Crisis Communication

The strategic process of managing communication during a crisis to ensure accurate, timely, and consistent information is provided to stakeholders and the public.

Crisis communication is the structured, pre-planned practice of managing internal and external messaging during a disruptive event — cyber incident, data breach, regulatory action, product failure, reputational attack, or operational outage. In 2026 it is no longer a 'nice-to-have' for large enterprises: under NIS2, DORA, GDPR and most sector-specific regulations, crisis communication obligations are explicit and enforceable.

Regulatory drivers in Europe: (1) GDPR Art. 34 requires communicating high-risk personal data breaches to affected data subjects 'without undue delay'. (2) NIS2 Art. 23 requires communication to service recipients that might be affected by significant incidents — in parallel with the BSI notification. (3) DORA Art. 17-19 extends incident notification to BaFin and, in some cases, affected clients. (4) Sector rules (banking secrecy, medical confidentiality, critical infrastructure protection) add further requirements with different triggers.

Crisis communication spans four audiences with different information needs: (a) Internal — employees, who need timely, honest updates to avoid rumor and protect morale. (b) Regulators — who require specific facts, timestamps, classifications, and remediation plans in specific formats. (c) Customers/users — who need plain-language explanations of impact and actions they should take. (d) Media and public — who shape the broader narrative and reputational impact.

Key components of a mature crisis communication program: pre-approved holding statements for common incident types, named spokesperson with authority to speak on behalf of the organization, out-of-band communication channels (in case the primary channels are compromised by the incident itself), legal review workflow embedded in message approval, pre-built distribution lists (regulator contacts, customer segments, press), coordination with incident response and crisis management teams, and post-incident review to improve.

Common failures during real incidents: silence in the first hours creates space for speculation and rumor; overly technical or legalistic language alienates non-expert audiences; inconsistent messaging across channels (different facts in the press release, customer email, and internal memo) destroys trust; waiting until 'we have all the facts' usually means missing the first 24-hour window when coverage determines the public narrative. The general rule: communicate early, clearly, and only on confirmed facts — update as the investigation progresses.

Integration with the overall crisis management structure: crisis communication sits inside a broader Business Continuity Management (BCM) and Incident Response (IR) program. It has cross-dependencies with cyber incident response (especially during ransomware), legal counsel (privilege and liability management), human resources (employee messaging), and corporate security (physical safety communications).

Matproof integrates crisis communication templates and workflows into its NIS2, DORA, and GDPR modules: pre-approved holding statements, incident-specific templates (data breach, cyber incident, outage), BaFin and BSI notification form auto-population from incident metadata, approval workflows aligned with each regulation's timelines (GDPR 72h, NIS2 24h/72h/1 month, DORA tiered), and a single audit trail linking communications to the underlying incident record.
