1. When is there a significant cyber security incident?
When assessing whether a disruption has a significant impact and therefore constitutes a security incident, the number of users affected, the duration of the disruption, the geographical spread of the disruption and the impact on economic or social activities must be taken into account.

2. When is an early warning necessary?
24 hours after becoming aware of the significant cyber security incident.

3. When is an incident notification required?
Immediately, but in any case within 72 hours of becoming aware of the significant cyber security incident.

4. When is an intermediate report required?
At the request of a CSIRT (Computer Security Incident Response Team) or, if applicable, the cyber security authority.

5. When is a final report required?
No later than one month after submission of the cyber security incident report.

6. When is a progress report required?
In the event of an ongoing cybersecurity incident at the time of submission of the final report, the entities concerned shall submit a progress report at that time and a final report within one month of the cybersecurity incident being dealt with.

7. When is a recall required?
If the suspicion from the early warning is NOT confirmed and/or the conditions for a significant cyber security incident are NOT met.

8. What are indicators of compromise (IOC)?
An Indicator of Compromise (IOC) is evidence that someone may have breached an organization's network or endpoint. This data not only indicates a potential threat, but also signals that an attack has already taken place, e.g. through malware, compromised credentials or data exfiltration.
Examples would be: Anomalies in network traffic, unusual login attempts, changes to system configurations or unexpected software installations or updates.

9. Contact
For technical questions: nis-reports@cert.at
For official/regulatory questions: post@nis.gv.at