1. Company Context: Name, jurisdiction, rail types
2. Severity Classification: P1–P4 with decision tree
3. Role Assignment: Incident command matrix
4. Regulatory Timelines: Live countdown timers
5. Communication Templates: Regulator, board, customer
6. Tabletop Exercise: Randomized drill scenarios
P1 (Critical): Complete rail outage · Confirmed data breach >10K records · Total settlement failure
P2 (High): Partial rail degradation · APP fraud spike >$500K/hr · Suspected breach
P3 (Medium): Third-party API degradation · Compliance rule violation detected
P4 (Low): Minor performance issue · Non-critical system alert
Enter names or leave as generic titles. These are stored only in your browser during this session.
Incident Commander
Technical Lead
Comms Lead
Legal / Compliance
Executive Sponsor
Regulator Liaison
PSD2 / EBA Payment Incident Reporting
Initial notification is due within 4 hours of classifying the incident as major, followed by intermediate and final reports per the EBA timetable. PSD3 is in the legislative process as of early 2026 and not yet enforceable; this runbook uses PSD2/EBA Guidelines (currently in force).
NYDFS Part 500 applies to NY-licensed financial services companies. The 72-hour clock and notification recipients differ from GDPR — do not conflate these obligations.
Auto-generated templates based on your configuration. Copy into your incident management tool.
Randomized drill scenarios for quarterly tabletop exercises. Seeded by date for reproducibility.
Live Runbook Preview
Updates as you complete each step. Export from Step 6.