification and containment handoff

Signaling and investigation outputs should be structured so they can support notification obligations and downstream containment/eradication actions.

Sources: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt), [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

## Minimum evidence set for RS signaling/investigation

| RS area | Practical objective | Typical evidence |
| --- | --- | --- |
| Signaling governance | Fast and repeatable event escalation | Signaling SOP, escalation matrix, contact list |
| Response activation | Coordinated incident-response execution | Incident playbook, activation records |
| Investigation integrity | Reliable technical and forensic analysis | Evidence log, chain-of-custody records, analysis notes |
| Timeline reconstruction | Coherent sequence of incident evolution | Event timeline, correlated log artifacts |
| Decision traceability | Documented response decisions and updates | Decision register, incident status reports |

Sources: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt)

## 90-day execution checklist

1. Validate signaling thresholds and escalation ownership across cyber, operations, and legal teams.
2. Test response-plan activation in a scenario with partial information and evolving evidence.
3. Standardize investigation templates for evidence capture, correlation, and timeline building.
4. Define criteria for when signaling returns to deeper investigation before new response actions.
5. Ensure incident records can support both governance review and external reporting when required.

## FAQ

### Are signaling and investigation linear steps?

No. Guidance indicates response sub-phases can be iterative as new evidence changes incident understanding. Source: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt)

### What is the minimum requirement for investigation evidence?

At minimum, organizations should preserve and document relevant evidence, correlation logic, and timeline updates supporting response decisions. Source: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt)

### How does this phase connect to notification?

Signaling and investigation provide the factual basis used to determine whether notification obligations apply and what information is reported. Sources: [ACN incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt), [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

## Related reading

- [NIS2 baseline obligations in practice: master overview for governance, controls, and incident operations](/en/cms/insights/nis2-baseline-obligations-master-overview/)
- [NIS2 Article 25 in Practice: Incident Notification Obligations and Operating Timeline](/en/cms/insights/nis2-article-25-incident-notification/)
- [NIS2 Response Controls (RS): Containment and Eradication in Incident Handling](/en/cms/insights/nis2-response-rs-containment-eradication/)
- [Aegister NIS2 Compliance Service](/en/solutions/compliance/nis2/)

## Official sources

- [ACN - Incident management guidance](https://www.acn.gov.it/portale/documents/d/guest/acn_linee_guida_csirt)
- [ACN - Baseline obligations determination and annexes](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

Share this post

## Related News

[![NIS2 Response Controls (RS): Containment and Eradication in Incident Handling](/static/images/cms/nis2-requisiti-di-base.webp)](/en/cms/insights/nis2-response-rs-containment-eradication/)

[NIS2 Response Controls (RS): Containment and Eradication in Incident Handling](/en/cms/insights/nis2-response-rs-containment-eradication/)

[Containment and eradication are iterative response steps that limit damage and remove attacker persistence. Practical guide to strategy selection, evidence-driven verification, and handoff to recovery.](/en/cms/insights/nis2-response-rs-containment-eradication/)

[NIS2](/en/cms/keyword/nis2/)
[ACN](/en/cms/keyword/acn/)
+10

[![NIS2 Detection Controls (DE): Event Monitoring and Adversarial Signal Handling](/static/images/cms/nis2-requisiti-di-base.webp)](/en/cms/insights/nis2-detection-de-event-monitoring/)

[NIS2 Detection Controls (DE): Event Monitoring and Adversarial Signal Handling](/en/cms/insights/nis2-detection-de-event-monitoring/)

[The NIS2 Detection (DE) domain requires monitoring networks, services, and endpoints to identify adverse events early. Practical guide to log readiness, detection logic, triage, and incident handoff.](/en/cms/insights/nis2-detection-de-event-monitoring/)

[NIS2](/en/cms/keyword/nis2/)
[ACN](/en/cms/keyword/acn/)
+11

[![NIS2 Point of Contact and CSIRT Contact Role: Accountability and Operating Duties](/static/images/cms/nis2-requisiti-di-base.webp)](/en/cms/insights/nis2-point-of-contact-csirt-role-accountability/)

[NIS2 Point of Contact and CSIRT Contact Role: Accountability and Operating Duties](/en/cms/insights/nis2-point-of-contact-csirt-role-accountability/)

[NIS2 implementation guidance distinguishes the legal Point of Contact from the operational CSIRT contact role. Practical guide to role formalization, substitute model, competence mapping, and audit-ready evidence.](/en/cms/insights/nis2-point-of-contact-csirt-role-accountability/)

[NIS2](/en/cms/keyword/nis2/)
[ACN](/en/cms/keyword/acn/)
+10

### NIS 2 Compliance with Aegister

Complete solutions for NIS 2 Directive compliance: expert consulting, implementation and ongoing support.

[Discover](/en/solutions/compliance/nis2/)