NATO Cyber Security Centre

For General Enquiries and for reporting Incidents contact:
NATO Cyber Security Centre
NCI Agency
SHAPE, Mons 7010 BE
P:+32 65 446666
[email protected]
PGP Fingerprint: D9E5 81BF 46A5 7F7B D540 CE1C 10BC C16B 11B4 DCE7. Download key here.

Engaging of our services

For enquiries about engaging of our services, please contact NCI Agency Demand Management

NATO Communications and Information Agency

NATO Communications and Information Agency
Agence OTAN d'information et de communication
Boulevard Leopold III
1110 Brussels

Report a Cyber Security Incident

Incidents can be reported via e-mail or phone to the above contact details. Our RFC2350 can be found here, and contains basic information about the NCSC, its channels of communication, and its roles and responsibilities.
When possible, please answer the following questions:

Notification Checklist
Q.1.	What is your name and contact details?
Q.2.	Which organization are you part of?
Q.3.	Is the event clearly a security breach of classified information? If so, have you already reported it to the CIS Security Officer?
Q.4.	Does the event look like a cyber incident?
Q.5.	What has been observed and what are the consequences
	[text description, from the reporting entity's perspective, on the actual event]
Q.6.	Is the event affecting a NATO system and/or a specific technology in use at NATO?
Q.7.	If relevant, what is the NATO Security Classification of the affected system?
Q.8.	If relevant, is the affected NATO system providing services to ongoing operations or exercises?
Q.9.	When did it start? Is it still ongoing? And If not, when did it stop?
Q.10.	What is affected by the event?
	[people, devices, services, networks, a piece of information,...]
Q.11.	Has the information been received from a journalist, a media, or a researcher? If so, have you already liaised with your local Office of Public Affairs?
Q.12.	If relevant, which NATO Element is the providing CIS/IT Support for this network/device/service?
Q.13.	Can you provide relevant technical details?
	a. The Asset tag of the device.
	b. The IP address of the device.
	c. The hostname of the device.
	d. The service or person you are trying to connect or connecting to. (URL, share, email,...)
Q.14.	Is there any other contact details you can share to help us responding to your request (local CIS personnel, Security Officer,...)
Q.15.   What actions/activities have been taken already?
Q.16.	Is there anything else you want to report?

Cyber Threat Intelligence	
CTI.1	If you are sharing Indicators of Compromise, what is the security classification?
CTI.2	Does the information bear any distribution restrictions?
CTI.3	Is the information specific to a NATO system, technology, operation, environment, other?
CTI.4	If this is a request for Action, have you received authorisation by the relevant Security Authority and CIS Operating Authority?
CTI.5	Is the notification about a confirmed cyber incident?