Compliance Timers
Track regulatory notification deadlines with countdown timers that help ensure timely compliance with breach notification requirements.
Overview
Many regulations require organizations to notify authorities or affected individuals within specific timeframes after discovering a security incident. DFIRe helps you track these deadlines with compliance timers.
Compliance timers are available on incident cases and appear in two places:
- Case sidebar - Active timers are displayed with progress bars, sorted by urgency
- Compliance tab - Full timer management with start, complete, and reset actions
Preconfigured Timers
DFIRe includes timers for common regulatory frameworks:
| Framework | Timer | Deadline | Authority |
|---|---|---|---|
| GDPR (EU) | Data Protection Authority Notification | 72 hours | Local DPA (e.g., CNIL, ICO, DPC) |
| NIS 2 (EU) | Early Warning Report | 24 hours | CSIRT / Competent National Authority |
| NIS 2 (EU) | Incident Notification | 72 hours | CSIRT / Competent National Authority |
| DORA (EU Finance) | Major ICT-Related Incident Report | 24 hours | Competent Authority (e.g., Central Bank) |
| SEC (US Public) | Form 8-K Filing (Materiality) | 4 business days | SEC (EDGAR System) |
| CIRCIA (US Critical Infra) | Covered Cyber Incident Report | 72 hours | CISA |
| CIRCIA (US Critical Infra) | Ransom Payment Report | 24 hours | CISA |
| NYDFS 500 (US Finance) | Cybersecurity Event Notice | 72 hours | Superintendent of Financial Services |
| HIPAA (US Health) | Breach Notification | 60 days | HHS Secretary & Affected Individuals |
| PCI DSS (Global) | Account Data Compromise | 24 hours | Payment Brand (Visa/MC) & Acquirer |
Each timer includes trigger guidance explaining when the timer should be started, and a reference URL linking to the relevant regulation.
Using Timers
Starting a Timer
To start a compliance timer on an incident case:
-
Navigate to the Compliance tab
Open the incident case and select the Compliance tab.
-
Select a timer template
Available timer templates are listed with their framework, deadline duration, and trigger guidance. Click on a timer to expand and see details.
-
Click "Start Timer"
The timer begins counting down immediately from the current time. The deadline is calculated based on the timer's configured duration.
Tip: Carefully review the trigger guidance before starting a timer. The guidance explains the conditions that trigger the notification requirement, helping you determine the correct moment to start the countdown.
Timer States
Active timers progress through the following states:
- In Progress - Timer is running with time remaining
- Warning - Less than 25% of the time remains
- BREACHED - The deadline has passed without completion
- Completed - The notification was made and the timer was marked complete
Completing a Timer
When you've made the required notification, click Mark Complete on the timer. The timer records who completed it and when.
Note: DFIRe does not automatically collect completion details. To document how the notification was made (method, recipient, confirmation), add a timeline event or case note manually. This provides an audit trail of your compliance actions.
Resetting a Timer
If a timer was started in error, click Reset to restart the countdown from the current time. This does not delete the timer—it restarts the clock.
Sidebar Display
For incident cases with active timers, a Compliance Timers section appears in the case sidebar. This provides at-a-glance visibility of timer status without leaving the current view.
The sidebar shows:
- Count of active (non-completed) timers
- Mini progress bars for up to three timers, sorted by urgency
- Time remaining for each timer
- Visual warning if any timer is breached (red highlight with pulse effect)
Click the sidebar section to navigate directly to the Compliance tab.
Notifications via Webhooks
DFIRe does not include built-in email notifications for compliance timers. Instead, use outgoing webhooks to notify stakeholders when timers reach critical thresholds.
Available webhook trigger events for compliance timers:
| Event | Description |
|---|---|
| Timer at 50% (Half Time Warning) | Timer has reached 50% elapsed time |
| Timer at 25% (Quarter Time Warning) | Timer has reached 75% elapsed (25% remaining) |
| Timer at 10% (Critical Warning) | Timer has reached 90% elapsed (10% remaining) |
| Timer Breached (Deadline Passed) | Timer deadline has passed without completion |
Webhook payloads include timer details such as name, framework, deadline, and time remaining. See Webhook Payload Templates for the full list of available TIMER.* variables.
Example: Pushover Alert at 50%
Create a webhook to send a push notification when any timer reaches 50%:
- Trigger event: Timer at 50% (Half Time Warning)
- Endpoint: Pushover, PagerDuty, Slack, or your alerting system
- Payload template using
{{timer.name}},{{timer.time_remaining_seconds}}, and{{meta.case_url}}
Custom Timer Templates
Create organization-specific timers for internal policies or regulations not included in the defaults.
Creating a Timer Template
- Go to Settings > Workflow > Compliance Timers
- Click "Add Compliance Timer"
-
Configure the timer
- Timer ID: Unique identifier (e.g.,
timer_internal_legal). Cannot be changed after creation. - Framework: Regulation or policy name (e.g., "Internal Policy")
- Timer Name: Descriptive name shown to users
- Duration (Hours): Time until deadline
- Business days only: Check if weekends/holidays should be excluded
- Authority Name: Who must be notified
- Trigger Guidance: When this timer should be started
- Reference URL: Link to policy or regulation documentation
- Timer ID: Unique identifier (e.g.,
-
Save the timer
The timer is immediately available to add to incident cases.
Examples of custom timers:
- "Notify Legal" - 4 hours - Internal escalation requirement
- "Executive Briefing" - 24 hours - Management notification
- "Insurance Carrier" - 48 hours - Cyber insurance notification clause
- "Customer Notification" - 7 days - Contractual SLA requirement
Editing and Deleting Timers
Timer templates can be edited or deleted from Settings > Workflow > Compliance Timers. Deleting a template does not affect timers already active on cases—they continue running with their original settings.
Best Practices
When to Start Timers
- Read the trigger guidance - Each timer includes guidance on when the clock should start
- Document your reasoning - Add a timeline event explaining why you started the timer at this moment
- Start conservatively - If uncertain, start the timer earlier rather than later
Documenting Compliance
- Add timeline events for key compliance milestones (notification sent, confirmation received)
- Attach documentation such as notification emails, portal screenshots, or confirmation receipts
- Record contact details in case notes (who was notified, via what channel)
Multiple Timers
A single incident may trigger multiple notification requirements. For example, a data breach affecting EU citizens and US healthcare data might require:
- GDPR DPA notification (72 hours)
- HIPAA breach notification (60 days)
- Internal legal notification (4 hours)
Start all applicable timers to track each requirement independently.