The organization informs the authority defined in the legislation (CSIRT / National CERT / Office) without delay about cybersecurity incidents that have significantly affected the provision of its services or the state’s cyberspace.
A cybersecurity incident is significant when at least one of the following occurs:
- the incident may cause serious disruption in the operation of services or serious financial losses for the service provider
- the incident may cause significant material or immaterial damage to related people or other organizations
Notifications are made in stages, as described below. In addition, while the incident is ongoing, the organization must deliver the status updates requested by the authority.
Initial notification (without undue delay, no later than 72 hours after discovering the incident; 24 hours for regulated trust service providers under EU law)
- previous information is updated
- an initial assessment of the incident, its severity and effects is provided
- the impact of the incident and any known indicators of compromise are stated
Progress report (at the request of the Office or the National CERT)
- material changes in the status of handling the incident are described
- updates on mitigation and recovery efforts are provided
Final report (no later than 30 days from the initial notification)
- a detailed description of the incident, including its severity and effects
- the type of threat or root cause that likely triggered the incident
- the evidence gathered during the investigation
- applied and ongoing mitigation measures
- potential impact on other countries
If the incident is still ongoing after 30 days, a progress report is submitted instead. The final report must then be provided no later than 30 days after the resolution of the incident.