The obligation to report a cybersecurity incident within 24 hours applies to entities classified as regulated entities under the Cybersecurity Act (CSA). The 24-hour limit covers the preliminary notification (early warning) following the detection of a serious cyber incident. A more detailed report then follows within 72 hours, and a final incident report with an impact analysis within one month.
These obligations result from legislative changes related to the harmonisation of cybersecurity within the European Union and the implementation of the NIS2 Directive into national legislation.
Event vs. incident
It is important to distinguish between the two concepts:
- Event: the detection of a potential vulnerability or suspicious activity, for example the discovery of a weakness in a system without any malicious action having taken place.
- Incident: an event becomes an incident when a real disruption occurs – for example, an attacker gains unauthorized access, data is leaked, or service availability is compromised.
The obligation to report arises in the case of a serious cyber incident, not in the case of ordinary events or vulnerabilities.
Statutory responsibilities and incident management
The Cybersecurity Act (ZoKB) provides that the statutory representative of the organisation is legally responsible for compliance with cybersecurity measures. It is therefore essential to have internal processes in place that enable the rapid detection, assessment and reporting of serious incidents to the competent authority.
Incident response is also part of security management. If an employee identifies a suspicious email (e.g. phishing), he or she should immediately forward it to a designated incident handler, such as the IT department, for further analysis. Forwarding such a message to colleagues who, out of curiosity, open it and click on suspicious links only increases the likelihood of the attacker’s success. It is equally wrong for an employee to open a suspicious email, click on the attached links, and delete the message “just in case” in an attempt to cover up the incident after realizing the potential consequences.
The organisation should have a cyber security manager with the authority to decide on technical measures to prevent the spread of an incident – including, for example, disconnecting internal or customer systems if necessary to minimise damage. This decision may take precedence over business interests at the time.
Preparedness and documentation
Effective incident response requires:
- clear and up-to-date incident reporting procedures,
- designated responsibilities and escalation schemes,
- a crisis communication matrix,
- availability of these documents in paper form as well, so that they remain usable even if digital systems fail.
Good preparedness significantly reduces the time between incident detection and reporting, which is key to both meeting legal deadlines and minimising damage.
