# IT emergency plan

**What belongs in an IT emergency plan?**

An IT emergency plan is a short written instruction setting out who does what during an IT outage or cyber attack, who is contacted, and in which order operations resume. It is kept on paper, because in an emergency the IT itself is affected.

An emergency plan answers the questions that all arrive at once in a crisis. Who is notified, on which telephone number, and who decides whether production is halted? Which immediate measures apply, such as disconnecting affected machines from the network while leaving them powered on so that evidence is preserved? Which systems come back in which order? And how does the business keep trading in the meantime, meaning on which paper forms are orders, delivery notes and till receipts recorded?

Two figures are set by management, and they determine everything else. First: how long may a system be down before the cost begins to bite, an hour, a day, a week? Second: how much data may an incident destroy, in other words how old may the last usable backup be? From those two answers follow the backup interval, the spare equipment kept ready, and whether a maintenance contract with a promised response time is necessary.

The plan has a legal dimension. Where personal data are affected, the breach must be reported to the data protection authority within 72 hours of becoming aware of it under Article 33 GDPR, provided a risk to the individuals concerned exists. That clock runs while your business is at a standstill, which is why the reporting route, the responsibility and a prepared form belong in the plan. Companies covered by the Austrian NISG 2026, which implements the NIS2 Directive and enters into force on 1 October 2026, face a further catalogue of duties, and business continuity and crisis management are expressly among the required measures there.

A plan that only sits in a folder helps little on the day. Walk through it once around a table with the people who would actually be involved. Who holds the key to the server room when the owner is on holiday? Where is the off-site backup, and who is allowed to fetch it? On which number do you reach your IT provider on a Sunday? Exercises like these take little time and expose the gaps that would otherwise cost hours.

The first sensible step fits on a single sheet of paper: the key contacts, the first three actions, the location of the backup. Printed and kept in the server room, with a second copy at the owner's home. Everything else grows from there. The IT-Check establishes which systems are critical for your business, how long their restoration would take and what preparations exist. You receive the report with a remediation plan within 14 working days.

## Related terms
- [Backup and restore](https://vetosec.at/en/it-security/backup-wiederherstellung/)
- [Ransomware](https://vetosec.at/en/it-security/ransomware/)
- [Data breach notification duty](https://vetosec.at/en/it-security/meldepflicht-datenpanne/)
- [The 3-2-1 backup rule](https://vetosec.at/en/it-security/drei-zwei-eins-regel/)

## Source
https://vetosec.at/en/it-security/notfallplan/ (vetosec, schutz)
