In the event of significant security incidents, a strict reporting obligation applies — with tight deadlines. The clock starts from the moment your organisation becomes aware of the incident.
When Is an Incident “Significant”?
An incident is considered significant if it significantly disrupts or could significantly disrupt the operation of your services, or significantly affects other entities or individuals (financially or otherwise).
The Three Reporting Stages
| Deadline | Report Type | Content |
|---|---|---|
| 24 hours | Early Warning | Nature of incident; whether cyberattack suspected; initial impact assessment |
| 72 hours | Initial Report | More detailed assessment; affected systems; indicators of compromise if applicable |
| 1 month | Final Report | Full analysis; root cause; measures taken; cross-border impact |
Where to Report?
To your national CSIRT (Computer Security Incident Response Team) or competent authority. ENISA maintains a directory of national CSIRTs.
Preparation Is Key
- Who reports? (Designate a responsible person)
- How do I reach the national CSIRT? (Have contact details ready)
- Template for the 24h early warning? (Keep a template prepared)