(1) Essential and Important entities shall notify, without undue delay, the CSIRT in accordance with section (3) of any incident that has a significant impact on the provision of their service.

(2) Where appropriate, entities concerned shall notify, without undue delay, the recipients of their services of significant incidents that are likely to adversely affect the provision of those services.

(5) An incident shall be considered to be significant if:

a. it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;

b. it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

(6) For the purpose of notification under section (1), the entities concerned shall submit to the CSIRT:

a. without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact;

b. without undue delay and in any event within 72 hours of becoming aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in point (a) and indicate an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise;

c. upon the request of a CSIRT an intermediate report on relevant status updates;

d. a final report not later than one month after the submission of the incident notification under point (b), including the following:

e. a detailed description of the incident, including its severity and impact;

f. the type of threat or root cause that is likely to have triggered the incident;

g. applied and ongoing mitigation measures;

h. where applicable, the cross-border impact of the incident;

i. in the event of an ongoing incident at the time of the submission of the final report referred to in section (6)(d), entities concerned provide a progress report at that time and a final report within one month of their handling of the incident.

(7) By way of derogation from the section (6)(b), a trust service provider shall, with regard to significant incidents that have an impact on the provision of its trust services, notify the CSIRT without undue delay and in any event within 24 hours of becoming aware of the significant incident.