The organization informs the Competent Authority (Úřad) without delay about cybersecurity incidents affecting the provision of its regulated services, have their origin in cyberspace, and for which intentional fault cannot be ruled out within the defined reporting period.
A disturbance is significant when at least one of the following occurs:
- disruption may cause serious breaks in the operation of services or serious financial losses for the service provider
- intentional fault in the initial reporting timeframe cannot be excluded.
Notifications are to be done step by step according to the descriptions below. While the disturbance is ongoing, the organization must deliver the status updates requested by the Authority.
Early Warning (at the latest within 24 hours of detecting the disturbance)
- Is the cause suspected to be illegal activities?
- Can the disturbance have effects on other countries?
- Note: This initial report establishes that intentional fault is a possibility.
More detailed notification of disruption (at the latest within 72 hours of the disturbance detection)
- Previous information is updated.
- The current assessment of the disturbance, its severity, and effects is given.
- Possible evidence of the leakage is listed.
- The latest assessment regarding the origin of the disturbance (i.e., whether intentional fault is still suspected) is provided.
Final report (at the latest within 1 month of the incident report):
- A detailed description of the incident, including its severity and effects.
- Type of threat or root cause that likely triggered the event.
- Applied and ongoing mitigation measures.
- Potential impact on other countries.
- Confirmation of the final root cause and accountability (e.g., confirming intentional fault or ruling it out).
