Notification of Users Regarding Significant Incidents or Threats
Key and important entities are required to notify the recipients of their services of significant incidents or serious cyber threats that could potentially affect them.
Key and important entities must, without delay and no later than 72 hours from becoming aware of a significant incident, inform the recipients of their services potentially affected by the incident in a clear and verifiable manner.
A notification of a significant incident must include the following information:
In the event of a serious cyber threat, key and important entities are obliged to inform the recipients of their services potentially affected by the threat of all possible protective measures or legal remedies they may employ to prevent or compensate for any resulting damage. Where necessary, the recipients should also be informed about the serious cyber threat itself.
The procedure for notifying service recipients about serious cyber threats shall follow the same process as the notification of recipients regarding significant incidents.
Taking all of the above into account, these guidelines define the procedure for notifying service recipients of significant incidents or serious cyber threats.
Key and important entities must publish notifications of significant incidents or serious cyber threats on their official website and, where necessary, via at least one of the following channels:
Key and important entities must, without delay and no later than 72 hours from becoming aware of a significant incident, inform the recipients of their services potentially affected by the incident in a clear and verifiable manner.
A notification of a significant incident must include the following information:
- The type of incident and a brief description
- The cause of the incident
- The potential impact of the incident on the service
- Contact details of the entity
- Instructions for service recipients on how to mitigate the impact of the incident and compensate for any resulting damage.
In the event of a serious cyber threat, key and important entities are obliged to inform the recipients of their services potentially affected by the threat of all possible protective measures or legal remedies they may employ to prevent or compensate for any resulting damage. Where necessary, the recipients should also be informed about the serious cyber threat itself.
The procedure for notifying service recipients about serious cyber threats shall follow the same process as the notification of recipients regarding significant incidents.
Taking all of the above into account, these guidelines define the procedure for notifying service recipients of significant incidents or serious cyber threats.
Key and important entities must publish notifications of significant incidents or serious cyber threats on their official website and, where necessary, via at least one of the following channels:
- Proactive SMS or other application-based messages
- Email correspondence
- Media (e.g., press releases and responses to media inquiries)
- Communication through the customer service centre
- Communication via social media