Reporting obligations (Article 23 NIS2 Directive)

Where a significant security incident is suspected, the notification periods are 24 hours for an early warning and 72 hours for a detailed assessment including the incident's severity and impact. One month after the notification of the early warning, a detailed final report must be submitted to the competent supervisory authority, describing the cause and impact of the security incident and the remedial measures taken or underway. Cross-border effects must be reported in any case.

Risk management (Article 21 NIS2 Directive)

Affected organisations shall take appropriate and proportionate technical, operational and organisational cyber security measures that reflect the state of the art and include at least the following:

  1. Policies: Policies on risk analysis and information system security
  2. Incident handling: Prevention, detection and management of cyber incidents
  3. Business continuity: Business continuity management (BCM), such as backup management and disaster recovery, and crisis management
  4. Supply chain security: Including security-related aspects of the relationships between each entity and its direct suppliers or service providers
  5. Procurement security: Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
  6. Effectiveness: Policies and procedures to assess the effectiveness of cyber security risk management measures
  7. Training: Basic cyber hygiene practices and cyber security training
  8. Cryptography: Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  9. Staff: Human resources security
  10. Access control
  11. Asset management
  12. Authentication: Use of multi-factor authentication and SSO
  13. Communication: Use of secured voice, video and text communications
  14. Emergency communication: Use of secured emergency communication systems within the entity
Management Duties & Governance (Article 20 NIS2 Directive)

Senior management must approve the cyber security risk management measures taken, monitor their implementation and is liable for breaches of these due diligence obligations. In addition, senior management must participate in training on the identification and assessment of cyber security risks, management practices and their impact, and must provide relevant training to all employees on a regular basis.

Enforcement & Sanctions (Article 32 NIS2 Directive)

The competent supervisory authority is granted far-reaching enforcement measures and sanctions. These include, among others:

  1. Evidence and tests: Authorities may obtain and review evidence and carry out their own tests, audits and investigations, including on-site inspections and random checks, regular and targeted security audits, and ad hoc audits (in particular after a security incident).
  2. Information requests: Authorities may request and inspect data, documents, information and evidence of implementation.
  3. Binding instructions: In the event of non-compliance, authorities may issue binding instructions to operators, issue public warnings and appoint a supervisor (monitoring officer).
  4. Operating licence: In the case of continued non-compliance, authorities may set deadlines and, in the event of violations, withdraw operating licences, certifications or similar authorisations.

The NIS2 Checker is an informal guide for assessing the potential applicability of the NIS2 Directive. While we have done our best to provide accurate information, the legal landscape is dynamic and complex. We make no representations or warranties of any kind, express or implied, about the completeness, accuracy or reliability of the information provided. We are not liable for any results obtained from using this tool. We strongly recommend that you seek professional (legal) advice for specific applicability questions.
